Surprise Capital One court decision spells trouble for incident response

Security incident? Prepare to be surrounded by even more lawyers than usual...

Editor’s note: Our original story described legal privilege exclusively in the context of using outside legal counsel. We’ve since learned of a non-infosec case in which communications with in-house counsel were accepted by a US court as privileged. We didn’t find any examples specific to DFIR, so handle with extreme care… this story is not legal advice! Thanks to Wendy Knox Everette at Leviathan Security for the additional info - she has some handy tips on legal privilege in IR in this ShmooCon talk.

As long as companies have as much to fear from opportunistic litigation as they do from attackers, legal privilege is going to play a role in managing security incidents.

When litigants suing Capital One sought a forensic incident response report into its 2019 data breach, the bank played a reliable card: the report was commissioned by its outside law firm, and therefore subject to attorney-client privilege.

In a surprising move this week, a US District Court rejected the bank’s claim to privilege and ordered the document handed over, in what appears to be an unsettling precedent.

The practice of applying legal privilege to all communications involved in a serious security incident is routine in the United States, and is growing increasingly common across every jurisdiction where there is a requirement to disclose material data breaches.

In order to play the privilege card, the organisation sets up its legal counsel as the reporting channel for all communications about the incident. Counsel then commissions and directs a third-party forensic IR investigation to determine the scope of the incident and whether the attacker (and their malware) have been evicted, and shares the resulting report with the victim company as a form of legal advice. The intent is to render the findings about what happened non-discoverable in future litigation.

The application of privilege is pitched by lawyers as a way to ensure investigations into serious incidents are conducted by impartial specialists that won’t be coloured by institutional thinking or ass-covering.

But it can be disheartening - if not a little jarring - for infosec practitioners to see their legal team spend more on managing the response to an event than was spent on securing the network in the first place. Far from being upset about the Capital One case setting a precedent, many are cheering from the sidelines. To them, legal privilege is the pedantry that prohibits open participation in a post-mortem on what went wrong.

But there is good cause to expect companies will continue to rely on legal privilege, irrespective of the precedent set in the Capital One case.

The United States in particular is a highly litigious environment where every petty grievance gets its day in court. Legal privilege is important to security investigations because many of the people who determine the impact of a security incident on a company - judges, journalists, shareholders - don’t necessarily have a nuanced view of security. To them, security is black and white: you’re secure and diligent, or you’re insecure and negligent.

A good class action plaintiff will turn the best instincts of a security practitioner against this limited worldview. They will seize on any modest admission made over email about what could have been done better as evidence of poor posture. They will hold up snarky Slack comments about warnings unheeded by management as proof of negligence. They will take as-yet unverified observations made in an early draft of a report, compare them to the verified findings in the final report, and present the difference as evidence of a cover-up. That’s the prize they’re after during discovery.

To counter this, many organisations even push penetration testing or red team operation findings through a privileged reporting channel to prevent them being used as evidence against the company in court.

DLA Piper partner Jim Halpert - a specialist in security investigations - spends a lot of his time explaining the privilege protocol to agitated IT teams that don’t like the idea of lawyers calling the shots. “You don’t want to be a witness, do you?” he asks those who would prefer to handle an investigation internally. “Do you want to be deposed?”

Halpert argues that legal privilege “provides a protected space” for a company to explore the root cause of an incident, even if it results in fewer people participating in the analysis.

The other reason use of legal privilege may outlast the Capital One case is that the bank arguably left itself open to the scrutiny of the court by failing to apply privilege with the necessary care and precision.

For legal privilege to stand up, there can’t be any doubt that legal counsel did in fact direct the forensic investigation. When health insurer Premera Blue Cross hired a DFIR firm directly in response to the breach it disclosed in 2015, it wasn’t able to protect the resulting reports when they were sought during litigation in 2017.

While Capital One avoided that mistake - its law firm directed the Mandiant IR report - the law firm used the same terms Capital One and Mandiant had already agreed on under an existing ‘Master Services Agreement’ signed years earlier. The court found that the most substantive change to the terms was a requirement that the report be delivered to the law firm instead of the bank.

