Within business organizations, even internal lawyers are often greeted with ambivalence in regard to their participation in business and technical projects. No one likes the idea of being interviewed by a lawyer in connection with an investigation or litigation. But even where there is no immediate specter of becoming a witness in some legal proceeding, lawyers are often seen as hindrances, obstacles who stand in the way of progress by adding a layer of review and taking an approach that is too risk averse. The old adage that the law department is a cost center and not a revenue generator belies this attitude.
Business and technical personnel may also view the involvement of lawyers with distaste based on the sentiment that the lawyers are not subject-matter experts and should leave specialized matters to those with expertise. However, these attitudes must be overcome when it comes to addressing cybersecurity. It is critical for lawyers to be involved in leading cybersecurity efforts.
One fairly obvious reason lawyers need to be involved is that cybersecurity is rife with legal issues and legal liability risks for the enterprise. Those issues and risks are the subject of a vast and rapidly expanding literature. By way of brief example only, consider the need for compliance with federal statutory requirements and regulatory guidelines and pronouncements regarding cybersecurity, the need to make assessments regarding whether and how to contact law enforcement in the event of a breach that may involve illegal activity, the need for compliance with state data-breach notification laws, etc.
Beyond these more obvious legal touch points, the process of preparing for and addressing cyber risk benefits by allowing full deliberation and discussion of the most complete factual picture possible, regardless of whether it is good or bad, under the umbrella of privilege protection. This results in a better risk-mitigation strategy based on comprehensive information. It is critical for counsel to be involved in cybersecurity activities so that these can be protected by attorney-client privilege and/or work product protection, as applicable.
It is especially important that the groundwork for privilege be laid thoroughly where in house counsel is involved, because courts tend to take a more narrow view of privilege there. In other words, courts may analyze whether in house counsel acted in a business or legal role, which can confuse things. That is why merely involving in-house counsel is not enough to ensure protection; in-house counsel need to be actively integrated into the process in a way that makes the legal protections applicable. The lawyer needs to have creative or analytic input.
A recent case, Genesco, Inc. v. Visa, U.S.A., Inc., (302 F.R.D. 168 (M.D.Tenn. March 10, 2014)) is viewed as validating organizational decisions to lead cybersecurity activities through legal counsel—including proactive and reactive efforts. This case stemmed from a cyber attack where hackers in Eastern Europe succeeded in remotely installing sniffing software on Genesco’s network that siphoned (unencrypted) account data. The captured data was in transmission to certain banks that processed card payments under their own separate agreements with Genesco and the issuers, including Visa.
As a result of its investigation in the wake of the attack, Visa assessed fines of over $13 million against these banks, which Visa determined were in violation of agreements to maintain certain cybersecurity standards at the merchant, Genesco. Those banks then obtained indemnification from Genesco pursuant to their agreements with Genesco. Genesco sued Visa to recover this money based on a number of state law claims grounded in the allegation that Visa’s fines against the banks were unwarranted.
A controversy ensued when Visa sought discovery from a non-testifying cybersecurity consultant retained by Genesco. Genesco’s general counsel submitted an affidavit that indicated he hired the consultant based on his consultation with two outside lawyers and in anticipation of the likelihood of litigation, “…in particular litigation arising out of claims by the payment card brands such as Visa.” (Id. at *180) The consultant was selected by outside counsel, although it was retained directly by the general counsel on behalf of Genesco. The general counsel also averred that “[a]ny and all contacts, correspondence, meetings or other interactions between Genesco and [consultant] concerning the intrusion occurred either with or at the direction of Genesco Counsel.” (Id. at *181)
Visa’s requests sought all documents relating to the consultant’s retention and work with Genesco, through requests and interrogatories to Genesco as well as a subpoena to the consultant for documents and deposition testimony. It also noticed the general counsel’s deposition on the consultant’s hiring and work. Visa argued that Genesco had waived privilege on these matters by producing two documents from the investigation and a report from the consultant. Moreover, Visa argued waiver due to Genesco’s failure to submit privilege logs.
The court held in favor of Genesco and found that the information regarding the consultant was privileged and protected work product, which protections were not waived by the absence of a privilege log. It relied on the affidavit of the general counsel in supporting this decision, not only in elucidating the process and rationale for retaining the consultant and the way the work was performed under counsel’s direction, but also as providing the information about the basis for privilege claims that would otherwise be found in a privilege log.
Lawyers and technical experts play key roles in enterprise cybersecurity. By carefully following the right process, they can work together to make complete and candid assessments, while maintaining a reasonable expectation that their deliberations will be kept confidential. The more litigation we see in the cybersecurity realm, the more likely it is that joint legal-technical work in that realm is “in anticipation of litigation” and for purposes of rendering legal advice.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.