EP 6: Cyber Risk Management and Attorney Client Privilege
About this episode
September 4, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, describe how Attorney Client Privilege (ACP) and Attorney Work Product (AWP) doctrine can increase the quality of your cyber risk management practices.
Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: I'm Jake Bernstein, cybersecurity counsel at the law firm of Newman DuWors.
Kip Boyle: This is a show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cybersecurity-related legal responsibilities-
Kip Boyle: And if you wanna manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable, and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cyber security expert. You could find out more by visiting us at CyberRiskOpportunities.com and newmanlaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Today, Jake, we're gonna talk about one of your favorite subjects, attorney-client privilege for better cyber risk management.
Jake Bernstein: Sounds good, let's go ahead and start.
Kip Boyle: Okay. Right. I've heard of attorney-client privilege in movies and television shows, but what is it really and why does it matter for our work?
Jake Bernstein: Sure. So the attorney-client privilege is the oldest privilege recognized by English and American law. A privilege, in general, is an evidentiary rule that says you don't have access to this. It also can prevent ... It will prevent you from testifying in court. You can claim privilege.
Jake Bernstein: So a really common one that most people have heard about is your Fifth Amendment right to not self incriminate. That's considered a type of privilege. What the attorney-client privilege does is, specifically, protect communications between attorney and client that are about legal advice.
Jake Bernstein: Now it's not absolute. For the most part, nothing in law really is absolute, but it is one of the most sacrosanct of the recognized privileges and least likely to be pierced by a court order or by a judge saying, "Testify anyway."
Kip Boyle: When you say pierce, does that ... what you mean by that is ... That little piece of jargon right there means like when you pierce corporate veil?
Jake Bernstein: That's very similar, yes. The idea would be you can ... The privilege can be pierced, can be discarded, it can be set aside. The idea is that we're gonna make a choice to ignore it. There are very few exceptions, broadly speaking to ACP, and they relate to general lawyer ethics overall.
Jake Bernstein: For example, if my client comes to me and says, "Jake, I'm going to kill someone in six hours," I have to report that. That's actually a situation where there is no ACP, and I have to actually report that because it's a risk of death or severe bodily harm.
Jake Bernstein: On the other hand, if that same client comes to me and says, "Jake, I killed someone yesterday," then there is attorney-client privilege and I cannot breach that. Now we're talking about criminal investigations and advice.
Kip Boyle: Okay. A client after the commission of a crime can enjoy the ACP, so that ... Again, I'm going back to the movies here, but that's so they can get the best possible legal representation?
Jake Bernstein: Well, there's a number of reasons for ... One of the justifications is that without the attorney-client privilege, why would you tell your attorney anything? If you know that you can ... So what we really wanna do, ultimately, is we want people to have the best possible defense. They cannot have the best possible defense if they can't be honest and truthful with their attorneys. The only way they can be honest and truthful with their attorneys is if they feel that whatever they tell their attorney stays with the attorney. That's the idea behind the attorney-client privilege.
Kip Boyle: Okay, all right. I wanna go back to something you said a moment ago about ... like if somebody says, "I'm planning to commit murder in six hours," that's not gonna be covered by attorney-client privilege because it's a risk to a person's life. Is there a similar obligation to inform if somebody says, "I'm going to blow up a big building but nobody will be in it. I'm gonna do that in six hours?" That's a great property damage. Does that also invalidate ACP?
Jake Bernstein: That's interesting. I think the risk that life would be harmed is still pretty high in that, but that's a hypothetical that I have not considered in a while. If I can guarantee that no one's gonna be hurt ... I don't know, I have to go ... I'd have to check.
Kip Boyle: Okay. Well, I'm not planning to do anything like that. I just thought it was interesting. All right.
Jake Bernstein: You know what? That aspect is very similar to like the counselor-patient privilege, right? If someone says, "I'm gonna kill that person," you have to make a judgment call. Did they really mean it? Did they not?
Kip Boyle: Right.
Jake Bernstein: Right. It can be confusing.