The forensics report was also distributed well beyond the law firm and its client. At the bank’s direction, it was shared with 51 staff, several regulators and Capital One’s auditor, Ernst and Young. The court found that the timing of the various agreements - and the “use of the report for business and regulatory purposes” - meant that it wasn’t expressly delivered for the purpose of informing legal advice to the client.

While he wouldn’t comment on the Capital One case specifically, Halpert said that in his professional opinion, “the argument for privilege should not be [lessened] simply because a forensics firm has done other work or has an ongoing relationship”. It would only get tricky if the same firm that was hired to perform post-incident forensics previously provided consulting services to the cyber defence team (they’d effectively be reviewing their own work).

Privilege should apply, he said, “based on whether the counsel has engaged the specific entity for a specific investigation into potential legal risk to the breached entity.”

Linn Freedman, a partner at law firm Robinson+Cole, describes the decision compelling Capital One to hand over Mandiant’s report as “monumental”, in that it punishes organisations for being prepared for a cyber security incident. She argues that setting pre-arranged terms with legal and forensics firms enables a faster response to an incident, which is typically in the best interests of everyone involved.

Dmitri Alperovitch, chairman of Silverado Policy Accelerator and the co-founder and former CTO of Crowdstrike, is concerned the court’s determination could break the business model of keeping IR forensics firms on retainers. It wouldn’t be an ideal scenario, he said, for the CISO to have less say in who is retained to perform forensics than the outside counsel.

The use of legal privilege in security incidents didn’t slow down after the Premera case, perhaps because the insurer made small clerical missteps that others could learn from. By the same logic, it’s unlikely that legal privilege will be dispensed with on the back of the Capital One case. More likely it will be applied with greater rigour, be more expensive, and continue to frustrate internal security functions.

It may become more common, for example, for breached entities to run two tracks of investigation in parallel - one that summarises the underlying facts about the incident to share with regulators, and a second privileged and more detailed report for internal consumption that makes conclusions based on those facts. It’s a more complex and expensive operation to pull off - requiring two independent tracks of inquiry and ‘work product’, but is probably a more palatable path than the risk of losing big in the courtroom.

Legal privilege will likely play a role until such time as companies can be assured of some form of protection from litigation arising from good faith reporting of incidents. Ideally, Risky Business co-host Adam Boileau posits, we’d end up with a “mandated, no-fault public breach response policy where transparent investigation and reporting is accepted as a public good.”

We’re just a long way from getting there yet.

How to navigate the privilege minefield

If your organisation can even afford to think about using legal privilege in a security incident, there are a lot of trade-offs to consider and dozens of ways to trip up. DLA Piper partner Jim Halpert shared a few tips with Risky.Biz on getting it right.

  1. Break in case of emergency: Language is everything. Delineate clearly in all written comms between a ‘potential incident’ and an actual one. Don’t start turning one of the hundreds of security events you see into a ‘security incident’ before the most essential facts are understood. Halpert’s threshold for incidents that need to be covered by legal privilege is any of the following:
     a) an incident that gives rise to an obligation to notify a regulator, or a contractual obligation to notify a business partner;
     b) an incident that exposed trade secrets or would otherwise affect the company’s share price;
     c) an incident that would cause a significant reputational hit to the company; or
     d) an incident in which a crime is committed.
  2. Don’t cross-pollinate: It may be necessary to run two tracks of inquiry - one that limits itself to statements of fact, and a privileged one that makes observations or recommendations based on those facts. The two tracks must be kept completely independent of each other for the privileged inquiry to stay protected.
  3. Explain the rules of the road: Explain to any staff with knowledge of an incident why the concept of privilege is important, and read them in on how best to follow the protocol. Agree to keep communication about the incident off email, instant messaging and any other recorded format that could be discoverable.
  4. Don’t overshare: All the hard work of keeping a document covered by privilege goes out the window if the final result isn’t carefully handled. The only version of the report that should sit on the breached entity’s systems is the final version prepared by legal counsel, and it should only be sent by counsel to the relevant recipients. If you’re not copied in, chill - you’re probably not being deliberately kept out of the loop - it’s just a legal precaution. Ask for a verbal read-out.
  5. Summarise: If you want to hold a ‘lessons learned’ session, work with legal counsel to prepare a non-privileged summary to share with staff.