Court Says Cyber Assessments For Legal Counsel Covered by Legal Privilege

JDsupra.com reports on a key decision in an ongoing case that reaffirms the wisdom of what has become a very common and accepted practice. Increasingly, cyber security assessments by external consultants are being done under the leadership of corporate legal counsel, and, as with other retained experts, the communications between these consultants and counsel are subject to confidentiality under attorney-client privilege.

Here is how JDsupra put it:

The Middle District of Tennessee recently issued a key decision in the ongoing Genesco, Inc. v. Visa U.S.A., Inc. data breach litigation. The court denied discovery requests by Visa for analyses, reports, and communications made by two cybersecurity firms Genesco retained after it suffered a data breach on grounds that those materials were protected by the attorney-client privilege and work product doctrine. The decision is crucially important for two reasons.

  • First, it confirms that cybersecurity consultants’ work product and communications—like that of other retained experts—are subject to confidentiality under the attorney-client privilege and/or the work product doctrine when counsel retains the consultants for the purpose of obtaining technical assistance to enable counsel to render legal advice to a client.
  • Second, it validates the decision by organizations to designate legal counsel as the lead in key cybersecurity activities, such as scoping and directing proactive security risk assessments and directing reactive forensic investigations and response efforts following a data breach.

Accordingly, organizations should think ahead, and carefully, about the underlying purposes for any cybersecurity assessment or cyberattack response effort, and the role that counsel (inside or outside) should play.

Read more at: JDsupra.com