Kip Boyle: This goes back to my education on the attorney's career, simply by watching television and movies because I remember watching a Sopranos episode where Tony Soprano goes to see his counselor. She explains confidentiality and exceptions to confidentiality. He starts being a little bit more careful about what he says to her because some of the things that he wants to talk about are things that haven't happened yet.
Jake Bernstein: Yeah, that's an issue. Totally.
Kip Boyle: Yeah. Okay. That's attorney-client privilege ACP. I've also heard you talk about something else before, which I think was like attorney work product. Yeah, talk about that.
Jake Bernstein: Yeah. The attorney work-product doctrine is not ... It's not a privilege in the same sense that attorney-client privilege is a privilege, but it is part of the civil rules of procedure and the rules of evidence. Basically what it says is, "My notes, my mental impressions, things I create in anticipation or preparation for litigation are not discoverable." It's related and similar to attorney-client privilege, but it really is ... It adheres to the attorney's work product, hence the name attorney work-product doctrine.
Jake Bernstein: Other actual privileges with varying degrees of strength would include spousal privilege. A judge cannot force a spouse to testify against another or the other spouse. There's the doctor-patient, there is a priest and confessor-type privilege. Those are recognized. A lot of these are ... None of these are absolute, and a lot of them are recognized for a similar reason, right? It's a custom. If we don't recognize that privilege, then people won't do X. So it's kind of the idea here.
Kip Boyle: Interesting, especially the spousal privilege, right? I suppose that, that would be sort of like saying, "Well, for the good of the institution of marriage, if we didn't honor that, then spouses wouldn't tell each other what's going on."
Jake Bernstein: Right. One of the things we haven't really talked about is, with respect to privileges, who owns the privilege, which really means who can waive the privilege? The attorney does not own the privilege. The attorney-client privilege is owned by the client. The client can waive attorney-client privilege, the lawyer cannot.
Jake Bernstein: In the spousal privilege context, both spouses own that privilege and both spouses can waive it. So guess what? It doesn't tend to come up in divorce proceedings because in that situation, they're going to testify against each other all the time. So one spouse can't use that. You can't use it offensively. You can't say, "No, she can't say that because of spousal privilege." It's like no, no. If she waives her spousal privilege, she can say it.
Kip Boyle: Got it.
Jake Bernstein: That's one of the reasons that we talk about the client can ultimately waive privilege when it's time.
Kip Boyle: Okay. This is ... Our listeners might be thinking, "Where is this going?" We're building a little foundation here to talk about why ACP and these other privileges can be useful in terms of managing cyber risks, right?
Jake Bernstein: Yeah.
Kip Boyle: Let's move on in the conversation, and let's talk about ACP. What does that mean in practice? Let's talk a little bit more about that. Then of course, we're gonna talk about how this translates into specifically cyber risk management. What else about the practice of ACP and AWP, right, the attorney work product?
Jake Bernstein: Right. Yeah, attorney work-product doctrine. The way that this works in practice is that if your attorney is giving you advice or you're asking questions of the attorney and the attorney responds with legal advice, those communications are privileged, which means that neither the attorney nor you can be forced to divulge the substance of that communication. Interestingly enough, you aren't necessarily allowed to keep the fact of those communications secret. In the cyber world, we would call that metadata. The metadata of the communications is not secret. For-
Kip Boyle: Right. The metadata is like the day that ... Like there was a call, Kip was on the line, Jake was on the line, it started at this time, it ended at this time.
Jake Bernstein: Right. Or most commonly an email. I might be able to say that an email is ... Or I can claim that an email is privileged. But if I do that, I have to put it on something called the privilege log in litigation. What that is, is a list of documents that I'm withholding, and then based on what privilege, usually the ACP and attorney work product. What that has to ... The privilege log has to describe documents enough that I can potentially contest the claim of privilege or work product.
Jake Bernstein: When I said that the privilege is not absolute, one of the main reasons it's not absolute is that in litigation I can say, "I don't buy it. That wasn't legal advice." This happens all the time with in-house corporate counsel because in-house corporate counsel tends to give a lot of legal advice but also a lot of business-based advice. And business commentary is not privileged. That's what happens.
