Data Privacy/Security Audits and the Preservation of Attorney-Client and/or Work Product Privilege

BY BENJAMIN SLEY, J.D., LL.M., CIPP

We’ve seen the recent headlines about COVID-19 and the rise of the remote workforce with resultant security vulnerabilities. We’ve also seen the recent headlines about the most extensive data breach to date involving SolarWinds software that has affected the Pentagon, the State Department, many government agencies, and up to 18,000 public and private users including many Fortune 500 companies!

The federal Cybersecurity & Infrastructure Security Agency (CISA.gov) has requested that all corporations affected by this breach perform a comprehensive security audit for determination of breach and possible remediation. As a matter of “best practices” all corporations, whether publicly traded or privately held, should have a third-party cybersecurity audit conducted to prevent or remediate data breaches.

To instill public confidence in the protection of data and privacy, these companies should prepare for security and privacy compliance with an independent third-party audit such as the American Institute of Certified Public Accountants (AICPA) “SOC 2 Type 2” audit (covers a period of six months to one year) by a CPA firm, or an “NIST 800-171” audit by a technical computer security firm. A “SOC 2 Type 2” report is acceptable for the required annual Sarbanes Oxley Act reporting compliance for publicly traded companies. Clients and customers today demand such audit reports to certify that the company has stringent, comprehensive system and organizational controls in place to properly protect data and privacy.

A company needs to know how to protect against the disclosure in court of a “Qualified” (negative) or adverse audit report, which could enumerate a corporation’s security failures or negligence.

If a data breach has occurred or is suspected to have occurred, the case of In re Capital One Consumer Data Sec. Breach Litigation, MDL No. 1:19md2915 (AJT/ JFA) (E.D. Va. Jun. 25, 2020), is instructive regarding preserving work-product privilege. In In re Capital One, the district court concluded that the cybersecurity audit report in that case was not protected under “work-product privilege” since the law firm, Debevoise & Plimpton, was hired by Capital One after the breach to receive a cybersecurity report previously contracted for by the company with the same technical auditor, FireEye, prior to the breach. The court held that Capital One failed to prove the two-prong test for work-product privilege set forth in RLI Insurance Co. v. Conseco, Inc., 477 F. Supp. 2d 741, 748 (E.D. Va. 2007). The RLI test provides that in order to successfully claim work-product privilege, a court must find that the document at issue (1) was created “when the litigation is a real likelihood and not merely a possibility”; and (2) would not have been created in essentially the same form in the absence of litigation. Capital One met the first prong, but failed the second prong, because it failed to establish that the report would not have been prepared in substantially similar form “but for the prospect of the litigation.”

To preserve attorney-client privilege, the corporate general counsel should interface directly with the CPA firm or technical firm and have them report directly to the GC, not to the chief information officer or data security officer.

If there is concern a company may have existing security vulnerabilities or that a breach has already occurred, the general counsel should retain a law firm to provide legal advice regarding the vulnerabilities or breach, reporting that legal advice directly to the general counsel. The CPA firm or technical firm retained by the law firm should not be a firm that has a pre-existing contract with the company to provide security or audit services. The CPA firm or technical firm should be paid directly by the law firm, not the company. Taking these precautions will likely be sufficient to preserve attorney-client and/or work-product privilege regarding the cybersecurity report; however, each case, of course, will be determined upon its own unique facts. AL