With significant input from Orrick's Cybersecurity, Privacy and Data Innovation team, the influential Sedona Conference and its Working Group 11 last week published important guidance on the application of the attorney-client privilege and work-product protection in the cybersecurity context. The comprehensive Sedona Conference commentary provides a framework for federal and state policymakers to amend existing law in several respects, including carving out a limited privilege for information prepared in the cybersecurity context without the involvement of lawyers.

Partner Doug Meal, head of our cyber and privacy litigation practice, served as vice-chair of the conference's Working Group 11 steering committee and editor-in-chief of the team that drafted the commentary, released in April for public comment. The conference's Working Group 11 is the body charged with addressing legal issues in the Privacy & Cybersecurity area, and its membership includes a cross-section of prominent plaintiffs' and defense lawyers, regulators, forensic experts, law professors, judges, in-house counsel and others who specialize in privacy & cybersecurity law.

The Commentary released last week evaluates the application of the attorney-client privilege and work-product protection to an organization's cybersecurity information (CI). The Commentary seeks to move the law forward by assessing the arguments for and against having the discoverability of CI determined under general principles of attorney-client privilege and work-product protection law, rather than modifying those principles for the CI context. Finally, the Commentary considers various proposals for adapting existing attorney-client privilege and work-product protection law, or developing entirely new protections, in the CI context.

Doug and David Cohen, Of Counsel in our cyber and privacy practice who also worked on the project, provide these key takeaways from the Commentary, which will be particularly useful to in-house counsel seeking to understand what factors courts currently use to determine whether the privilege and protection will apply to documents/communications generated before and after a cyber breach.

Among the key findings:

  • There are only a handful of cases addressing whether the attorney-client privilege or work-product protection applies in the cybersecurity context under current law, but those that do provide invaluable guidance:
    • The primary question courts look to here, just like outside the cybersecurity context, is whether the communication was made to solicit or render legal advice or in anticipation of litigation.
    • Companies seeking to claim the privilege or protection will need to be prepared to prove up their claim. The privilege/protection determination is heavily influenced by the degree to which lawyers were involved in the circumstances surrounding the creation of the information. But merely getting counsel involved in a project does not automatically make the documents or communications protected. Rather, courts will carefully scrutinize the evidence, including declarations companies submit, to assess whether legal advice was the primary purpose of the document/communication and whether it was made because of anticipated litigation.
    • Using outside counsel for legally driven cybersecurity projects can strengthen a company's privilege/protection claim. Communications with in-house counsel may be less likely to be considered privileged, particularly with respect to documents that arguably have both a business and legal purpose (e.g., security assessments or breach investigations), since it may be less clear to the court whether legal concerns were the driver.
    • Companies seeking to preserve the privilege or protection will need to be careful when sharing CI. Disclosing it to the wrong people outside the company, or sometimes even within the company, can waive the privilege or protection.
  • The Sedona Conference Commentary advocates for an expansion of the protection afforded to CI under current law. Specifically, it calls for a qualified stand-alone cybersecurity privilege that would not depend on whether lawyers and/or litigation concerns were sufficiently involved in the creation of the information, and it calls for a "no waiver" doctrine providing that disclosure of CI to law enforcement would not waive any privilege or protection.