Jake Bernstein: What a privilege log looks like is your typical email metadata, to, from, CC line, possibly the subject. Although you might be able to redact part of the subject, if there is substance in there, and then of course time, date stamps and all that good stuff. That's what it looks like in practice. The same thing holds true on full documents. If I give a client a memorandum, that memorandum is gonna have so-called metadata as well. When did I give it to them and what's the subject? That kind of stuff would have to be listed in a privilege log.
Kip Boyle: Okay. How interesting? I don't have any experience with this. I can just imagine if somebody showed me a privileged log, I would want to try to pierce as much of that as possible, right? Because I know if it's on the log, then that means that it's relevant. If I was the opposing counsel, I would want access to that. So I would imagine that there's quite a bit of thought and effort put into trying to figure out how to get as much of that off the log and into my hands as possible. Is that about right?
Jake Bernstein: That is right, and that's one of the things that drives up the cost of litigation. The vast majority of the cost of a lawsuit is in the discovery phase, which includes litigating about ... Basically, it's all about what information and what evidence can be exchanged, has to be exchanged and all kinds of stuff, the way that you would contest it is file a motion to compel, which means that you're asking the court to compel production or disclosure of something.
Kip Boyle: Okay, so I'm gonna sue you. I want as much information that you have to help me build my case against you, but you're gonna have a log of things that you're gonna claim are privileged and that those records would not be available to the other party. Is that a good summary?
Jake Bernstein: Well, let's just actually take through an example regarding cyber risk, because-
Kip Boyle: Okay, let's do that.
Jake Bernstein: ... that's really what we're trying to do here.
Kip Boyle: Great.
Jake Bernstein: Here's a quick hypothetical. In other words, a story in attorney speak. This is what happens if you don't think of cybersecurity as "legal advice." Let's say that I am ACME company and I recognize that my cybersecurity and my cyber risk management maybe isn't very good. I have two choices. I can watch ... I have many choices, but in this hypothetical, I have two choices. I'm going to get a cyber risk assessment done. I can either go and find a provider, and I can just hire that provider, and I can do my cyber risk assessment, and go from there. Or I can find an attorney who does cyber risk management, and I can ask the attorney to do a cyber risk assessment and go from there.
Jake Bernstein: Let's take the first ... Option one, let's say that you get your assessment performed by a cyber risk non-attorney provider, and you are ... What's gonna happen in a cyber risk assessment, right? They're gonna tell you what your risks are, they're gonna tell you what you should, how and when, and what you should do to mitigate those risks. They're gonna give you a menu of options. That menu is likely to cost money. Ultimately, you're gonna have to do a number of things. You're gonna have to act on it, you're gonna have to purchase things or spend resources and basically just make a normal set of business choices.
Kip Boyle: Yeah. You may choose to accept some of those risks.
Jake Bernstein: You may choose to accept some of those risks. Really, this is a very normal process. Here's the problem. Let's say that you're informed of 10 significant risks or potential vulnerabilities and you're like, "Okay, we can only fix five of them right now." Six months later, item number six happens to be the root cause of a cybersecurity incident or breach.
Kip Boyle: Right, but you've accepted it for the time being?
Jake Bernstein: Well, you accepted it or you ... Essentially, you've accepted it because you didn't fix it when you could, but there's any ... I mean, there's ... It might have been on the road map, you just didn't get to it yet.
Jake Bernstein: If there's a lawsuit or an investigation, then what's going to happen is, is either the government, whether that's the FTC, or Europe, moving forward with GDPR, or a private lawyer is gonna say, "Basically, give us all your documents related to your cyber risk management." They're probably gonna ask a specific set of questions like did you get a cyber risk assessment?
Jake Bernstein: Now this is one where if you answer no, you lose right away because that's unreasonable per se. If you answer yes, then they'll say, "Great. Who did you use for your cyber risk assessment?" You're gonna have to tell them, "Well, I use this vendor." They're gonna say, "Awesome. We want all communications with that vendor. We want everything that, that vendor gave to you. We want all deliverables from that vendor."
