Cloaking Threat Risk Assessments Under Legal Privilege
Threat risk assessments against technology-based systems and surrounding environments are increasingly mandated by customers and regulators. Threat risk assessments (TRAs) are typically done either pre-breach event as internal due diligence, or responsive to an event to determine the origins of the event and the scope of the impact. The breadth and penetration level of TRAs vary, but they are inherently intrusive, command significant time and financial resources, and will inevitably result in disclosing areas of possible vulnerabilities.
The intent of TRAs is in part to identify those weaknesses, but that goal is often balanced by the concern that having actual knowledge of weaknesses and vulnerabilities exposes businesses to greater liability upon a breach event if the business was unable to implement a solution before the breach event occurs. Rectifying vulnerabilities, which could include simply catching up on ever-changing industry standards, often takes a significant amount of time to complete and that assumes that the business in question has the resources to allocate to such effort (whether or not this is simply the cost of doing business can be discussed another time). That inherently leaves a period of time between when an organization becomes aware of a vulnerability and when the solution is in place.
In the United States, many law firms have standing agreements with cyber security experts to undertake TRAs. This is often done with the view that if the law firm engages the cyber security expert to perform the TRA and provide the resulting TRA report to the law firm, the TRA report and findings therein would be protected by a form of legal privilege and harder to use against the client should someone want to discover that TRA report. This approach has been tested in limited cases in the United States, and in certain post-breach incident TRAs, it has had some success. (We refer you to an Order issued by the U.S. District Court of Minnesota on October 23, 2015 by a U.S. Magistrate Judge, Jeffrey J. Keyes, in the matter relating to Target and a TRA prepared by Verizon Business Network Services).
In Canada, the approach of law firms retaining cyber security experts to undertake the TRAs is less prevalent, but the merits and limitations should be considered.
A fundamental role of lawyers is to provide advice to clients on legal exposures and risks and to help provide solutions. Proper and comprehensive advice in this regard can be provided only if all of the relevant facts are known. TRAs require a level of knowledge and expertise that most businesses and managers do not possess and, as a result, often only third-party experts can provide this information.
For solicitor-client privilege to apply, the communication must be between solicitor and client; the communication must entail the seeking or giving of legal advice; and the parties must intend the communication to be confidential. Solicitor-client privilege is sacrosanct, it exists independent of litigation and once solicitor-client privilege is established, it is infinite in duration, unless waived.
Generally, legal advice that is prepared by a lawyer for its client, even if it is about system vulnerabilities, would be covered by solicitor-client privilege. However, it is not as certain whether solicitor-client privilege would apply to the TRA that is used to draft that legal advice. As the Ontario Court of Appeal stated in General Accident Assurance Co v. Chrusz, "not every communication by a third party to a lawyer that facilitates or assists in giving or receiving legal advice is protected by client-solicitor privilege." However, the Court goes on to state that "[i]t is, however, well-settled that client-solicitor privilege can extend to communications between a solicitor or a client and a third party." The question of whether or not privilege applies to a particular report/communication/document that is prepared by a third party for, or on behalf of, a solicitor for the provision of legal advice to a client is fact-specific and depends on satisfying the requirements set out by the courts. Case law that considers reports/communications prepared by third parties given to solicitors for legal advice to clients is mixed.
The arguments supporting cloaking a TRA performed after a breach event and when litigation is reasonably contemplated being protected by litigation privilege is more positive. Litigation privilege is different than solicitor-client privilege. Litigation privilege can extend to third party reports and communications, but a key element is that litigation privilege applies where the dominant purpose of the communication relates to existing litigation or when litigation is reasonably contemplated. If the TRA is made for the solicitor's information for the dominant purpose of pending or contemplated litigation, there is a good chance the TRA report will be protected by litigation privilege. The privilege applies to any and all documentation (even those prepared by third parties) if made for the solicitor's information for the dominant purpose of pending or contemplated litigation.
However, in addition to ensuring that the TRA and corresponding communications are prepared for existing or reasonably contemplated litigation (as opposed to simply investigating how and why the breach occurred), there are a few other important points to keep in mind. If the lawyer or the client intends to call the cyber security expert that prepared the TRA as an expert at trial, the report and the instructions to the expert may become discoverable by the opposing side. As well, one must appreciate that litigation privilege expires once the contemplated litigation ceases to exist, so the TRA will be discoverable in future litigation.
At this point, there can be no certainty about whether a TRA report will be protected by solicitor-client privilege or litigation privilege. However, as TRAs are increasingly being required by customers and regulators, it may be useful to at least attempt to structure the TRA, the relationship with the cyber security firm, and the corresponding TRA report in a manner where arguments about solicitor-client privilege and/or litigation privilege may be made. Of course, any retainer with a client in this regard should be clear that the strength of these arguments are very fact specific and the courts may or may not uphold it.
*With assistance from Mark Strychar-Bodnar, a 2015-2016 articling student at the firm.