Schneier on Security
A blog covering security and security technology.
October 21, 2007
Hiding Data Behind Attorney-Client Privilege
He cites a key advantage to bringing in lawyers up front: "If you hire a law firm to supervise the process, even if there are technical engineers involved, then the process will be covered by attorney-client privilege," Cunningham said.
He noted that in a lawsuit following a data theft, plaintiffs usually seek a company's records of "all the [data-security] recommendations that were made [before the breach] and whether or not you followed them. And if you go and hire technical consultants only, all that information gets turned over in discovery. [But] if you have it through a law firm, it's generally not."
Gregory Engel has some good comments about this:
This isn't a "prevention initiative" for data security, it's a preemptive initiative for corporate irresponsibility.
I'm not sure it will work, though. I don't think you can run all of your data past your attorney and then magically have it imbued with the un-subpoena-able power of "attorney-client privilege."
EDITED TO ADD (10/22): This talk from Defcon this year is related.
Posted on October 21, 2007 at 6:39 AM
• 27 Comments
> I don't think you can run all of your data past your attorney
But that's not what they're talking about. They're talking about not having to disclose what security precautions were taken (or not) to protect customer data which was subsequently stolen (when they get sued for being liable for this data theft, or prosecuted on criminal charges).
Given the state of the art today, I wouldn't recognize "security engineering" as an engineering discipline. By contrast, if someone told me that they were a "Reliability Engineer" at Ford or Boeing, then I wouldn't think they were practicing black magic.
Ford or Boeing could try to convert advice on expected faults and mitigation into legal advice. But, although America has the most innovative lawyers in the world, I don't think the strategy would work in a lawsuit.
This sorcerous-incantation view of attorney-client privilege is common. My last company told people on certain critical projects to Cc: the lawyer on all project communications so as to get the magical privilege pixie-dust on them.
I think the notion is to have the engineers give the lawyer recommendations, and the lawyer give recommendations based on what the engineers tell them and any legal issues at hand. A lawyer's recommendations *are* covered by Attorney-Client privilege.
It clearly doesn't/shouldn't work to just take your engineers' recommendations, run them by your lawyer as well, and then assert the information is covered.
It is this type of FUD (Fear, Uncertainty, & Doubt) that keeps lawyers employed at the expense of everyone else. You can have the best security precautions in place but a lawyer will still question them.
Corporations are reluctant to embrace encryption, especially in e-mail, because then they can't as easily monitor it.
Executives simply don't understand security, and IT departments' hands are tied by executives and legal departments.
"If a town has one lawyer, he'll starve. If a town has two lawyers, they'll both be rich."
OK, so if I ever have to kill somebody, I'll discuss the plans with a lawyer first. That way, they can't prove premeditation. (Makes as much sense, anyway.)
One of the factors that sets a professional discipline apart is a specialized body of professional knowledge, common among practitioners of the art. That, in turn, implies a duty to the public beyond any duty to a particular client—a duty to the public.
The lawyers, though, have convinced the judges that legal practitioners do not have any enforceable duty to the public.
It's unethical for an engineering professional to adopt the so-called ethics of the lawyers. An engineer's duty to the public overrides his duty to any particular client.
When process defects pose a risk of harm to the public, an engineer should not scheme to hide them. It's despicable.
The analogy is more, if you are going to discuss killing somebody, discuss it with your lawyer (who happens to be an assassin), not with an assassin, than it is discussing it with your lawyer makes it legal. The idea is to limit discovery, not liability.
This is bad advice - Attorney client privilege typically only extends to communications related to legal matters, and would not cover data-security recommendations, even if given by or through a licensed attorney.
Also, the privilege does not cover data generated by the company, even if that data was later communicated to an attorney - it can only protect communications with the attorney.
I don't know how often Cunningham gets away with this, and whether Colorado has a unique loophole, but now that the cat is out of the bag, I would expect people to challenge his interpretation of the privilege.
(David, the privilege also does not cover criminal activity.)
Well, we had something like this at work. The company's lawyers were telling IT Security specialists what software we could run on certain monitoring systems. They don't want us "leaking" information even though our main app is browser based and gmail is still accessible. Any time Corporate IT Security has Corporate Legal telling them what they can install on their own systems, that IT Security Unit has a problem. Would you want to work in a datacenter run by the company's lawyers?
