It’s official: “Privilege” for Forensic Reports is dead. Here’s why and what to do next.

While lawyers may understand and apply the “lipstick” of Privilege, it’s the lack of knowledge about the “pig” of Incident Response (IR) that’s causing all the problems.[i]

For many years, forensic responders working a cyber incident were able to leverage Attorney-Client Privilege (“Privilege”) and Work Product protections to limit plaintiffs’ visibility into their efforts during a trial. This has changed drastically over roughly the last two years, based on a number of recent court rulings.[ii] Just last month this topic took a dramatic turn when one of the world’s largest cyber insurance brokers[iii] acknowledged that Digital Forensic Investigation reports are no longer subject to Privilege.[iv] I knew this was eventually going to happen.[v]

In this article I will walk you through the rationale for why Privilege should never have been applied to typical forensic reporting, and what organizations can do now to move forward in a landscape that is both extremely technical and extremely litigious.

FULL DISCLAIMER:

  • I am not an attorney. I don’t have a JD. If I could go back ~30 years, I would tell my young Marine Corps Lieutenant self to get a JD instead of an MBA at night school. Not sure I would want to be a lawyer though.
  • The first PII breach that I managed was in early 2008. California had one of the first statutes (SB-1386). Almost monthly for several years, my previous employer with ~200K employees and millions of customer records would find a way to “lose” PII. I managed every one of those incidents.
  • What I am about to present is what I learned working with a very competent team over a period of several years.
  • Wherever I say Attorney-Client Privilege (ACP), I also mean the possibility of Work Product protections.
  • This article is solely my opinion. I could be wrong.
  • This is not intended to be legal advice.

So, let’s start at the very beginning: InfoSec 101. Organizations are entrusted with maintaining the Confidentiality, Integrity, and Availability of sensitive information; that is Information Security (InfoSec). They employ three types of Controls: Preventative, Detective, and Corrective. Incident Response (IR) is a Corrective control for when you Detect that your Preventative controls have failed. The fundamental purpose of IR is to re-establish the efficacy of all three types of controls.

Now, before we go any further, I would like to introduce a non-IT analogy. In every community there are jails/prisons. Prisons employ the same three types of Controls: Preventative, Detective, and Corrective. The barbed wire fence around the prison is one of their Preventative controls; it prevents the inmates from escaping. Guard towers watch over the fence to Detect any time a prisoner breaches it (by climbing, by cutting a hole, because someone left a gate open, etc.). When the guard in the tower detects a prisoner escaping through the fence, they push the Big Red Button on the wall. That Big Red Button causes a siren to start blaring, bloodhounds to start barking, other guards to start running around with guns, etc. (Anybody see the movie “The Shawshank Redemption”?) The Big Red Button initiates the prison’s Corrective protocol. The purpose of that protocol is to re-capture the escaped prisoner(s) and fix the fence so other inmates don’t escape.

Incident Response (IR), as a Corrective control, has three fundamental efforts:

  • Technical Response
    • IT focused – What broke and how do we fix it?
  • Business Response
    • Due Diligence (Non-IT) – Concerns the organization must satisfy because of the incident
  • Incident Coordination
    • Managing the effort to do the things listed above

Here’s what this looks like in a diagram:
[Figure: incident response Venn diagram]

The “Technical Actions” component (lower left bubble) is often characterized by the following diagram:
[Figure: incident response lifecycle chart]

Please note the “Analysis” requirement at about 5:30 on the clock face. This is when you typically need forensics. Forensics is a mechanism to understand what happened so you can fix it.

In the previous three-bubble diagram, you hopefully noticed in the “Business Actions” (lower right bubble) a requirement for potential Litigation Preparation. Forensics is also a mechanism to understand what happened so you can defend yourself in court.

In summary, there are two opportunities in which forensics should be leveraged to achieve the due diligence obligations of the organization. In the “Technical Actions,” forensics is necessary to fix the problem and return the organization to a “secure” state. In the “Business Actions,” forensics is necessary to prepare the organization for potential litigation.

Technical Actions

I would argue that the primary characteristics of forensics in the “Technical Actions” sphere are:

Normal Course of Business/Ordinary Business/“Commercial Documents”

  • You don’t get Attorney Client Privilege (ACP)
  • The Big Red Button at the jail doesn’t say, “In case of litigation, press here”
  • Regardless of litigation, the prison must ultimately fix the mess (e.g., repair the fence, capture the escapees) – same for IT during an incident
  • Involves a lot of people: collaboration, reporting, brainstorming, knowledge is power
  • Regardless of whether or not you:
    • CC’ed counsel in your latest email
    • Were hired by the general counsel or outside counsel
    • Put “Attorney-Client Privileged Communication” at the bottom of the email
      • That was just sent to the entire CIRT (So much for limited distribution)

Now this isn’t to say that there won’t be opportunities for isolated conversations/efforts that may qualify for ACP or work product protections, but on the whole, the “nexus” of this effort is what I’ve detailed above.