Jake Bernstein: So they basically get to look behind the curtain and see everything that you saw. That's gonna give them a big leg up when they argue in court that you were not reasonable in your cybersecurity.
Kip Boyle: Okay. They'll probably see that, that sixth risk was unaddressed at the time that, that bad thing happened.
Jake Bernstein: They will absolutely say that, that is ... that they will notice that and they will make that their case. What's gonna happen is, is you will spend a lot of time and energy litigating whether or not that was reasonable. They're gonna have a big advantage showing that maybe you weren't reasonable.
Kip Boyle: Okay, so that's option one. Your-
Jake Bernstein: That's option one. Let's look at option two. If you instead hire a lawyer, and let's just say that the lawyer's like, "Yeah, I do cyber risk, and I'm very knowledgeable in this, and I can give you legal advice, but I'm gonna hire the same vendor because I want to have someone come in and assist me with that." This is pretty standard. It's not any different than a personal injury lawyer who hires a private investigator to follow the plaintiff around and catch them playing tennis after they have claimed that they can't move, right?
Jake Bernstein: You see that all the time in TV shows, but it's real. That kind of stuff is real. When the lawyer is supervising this process, there's a number of things that are happening. One, there is attorney work product being made all the time. Why are you doing cyber risk assessment? Well, really it's an anticipation of litigation, ultimately. That's not the only reason you want to be ... You wanna do good cyber risk management. You wanna prevent it. One of the things you're protecting against is a lawsuit. One of the issues in all cyber risk management is whether or not you're reasonable, which is a legal question based on legal precedent.
Kip Boyle: Right. We're saying this all the time these days like with Equifax, and Uber, and Target, and Home Depot, right? These very, very high profile data breaches, there was just ... They were flooded with lawsuits against-
Jake Bernstein: Oh, yes. It's constant. Constant stream of lawsuits. Let's move ahead to the same ... We'll use the same background, same issue arises, number six on the list. This time though when the person asks you, "Did you do a cyber risk assessment?" You're still gonna say yes. Then the next question is gonna be, "Okay. Well, who do you do it with?" You're gonna say, "Our attorney handled that and the remaining information is privileged under the attorney-client privilege."
Jake Bernstein: Then they can ask the same set of questions they were gonna ask. Every time they do, you claim privilege. That means that now, instead of just getting all of that documentation and evidence, and information, now, if they want that, they have to go to court separately just to argue about the attorney-client privilege and whether or not it applies. It's a massive, massive barrier. Like I said, it's not absolute. I mean, even a concrete wall can be knocked down with enough effort, but it is very, very strong.
Kip Boyle: This is really interesting because in my experience, if I was an executive and I wanted to get a cyber risk assessment, thinking back, I would probably not think that a lawyer, it should be the first person that I would go to. I would think about ... Well, I should find somebody who's a technological expert because these cyber risks have all to do about technology. I mean, that seems like the place to go. Why would they go to an attorney first? That's really what we're talking about here. I think what you're ... Another point you're trying to make is that cyber risk isn't so much a technological issue as it's now a legal issue. Isn't that right?
Jake Bernstein: It is. You are. Look, this is actually not any different than environmental law 30, 40 years ago. At some point if your assistant ... If you're an executive of a company and your assistant walks in and says, "Sir, one of our trucks just spilled a ton of coal all over a park." Originally, you're probably gonna say, "Well, that's unfortunate. Why don't you call the cleanup guys," right?
Kip Boyle: Right.
Jake Bernstein: However, once laws were passed about environmental regulation and environmental damages, and once those laws were enforced by, for example, the EPA, instead of saying, "Great, call the cleanup guy," you are immediately on the phone to your lawyer because now you need to protect yourself. That is where we're going with cyber risk.
Jake Bernstein: It's early, but I think more and more clients are wising up to the fact that this can be protected by an attorney, and it should be because let's be clear, what was the reason that we talked about for why you want attorney-client privilege in the first place? The reason is so that you can be honest and open about something that is sensitive.