From what I understand (based on Law & Order), the information loses that privilege when you disclose it to an unprivileged person (i.e. not your attorney, doctor, or spouse).
It's all part of the lawyers' plans to rule the world.
What I don't get is why would you want to?
I worked on a project that came under ITAR regulation. Lawyers decided what was safe or unsafe to share with allies. Engineers discovered that lawyers had no understanding of physics or engineering and it was impossible to communicate with them: they were not only unteachable, they were unreachable. As long as lawyers were the 'deciders', the only fix was to keep secret from the lawyers the unsafe parts, so that they couldn't inadvertently 'give away the store'.
>> "a client's state of mind when initially seeking legal assistance is a very difficult factual determination for judges to make"
Prior to the age of electronic mail.
In the geological pollution business (e.g. groundwater pollution caused by escaping fluids from mine dumps) it is common practice to hire a law firm and direct them to hire groundwater consultants and geophysicists to investigate the problem. Since the consultants are employed by the legal beagles, any communications to the hiring company are through the lawyers and thus not available to the environmentalists or govt agencies. The only stuff that gets disclosed is whatever the legal types allow, and this includes all the data that have been collected.
Don't know how successful this has been, but it's been common practice in all my years in the business, and I was born when Harry Truman was still in office ....
Please make sure to read Sodium's post at 9:05 pm. It does a good job of explaining the limits of privilege.
Also, as mentioned in the helpful links provided by Sam Greenfield at 8:07, the advice cannot be for the purpose of committing fraud, even if the fraud does not rise to the level of criminality.
Basically funneling everything through counsel doesn't get you much other than an irritating drag on communication.
This sort of thing has also been done in cases involving toxic products -- both tobacco and fungicides come to mind. Somehow the really damaging evidence about the product was handled so that the companies could claim it came under the attorney-client privilege. This enabled the companies to settle large cases for pennies on the dollar, though in some cases other courts rejected the privilege argument. It's an abuse of the legal system, and clearly unethical under the codes that govern lawyer behavior, but it can be hard to prove.
Don't know about the US, but in the UK there's a 'dominant purpose' test for litigation privilege: it's only privileged if the dominant purpose of getting the report/document prepared was for litigation. So when a train company got an accident report after a train derailed, they couldn't privilege it as it was only half intended for litigation, and half for improving safety.
Abbreviated case study from:
See full case study at link for discussion section.
Failure To Report Information Affecting Public Safety - Case No. 90-5
The following case study is furnished by the Board of Ethical Review of the National Society of Professional Engineers. This opinion is based on data submitted to the Board of Ethical Review and does not necessarily represent all of the pertinent facts when applied to a specific case. This opinion is for educational purposes only and should not be construed as expressing any opinion on the ethics of specific individuals. This opinion may be reprinted without further permission provided that this statement is included before or after the text of the case. The Board of Ethical Review includes, John F. X. Browne, P.E., William A. Cox, Jr., P.E., Herbert G. Koogle, P.E.-L.S., Paul E. Pritzker, P.E., Harrison Streeter P.E., Otto A. Tennant, P.E., and Lindley Manning, P.E., Chairman.
Tenants of an apartment building sue the owner to force him to repair many defects in the building which affect the quality of use. Owner's attorney hires Engineer A to inspect the building and give expert testimony in support of the owner. Engineer A discovers serious structural defects in the building which he believes constitute an immediate threat to the safety of the tenants. The tenants' suit has not mentioned these safety related defects. Upon reporting the findings to the attorney, Engineer A is told he must maintain this information as confidential as it is part of a lawsuit. Engineer A complies with the request of the attorney.
Was it ethical for Engineer A to conceal his knowledge of the safety-related defects in view of the fact that it was an attorney who told him he was legally bound to maintain confidentiality?
Section II.I.a. - Engineers shall at all times recognize that their primary obligation is to protect the safety, health, property and welfare of the public. If their professional judgment is overruled under circumstances where the safety, health, property or welfare of the public are endangered, they shall notify their employer or client and such other authority as may be appropriate.
