Cyberattacks and Breaches Going Public

Private industry is not the only sector being targeted by hackers and other criminals looking to steal valuable personal information, intellectual property, and business intelligence, and to interrupt core services. Over the last 24 months, state and private universities, local and state government agencies, and even the federal government have announced significant data breaches that compromised information and caused significant operational disruptions. Among the largest was the recent cyberattack on the United States government's Office of Personnel Management that reportedly exposed personal and security clearance background check information of approximately 4 million former and current federal government employees. Recent cyberattacks on state-level institutions are similarly significant: Oregon Employment Department in 2014 (850,000 individuals), Maricopa County (Arizona) Community College District in 2013 (2.5 million individuals), South Carolina State Computer Systems (3.6 million individuals), University of Maryland (287,000 individuals), and Central Hudson (New York) Gas & Electric (375,000 individuals).

Of the two principal consequences that follow a breach — litigation and reputational harm — litigation is the one that proactive risk-management efforts can most readily address. Litigation risk is particularly high for public entities because, unlike private industry, many state and local governments, agencies, and departments are required by law to implement very specific information security and privacy policies, procedures, and standards. For example, in California, all state entities are obligated to comply with security standards set forth by the California Information Security Office (CISO) in Section 5300 of the State Administrative Manual. Other states with similar requirements include Florida, Texas, Virginia, Massachusetts, and Colorado. These standards set a de facto floor for information technology security that plaintiffs can use as a proxy for what is — and what is not — reasonable security. If plaintiffs can trace a breach to non-compliance with a mandated standard, they can effectively hold entities strictly liable.

This dynamic is made even more complicated by the fact that state-mandated security procedures almost always require public entities to conduct proactive cybersecurity assessments to identify weaknesses and shortcomings in security measures through penetration and vulnerability testing. Reports on these vulnerabilities offer plaintiffs a roadmap that can be used to show not only weak cybersecurity, but also knowledge of non-compliance and lapses in cybersecurity. Indeed, the reports generated from these assessments are almost always among the first discovery requests issued by plaintiffs and regulators in litigation or investigations of a breach.

Against this landscape, all organizations (whether public or private) should consider conducting cybersecurity assessments at the direction of legal counsel, for the purpose of identifying and evaluating the legal risk associated with weak cybersecurity or non-compliance with state-mandated standards. This is not a dramatic shift. Rather, it recognizes that the landscape of security has changed, and that a predominant risk area is the litigation that follows a data breach. Accordingly, it reframes the purpose of a cybersecurity assessment from solely an IT security risk assessment to one that also includes an evaluation of legal risk. In this paradigm, legal counsel should retain outside cybersecurity experts (obviously, with significant input from IT security) to provide the technical assistance counsel needs in order to render legal advice. This structure brings the work product and communications related to the assessment under the attorney-client and work product privileges.

A recent decision from the Middle District of Tennessee validates this approach. In ongoing litigation between Genesco, Inc. and Visa U.S.A., Inc., the court denied Visa's discovery requests for analyses, reports, and communications made by two cybersecurity firms retained by Genesco's counsel to provide technical services and consultation in connection with legal advice on post-breach remediation efforts; one of the two firms had been hired in connection with Genesco's efforts to comply with PCI DSS. The court held that the attorney-client privilege "extend[ed] to the [cybersecurity] firm that assisted counsel in its investigation" because cybersecurity "concepts are a foreign language to some lawyers in almost all cases . . . [h]ence . . . the presence of the [consultant] is necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege is designed to permit." Indeed, there are good, substantive reasons for conducting these activities under legal privilege. Principally, doing so offers clients a "safe place" to gather information, request and receive legal advice, and deliberate with counsel over (for example) what remedial efforts will — and, more importantly, will not — be undertaken in response to the identification of cybersecurity vulnerabilities, weaknesses, or areas for improvement.

The same approach should be applied in responding to a cyberattack or breach. Legal counsel, in close partnership with IT security, should direct the investigation (and retain and direct the work of cybersecurity forensic experts) to determine the how, when, and who of a data breach. Again, doing so covers communications and work product generated by the response team (both the external forensic experts and the internal organizational team) under the attorney-client privilege and the work product doctrine, which is especially important given the increasing risk of litigation and regulatory investigation. These protections can also be invaluable for entities where public disclosure laws are particularly broad.

Of course, all of the above assumes the existence of a well-conceived Incident Response (IR) Plan that not only defines roles and responsibilities for the IR Team and response protocols, but that also reflects practice, and then more practice. Public entities, in particular, are often structured in departmental and/or service silos, such that coordination and collaboration in responding to a breach scenario is of paramount importance. By working together to perform proactive risk assessments, managing those activities under appropriate privilege protections, and preparing for what is generally considered the inevitable breach, public entities can more effectively manage litigation risk.

Tony Kim and Aravind Swaminathan are co-chairs of Orrick, Herrington & Sutcliffe LLP's Cybersecurity & Data Privacy practice. Justin Cooper is a partner at Orrick, and chair of its housing finance group.
