Hiding Data Behind Attorney-Client Privilege
Interesting advice:
He cites a key advantage to bringing in lawyers up front: “If you hire a law firm to supervise the process, even if there are technical engineers involved, then the process will be covered by attorney-client privilege,” Cunningham said.
He noted that in a lawsuit following a data theft, plaintiffs usually seek a company’s records of “all the [data-security] recommendations that were made [before the breach] and whether or not you followed them. And if you go and hire technical consultants only, all that information gets turned over in discovery. [But] if you have it through a law firm, it’s generally not.”
Gregory Engel has some good comments about this:
This isn’t a “prevention initiative” for data security, it’s a preemptive initiative for corporate irresponsibility.
I’m not sure it will work, though. I don’t think you can run all of your data past your attorney and then magically have it imbued with the un-subpoena-able power of “attorney-client privilege.”
EDITED TO ADD (10/22): This talk from Defcon this year is related.
RonK • October 21, 2007 7:15 AM
But that’s not what they’re talking about. They’re talking about not having to disclose what security precautions were taken (or not) to protect customer data which was subsequently stolen (when they get sued for being liable for this data theft, or prosecuted on criminal charges).