Section II.I.c. - Engineers shall not reveal facts, data or information obtained in a professional capacity without the prior consent of the client or employer except as authorized or required by law or this Code.
It was unethical for Engineer A to not report the information directly to the tenants and public authorities.
@nedu: "The lawyers, though, have convinced the judges that legal practitioners do not have any enforceable duty to the public."
Since these two parties are in fact the same, it's more like the lawyers have convinced themselves of it. The law has ceased to be a profession.
Thanks for the great link to the engineering teaching case. That is a perfect example of how a profession should function.
@Bryce "From what I understand (based on Law & Order), the information loses that privilege when you disclose it to an unprivileged person (i.e. not your attorney, doctor, or spouse)."
Despite the source (TV) this is correct. But a corporation is a legal entity composed of many individual persons, so simply telling another employee doesn't negate the privilege.
@anonymous, 7.56am "I think the notion is to have the engineers give the lawyer recommendations, and the lawyer give recommendations based on what the engineers tell them and any legal issues at hand. A lawyer's recommendations *are* covered by Attorney-Client privilege."
IIRC, in certain jurisdictions (a few? many? most?) a lawyer's recommendations are covered by privilege if they're within the lawyer's professional expertise. Most lawyers don't have engineering expertise.
Further, there's no privilege if the lawyer is advising on committing a crime or helping commit a crime. Confidentiality only applies to defending someone against the accusation of a crime.
As others have noted, you can't make information privileged just by cc'ing company lawyers on communications, or "running it by the legal department." In some cases, work done by non-lawyers can be protected by privilege where they are helping the lawyers perform legal services. For instance, suppose someone alleges that a company facility has been leaking toxic chemicals into a stream, or onto adjoining property. If the company's lawyers are asked to evaluate whether the company is liable and/or is legally required to do anything, the lawyers may need technical assistance to understand what's going on. If the lawyers hire some consultants to perform an inspection and report back to them, the consultants' work may be privileged. (I say "may," because this issue can be hotly disputed, and the "trick" of concealing information via privilege is hardly new.)
I suspect that in many cases like this, the company in question is just looking for a plausible way to CLAIM privilege. Even if they ultimately lose on that issue, it creates another barrier that has to be overcome before they can be forced to cough up the information.
So far as I understand,
1. an attorney cannot be compelled to disclose what a client has told him or what s/he has told the client.
2. the client can disclose anything s/he wants i.e. the client is by no means prohibited from disclosing the attorney's advice.
3. the attorney must be acting as an attorney and offering legal counsel i.e. courts don't allow an attorney to act as an executive so as to cast a blanket of privilege over an organization by claiming that everything which happens is between attorney and client.
(b) intended to be confidential
(c) between atty and client
(d) concerning the representation
Running technical considerations past an attorney will fail, even if the technical person is an employee of the client company, because the communications are not concerning the representation. That is to say, they are not in the course of seeking legal advice.
Same fact pattern: manager of client company asks me if I want a beer. That is a communication, the client does not want people to know his manager is offering to buy a beer for a lawyer, and it is between atty and client. It does not concern the representation, so that communication is not privileged. You can compel me to reveal this communication.
Almost the same fact pattern: manager asks me if I view a clause in a contract where I represent his company as requiring him to buy me a beer. That does concern the representation. When I tell him to buy me a beer, that's legal advice, and it is privileged. You cannot compel me to reveal this communication.
Tanner Andrews: your discussion suggests a possible workaround. Party A contracts with Party B for A to provide a secure system to B. A then hires a lawyer whose responsibility is to ensure compliance with this contract. The lawyer hires security consultants. All communications pass through the lawyer. Surely this now is legal advice, in that it concerns technical matters that need to be fulfilled in order to avoid breaching a contract?
Hiring an attorney was never the act of hiring a firm - yet the ballooning of service sharing seems to be the current practice - inflating fees, and destroying the protection of attorney-client privilege.
Where attorneys are unable to perform personal services, how can attorney client privilege exist, and certainly within a concept of fee-sharing privileges in firms that otherwise could be viewed as conspiratorial?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.