Is your IT department "donating" your attorney-client privilege without your knowledge?
Alan Brill, Kroll Ontrack
You might ask, “Did you consult with our legal counsel before you made this decision?” Or, “Is there a contract between us and these outside organizations that protects us?”
Unfortunately, the answer to the first question will likely be “no” and the answer to the second “I don't know.”
Think this couldn't happen to you? It could – and it may already be happening right in your own IT department without your knowledge.
Here's how: With all of the publicity about computer hacking, the speed with which hackers build new tools, and problems that defensive software has in identifying malware, there are a number of organizations out there that ask for — and often receive — access to data on both successful and unsuccessful attacks on your technology infrastructure. Often these companies are providing you with cyber security services in the form of software or hardware. Such security software and hardware has the ability to record information about cyber attacks and, with the permission of the company, they are able upload that data which is then used for threat analysis and product improvement functions. It's generally pitched as a combination of helping yourself (you benefit if the vendor improves the capabilities of the hardware/software) and helping the overall state of information security (by contributing to a better knowledge of what kind of attacks are taking place and what kind of tools the hackers are using at a given time). If you don't think too much about it, it seems like a very reasonable thing to do.
The problem is that by participating in such a data sharing arrangement, you're making an implicit decision to release that data to a third party, and may be doing so without advice of counsel.
Consider, for example, if your organization suffered a successful cyber attack which, while serious and resulting in the loss of valuable intellectual property, didn't involve the loss of personally identifiable information and was never known outside of the company? Further, the company doesn't believe that it has a legal duty to make a public report or to make the fact that a breach occurred known. Secrets, of course, don't stay secret forever, so assume that some stockholders begin a lawsuit. You may believe that some of the data about the incident falls under attorney-client privilege. However, if your IT department has freely transferred the information to a third party, that argument may be badly undermined or even rendered useless. As a result, data that might have been protected would become available, either from you or through a subpoena directed to the third party.
Be PreparedBefore a company agrees to participate in data sharing of cyber attack or penetration related data with a third party, there is an absolute need for counsel to become involved. Basic questions that counsel would want to consider include:
- Exactly what data is collected?
- Is the data identifiable as coming from us when it is in the third party's hands?
- Exactly what uses is it put to?
- Who in the third party company knows what data has come from us?
- What benefit do we receive by providing this data?
- What are the contractual provisions covering this transfer of data?
- Once the data arrives at the third party, who owns it?
If you can't find answers to these questions, and the third party isn't immediately forthcoming with the answers, you should question your company's involvement. Once the risk exceeds the benefit, participation becomes a questionable decision.
There's no question there can be a place for information sharing within certain, controlled contexts. However, the ultimate decision, whatever it is, should be based on a solid legal analysis of risks and rewards, regardless of how much of a “feel-good” participation may seem.