Jake Bernstein: So imagine doing a cyber risk assessment without an attorney. You basically have to just take the customer's word that what they're telling you is correct. A customer though is never completely unknowledgeable about these things. They may just not tell you something if they feel that, that's a really ... If they know that it's a bad thing. For example, there are five email servers in my basement that are used but that are not part of the corporate network.
Jake Bernstein: That is per se a bad thing. If a lawyer, however, is involved in the process with the protection in place, the client now is now able to more confidently disclose that sensitive information. You kind of .... There's actually multiple levels to why you'd wanna do this. It's not just the legal protection, it's also getting full disclosure from the customer, so that they feel comfortable doing that.
Kip Boyle: Right. So that they can share more freely without having to have some kind of a nagging voice inside their head saying, "Oh, I don't think I should have said that."
Jake Bernstein: Exactly. You see this all the time with currently sexual harassment investigations, things like that. I mean, you're not gonna call HR when you learn about that. You're probably gonna call your lawyer then call HR. That's because you know that there's a lot of legal liability associated with these types of issues. That's really what we're talking about. It's the same thing, and that's why we do it this way.
Kip Boyle: Okay. Just to sum up, if you're an executive and you wanna get a cyber risk assessment or you're asking yourself, "Should I get a cyber risk assessment?" If it occurs to you that like, "Gosh, I don't want all that stuff written down, that could come back to haunt me. I'll just not do the cyber risk assessment. Then if something blows up, I can just say, 'Oh, I had no idea.'" What you're saying is like, "No, that's actually not gonna work."
Jake Bernstein: Well, so I've actually heard people saying, "I don't wanna know. I'd rather not know." The problem with that is that ... I call that the head in the sand defense. It's actually not a defense. If your head's in the sand, then you're not gonna even see me walk up and kick you on the butt and push you over, which is what exactly would happen in a legal sense because if you say, "I didn't even do a cyber risk assessment because I just didn't wanna know." That's indefensible. How can you ever take reasonable cyber security measures if you don't even know what your cyber security risks are? You can't.
Kip Boyle: Right. One of the risks legally there, is not only would you potentially be found guilty of whatever happened, but would that also open you up to a charge of negligence?
Jake Bernstein: Well, absolutely. Negligence is one of the standards involved here. Negligence just means that you had a duty and you breached it. That's a component of your failure to be reasonable.
Kip Boyle: Right. This is fascinating. You can hire an attorney to help you with the cyber risk assessment not just because the attorney is a cyber risk expert, but because that attorney can go and can bring other experts into the situation. You can get as many experts as you want on whatever aspect of cyber risk you want. All of those conversations and all of those reports are all protected by attorney-client privilege. Is that pretty much the sum of it?
Jake Bernstein: It's pretty much true. There's gonna be some rules that have to be followed. But by and large, yes, that is the case. If you're following the rules and keeping the attorney involved and being careful with the privilege, then, yeah. That is the idea, that's how it works.
Kip Boyle: Oh, that sounds like a very good option for executives these days, the way things are going. Any last thoughts about attorney-client privilege?
Jake Bernstein: I would never recommend ... I personally don't think that there's any reason not to do cyber risk work without attorney-client privilege. Perhaps, I'm biased in that statement.
Kip Boyle: You might be.
Jake Bernstein: Maybe self-interested. But I do think that it's a really, really important point and that as these lawsuits and investigations become more common, particularly, as GDPR moves forward, we're talking ... It's March 27th. There are now less than two months until GDPR enforcement begins on May 25th, 2018. That's all gonna be a whole new ball game, and you really wanna make sure that your cyber risk is not only managed but managed under attorney-client privilege.
Kip Boyle: Right, okay. Well, thanks everyone for joining us today on the Cyber Risk Management Podcast. Today, we talked about attorney-client privilege and how that can help you have a higher quality cyber risk management program.
Kip Boyle: Thanks, everybody, for joining us today on the Cyber Risk Management Podcast.
Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.
Kip Boyle: Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. If you wanna manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.
Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.