The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

How Privilege Undermines Cybersecurity

Bonus Episode 435 of the Cyberlaw Podcast

Despite the title, rest assured that the Cyberlaw Podcast has not gone woke.

This bonus episode is focused instead on how cybersecurity is undermined by the attorney-client privilege. To explore that question, I interview Josephine Wolff and Dan Schwarcz, who along with Daniel Woods have written an article with the same title as this post.

Their thesis is that breach lawyers have lost perspective as they've waged a no-holds-barred (and frequently losing) battle to preserve the attorney-client privilege for forensic reports that diagnose their clients' cybersecurity breaches. Remarkably for the authors of a law review article, they did actual field research, and it tells us a lot.

The authors interviewed all the players in breach response—the breached company's information security teams, the breach lawyers, the forensics investigators who parachute in for incident response, the insurers and insurance brokers, and more. I am reminded of Tracy Kidder's astute observation that, in building a house, there are three main players – owner, architect, and builder – and that if you get any two of them in a room alone, they will spend all their time bad-mouthing the third. Wolff, Schwarcz, and Woods seem to have done that with the breach response players, and while the bad-mouthing is spread around, it falls hardest on the lawyers.

The main problem is that invoking attorney-client privilege to keep breach forensics confidential is not an easy sell. The courts have been unsympathetic. To overcome the undertow of judicial skepticism, breach lawyers end up imposing more and more draconian restrictions on forensic investigators and their communications. The upshot is that no forensics report at all may be written for many breaches (up to 95% of them, Josephine estimates). How does the breached company find out what it did wrong and what lessons it should learn from the incident? Simple. Their lawyer talks to the forensic firm, translates its advice into a high-level PowerPoint, and orally explains the cybersecurity details to the company's management and information security team. Really, what could go wrong?

In closing, Dan and Josephine offer some ideas for how to get out of this mess. I push back. All in all, it's the most fun I've ever had talking about insurance law.

Download the Bonus 435th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.