Harvard Journal of Law & Technology
In recent years, cyberattacks have cost firms countless billions of dollars, undermined consumer privacy, distorted world geopolitics, and even resulted in death and bodily harm. Rapidly accelerating cyberattacks have not, however, been bad news for many lawyers. On the contrary, lawyers that specialize in coordinating all elements of victims’ incident-response efforts are increasingly in demand. Lawyers’ dominant role in cyber-incident response is driven in part by their purported capacity to ensure that information produced during the breach response process remains confidential, particularly in any subsequent lawsuit. By interposing themselves between their clients and any third party consultants involved in incident response, lawyers can often shield any materials produced after a breach from discovery under either attorney-client privilege or work-product immunity. Moreover, by limiting and shaping the documentation produced by breached firms’ personnel and third-party consultants in the wake of a cyberattack, attorneys can limit the availability of potentially damaging information to plaintiffs’ attorneys, regulators, or media, even if their attorney-client privilege and work-product immunity arguments falter.
Relying on over sixty interviews with a broad range of actors in the cybersecurity landscape — including lawyers, forensic investigators, insurers, and regulators — this Article shows how, in their efforts to preserve the confidentiality of incident-response efforts, lawyers may undermine the long-term cybersecurity of both their clients and society more broadly. We find that lawyers often direct forensic providers to refrain from making recommendations to clients about how to enhance their cyber defenses, restrict direct communications between cybersecurity firms and clients, insist upon hiring cybersecurity firms with limited familiarity with the client’s networks or internal processes, and strictly limit dissemination of the cybersecurity firm’s conclusions to the client’s internal personnel. To ensure their clients do not inadvertently waive any legal confidentiality protections, lawyers also frequently refuse to share any written documentation regarding a breach with third parties like insurers, regulators, and law enforcement. Even worse, we find that law firms overseeing breach investigations increasingly instruct cybersecurity firms not to craft any final report regarding a breach whatsoever.
These practices, we find, may impair the ability of breached firms to learn from cybersecurity incidents and implement long-term remediation measures. Furthermore, such efforts to protect confidentiality inhibit insurers’ capacity to understand the efficacy of different security countermeasures and regulators’ power to investigate cybersecurity incidents. To reverse these trends, the Article suggests that materials produced during incident response should be entitled to confidentiality protections that are untethered from the provision of legal services. But such protections should be coupled with new requirements that firms impacted by a cyberattack disclose specific forensic evidence and analysis. By disentangling the incident-response process from the production of information that can hold firms accountable for failing to take appropriate and required precautions, the Article aims to remove barriers to effective incident response while preserving incentives for firms to take cybersecurity seriously.
Daniel Schwarcz, How Privilege Undermines Cybersecurity, 36 Harvard Journal of Law & Technology 421 (2023) (with Josephine Wolff and Daniel W. Woods)