A US court recently found that reports prepared by a computer security firm in the wake of a cyber-attack were not required to be disclosed in litigation arising from the attack as they were protected by attorney-client privilege. The input of the computer security firm was necessary to enable the lawyers to advise their client on the likelihood of litigation arising from the attack. The reports therefore facilitated effective consultation between the lawyers and their client and attracted legal privilege.
The case highlights the role lawyers can play in managing the consequences of a cyber-attack and in minimising litigation exposure.
BACKGROUND TO LITIGATION
The decision was given in the context of litigation arising from a "sophisticated cyber-crime attack" on US retailer, Genesco in 2010. The perpetrators planted malware on Genesco's computer system in an effort to steal payment card information which Genesco was transmitting in unencrypted form to its banks. Following the attack, Visa levied fines of over $13.2 m on Genesco's banks for non-compliance with Payment Card Industry Data Security Standards. The banks in turn collected the monies from Genesco, which had contractually agreed to indemnify them for any losses they incurred in processing Visa card payments for its retail establishments. Genesco claimed, however, that the fines had been "wrongfully imposed" and it issued proceedings against Visa in the US District Court.
In the course of an investigation into the attack, carried out prior to the commencement of the proceedings, Visa detected suspicious software on Genesco's network. This prompted Genesco to seek legal advice on the likelihood of litigation arising out of claims by payment card brands such as Visa. Genesco conducted its own investigation into the attack to ensure that its external lawyers had all the information they needed to give full and proper legal advices. Genesco's in-house counsel retained a computer security firm to assist with the investigation. The terms of engagement expressly stated that the computer security firm was engaged "in anticipation of potential litigation and/or legal or regulatory proceedings."
In the course of the litigation (which is still ongoing), Visa sought discovery of any analyses or reviews prepared by the computer security firm in relation to the cyber-attack and any communications between the computer security firm and Genesco. Genesco claimed that this was legally privileged information which did not have to be disclosed.
DID PRIVILEGE APPLY?
The District Court for the Middle District of Tennessee refused to order Genesco to provide the information sought. The Court noted that in United States v Kovel (1961), the Second Circuit held that attorney-client privilege extends to a lawyer's communications with agents and experts who are retained by the lawyer for the purpose of providing legal advice. In Kovel the expert retained was an accountant. The Second Circuit commented:
"Accounting concepts are a foreign language to some lawyers in almost all cases, and to almost all lawyers in some cases. Hence the presence of an accountant, whether hired by the lawyer or by the client, while the client is relating a complicated tax story to the lawyer, ought not destroy the privilege... the presence of the accountant is necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege is designed to permit."
The Court in Genesco noted that the reality of litigation in the adversarial system is that lawyers must rely on the assistance of investigators and other agents. The doctrine of privilege must, therefore, protect materials prepared by agents for lawyers (in this case the computer security firm) as well as materials prepared by lawyers themselves.
POSITION IN IRELAND
Would an Irish court have ordered disclosure in this case? We cannot give a definitive answer to this question, but there is a strong argument that reports prepared by a computer security firm, or other relevant experts (e.g. forensic accountants or loss adjusters), in circumstances such as those that arose in Genesco would be subject to litigation privilege.
Litigation privilege applies to:
- confidential communications between a client and his lawyers or between a client and a third party;
- made for the dominant purpose of litigation;
- which litigation is in being, pending or reasonably anticipated.
In Genesco, the terms of engagement between Genesco and the computer security firm expressly provided that the firm was being engaged "in anticipation of potential litigation and/or legal or regulatory proceedings." The Court was also told that the reason Genesco conducted its own investigation into the attack was to enable it to obtain legal advice on the potential legal ramifications of the attack and the likelihood of litigation. In Ireland, such facts would provide the foundation for a strong claim to litigation privilege.
However, apparently strong claims to litigation privilege can fall on the second of the three requirements listed above, i.e. the dominant purpose test. The document over which litigation privilege is sought must have been prepared for the dominant (though not exclusive) purpose of litigation. This can create difficulties where a document was created for more than one purpose. The Irish courts have held that statements prepared by nurses into the circumstances of a complicated birth were not covered by litigation privilege in medical negligence proceedings against the hospital as the statements were prepared for hospital management reasons, as well as the possibility of litigation.
If an Irish court found that a report from a computer security firm, or other relevant expert, was procured principally to identify security risks in an organisation's network and to advise on how to prevent further cyber-attacks, and that enabling the lawyers to advise on the possibility of litigation was only a subsidiary purpose of the report, a claim to litigation privilege might fail.
CYBER-RISK & THE ROLE OF LAWYERS
Cyber-security is getting more attention than ever before and it is now a top priority for boards and senior management. Organisations need to be alive to this issue and to put in place a coordinated risk management strategy and incident response plan When putting these together, consideration should be given to the role that lawyers can play in planning for, and managing the consequences of, a cyber-attack.
In the event of a cyber-attack, consult your lawyers before any investigations are commenced and before any IT consultants or other experts or advisors are engaged. The involvement of lawyers at an early stage will help ensure that any investigations into the attack are conducted in a way which attracts and maximises legal privilege. As the Genesco case highlights, this can be invaluable in the event of litigation.
Read our top tips on how to minimise litigation risk arising from a cyber-attack here.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.