Business Actions

On the other hand, in the “Business Actions” bubble, where you fulfill your obligation to prepare for potential litigation, understanding what happened is critical to defending yourself in court.

Leveraging forensics for Litigation Preparation will require the following:

  • It’s a separate action
  • Exclusively for the purpose of Litigation Preparation
  • With limited distribution – “Need to Know” – primarily involving legal counsel
  • You should get ACP; but beware, ACP is narrowly construed in favor of discovery

One more thought: if, after reading this post, you still intend to make your only forensic effort privileged, how do you satisfy your Normal Course of Business/Technical Due Diligence obligations?

And finally, recommendations for how I would move forward if I were a lawyer:

(Again, referring to the three-bubble diagram)

The effort detailed in the “Technical Actions” bubble should be characterized as:

  • Normal Course of Business/Ordinary Business/“Commercial Documents”
  • Completely transparent
    • Managed by IT/InfoSec
    • Shared within IT, third parties, legal counsel, anybody who has a need to know
    • Demonstrated due diligence that the organization is taking the incident seriously and employing industry best practices to remedy the problem
    • One of the CEOs at a management tabletop exercise I was performing said: “It’s not about whether or not you have an incident any more. Even the best companies have incidents. It’s about how you respond.”
  • Performed by a separate forensics firm that reports to the CIO/CISO
  • With a separate contract
  • Producing a separate report
    • Describing what happened
    • Include recommendations to remediate the (technical) problem
    • Avoid generalizations/extrapolations of structural/organizational flaws
    • Have it reviewed by counsel prior to release
  • This effort will not receive ACP

The effort detailed in the “Business Actions” bubble:

  • Litigation Preparation
  • Completely separate from the IT/“Technical” effort described above
    • Exclusively for the purpose of preparing for litigation
    • Limited distribution – Need to Know
    • Primarily involving legal counsel
  • Performed by a separate forensics firm that reports to outside counsel
  • Separate contract
    • With explicit language as to the purpose of the effort and the restrictions necessary to maintain ACP/Work Product protections.
  • Broader scope of inquiry
    • Include/Reference the current technical (IT) Incident Response (IR) efforts
    • Also identify “structural deficiencies” (negligence?) within the organization
      • “From the top”
      • BOD involvement/oversight[vi]
      • C-suite involvement / oversight (especially if the CISO works for the CIO, who works for the CFO, and the CISO can’t remember the last time they spoke with the CEO)
      • Risk Management involvement
      • Documented Policies – Plans – Procedures
      • Maturity of the InfoSec program
        • Audits/Updates/Testing
  • Feeding into the overall Litigation Management effort
  • ACP / Work Product protections should apply
  • Everything is labeled as Privileged and the restrictions in the Statement of Work are strictly followed by all parties
  • The court may still rule in plaintiff’s favor – I could be wrong

In summary, I would recommend two separate forensic efforts, by two separate firms, under separate contracts; one working for the CIO/CISO, the other working for outside counsel; fulfilling the two due diligence obligations of the organization. That’s how I would do it, but I’m not a lawyer and this is not intended to be legal advice.

[i] Lipstick on a pig – Wikipedia
[ii] https://www.natlawreview.com/article/forensic-report-deemed-not-privileged-capital-one-ordered-to-release-report
    https://www.debevoisedatablog.com/2021/01/14/court-chips-away-at-privilege-protections-for-cyber-forensic-reports/
    https://www.fmglaw.com/cyber-privacy-security/attorney-work-product-and-client-communication-privilege-protections-for-data-breach-forensic-investigation-reports-impacted-by-recent-ruling/
    https://www.natlawreview.com/article/lessons-learned-target-s-data-breach-discovery-win
[iii] Kudos to AON for their Thought Leadership on this topic.
[iv] Integrating your Cyber Insurance into your Incident Response efforts | Secureworks
[v] Back in 2015, at a meeting with a bunch of forensic investigators, one of the presentations ended with “and cc an attorney and it’s all covered under privilege”. Although I knew this was the conventional wisdom (probably from some SANS class), I raised my hand anyway. “This is not the way it’s supposed to work. Why don’t you just make sure your CEO is also a lawyer, and everything the company does is covered under privilege?” is what I countered with. They all looked at me like I was a scientist questioning Climate Change.
[vi] SEC.gov | SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies