Incident Response and the Attorney Client Privilege - ShmooCon 2019
Wendy Knox Everette @wendyck
Photo: dfectuoso17
Who am I? Senior Security Advisor at Leviathan Security Group. Hacker lawyer.
I am a lawyer. I am very much not your lawyer.
Shmoo 2019 - @wendyck
https://twitter.com/sarahjeong/status/961633627804024835
What are we protecting and why?
Incident Response Reports… but also Advisory reports, Pen test reports, vulnerability scans…
Why worry about protecting them?
So what is the attorney-client privilege and why are lawyers involved in this anyway?
What is discovery?
Part of civil procedure, the rules that govern civil (not criminal) trials
● Discovery is the process by which both sides share information that is relevant to the dispute
● “designed to prevent ‘trial by ambush’ where one side doesn’t learn of the other side’s evidence or witnesses until the trial, when there’s no time to obtain answering evidence”
https://www.americanbar.org/groups/public_education/resources/law_related_education_network/how_courts_work/discovery/
Fun discovery fact!
The information has to be relevant - but it doesn’t have to itself be admissible in trial.
Isn’t all this information confidential?
But! Some information is NOT discoverable, such as information protected by the attorney-client privilege
What is attorney-client privilege?
What it protects:
● Communications between a client and attorney
● For the purposes of rendering legal advice
● That are made in confidence (don’t repeat that information to anyone else!)
But wait, there’s more
Courts recognize three privileges
1. attorney-client privilege
2. work-product doctrine
3. “non-testifying expert” privilege
Work Product doctrine
Attorney notes about investigations are only discoverable (under FRCP 26(b)(3)) if the other side can show that they have a “substantial need” for them, and the facts couldn’t be obtained any other way “without undue hardship.”
The underlying facts are not protected, but opinion work product that includes information about what happened is protected if it is prepared in anticipation of litigation.
Non-testifying consultants & privilege
FRCP 26(b)(4)(D)(ii)
● opposing counsel cannot discover the work of an expert who is not expected to be called as a witness at trial, unless the opposing side can show “exceptional circumstances” demanding that disclosure
United States v. Kovel, 296 F.2d 918 (2d Cir. 1961):
● Accountant acts as a “translator” for the law firm, helping them to understand the complex technical issues. Work is related to the attorney’s job representing clients
Genesco Inc. v. Visa (M.D. Tenn. 2014):
● “in the Court’s view, the Stroz representative would necessarily be applying his or her specialized knowledge. Thus, Visa’s characterization of its Stroz discovery requests as involving a fact witness is inappropriate.”
What isn’t protected?
“is you taking notes on a criminal fucking conspiracy?”
Ok, we’re experts on protecting information now!
Into the breach: Let’s walk through a data breach, but from the perspective of working with counsel
Lawyers are usually non-technical – but they have a specialized skill set that can have its place in an investigation into a computer security incident
Regulatory concerns
Data breach notification considerations
Some timelines are imposed by regulations like the GDPR, or state laws.
The state data breach laws all vary in what constitutes a breach, who must be notified and how. Attorneys can help craft the relevant responses to meet regulatory requirements about content and deadlines.
Before a security incident
1. Create a plan
2. Consider retaining a lawyer who can help with tabletops and work with you if you suffer a security incident. Ask them about IR teams they’ve worked with and consider retaining one of these teams.
3. Decide on your communications channels
4. Look at your insurance policies (Do you have to notify? Do they have preferred firms?)
Don’t just listen to me
https://twitter.com/RobertMLee/status/1085291137072615426
Hiring a Lawyer
What if we have in-house counsel?
Business v Legal advice
Make sure that in-house counsel notes when they are giving legal advice vs business advice.
Primary purpose test: doesn’t draw rigid distinction between a legal purpose on the one hand and a business purpose on the other. See In re Kellogg Brown & Root, Inc., 756 F.3d 754, 759 (D.C. Cir. 2014)
Confidential headers & email footers
Rather than having a loooooooooong boilerplate footer at the end of every email, emails in which a legal opinion is given should have Privileged & Confidential as the first line.
To: Nancy Drew, CISO
From: Natalia Romanova, General Counsel
Privileged & Confidential
Regarding the security incident we’ve been investigating….
More things to do before a security incident
1. Get your logging, monitoring, observability, alarms and audit logs in shape PLEASE (and please check your timestamps)
2. Make sure all your logs are logging in the same time zone
3. Review your audit log settings in cloud platforms
4. Check your retention: are you saving important logs? How long do you retain?
Don’t just listen to me
https://twitter.com/MalwareJake/status/1085650856089837571
In a breach – Is there a reportable incident?
GDPR, CCPA, NYDFS, HIPAA, State data breach notifications….
We have a reportable breach: now what?
If you’re engaging an outside DFIR firm to assist, should your attorney engage a DFIR team?
Sometimes yes, as their professional opinions are shared with the lawyer and help form the basis of the lawyer’s advice: “At the direction of counsel” means the experts are performing the investigation to assist the attorney in giving legal advice
Crafting the engagement letter
In Genesco v Visa, the Genesco-Stroz retention agreement expressly provided that Stroz’s retention was “in anticipation of potential litigation and/or legal or regulatory proceedings.”
During...
1. Activate your IR team and communications channels
2. Secure evidence and follow directions of the team you hired
3. Follow the advice of the attorney on engaging with regulators and law enforcement
Gathering Evidence
Follow the advice of your DFIR firm and lawyer about how to gather evidence if you anticipate regulatory or legal proceedings
Communications: what is protected by attorney-client privilege
Messages to counsel seeking legal advice should make clear that the person is seeking legal advice & the lawyer’s professional opinion about whether there is a breach and if the breach is notifiable or causes any regulatory obligations
Joint Defense Agreements
Consideration for SaaS and cloud environments: if joint investigations are done, a Joint Defense Agreement should be in place; these are used where parties share a common interest in a legal matter. Schaeffler v. United States, 806 F.3d 34, 40 (2d Cir. 2015)
Are we going to monitor ongoing suspicious activity?
Is it on our servers? (there are CFAA and ECPA concerns otherwise)
Is it reasonable to allow intruders to remain in the network in this case?
When should we engage law enforcement?
Interviewing employees and contractors
Often having outside counsel conduct interviews offers the strongest protections if you are concerned about interview notes being discoverable
LOGS
Please log things. Please pick a time zone. Please only put things in the report supported by the logs or other evidence.
Reports
These should contain a timeline of the breach, the cause, evidence artifacts supporting the timeline and cause.
What happens if you share a lot of the findings of the report in your response to a court case?
If you share too much, you may destroy privilege in the rest of the report. ‘Litigants cannot hide behind the privilege if they are relying on privileged communications to make their case’ or, more simply, cannot use the privilege as ‘a shield and a sword.’ In re United Shore Fin. Servs., LLC, 2018 BL 1881 (6th Cir. 2018)
Things to remember
Takeaways
1. Create a plan
2. Retain a lawyer
3. Set up communications channels
4. Log all the things
5. Secure evidence
6. Communications with your lawyer are seeking legal advice
7. Follow directions of the attorney you hired
Sources
Civil Procedure: http://fordhamlawreview.org/wp-content/uploads/assets/pdfs/Vol_76/Rocci_Vol_76_Mar.pdf
HIPAA Data Breach Notification: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
NYDFS: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
Joint Defense Agreements: https://www.dentons.com/en/insights/newsletters/2015/september/30/practice-tips-for-lawyers/joint-defense-vs-common-interest-agreements
Protecting Reports: https://www.lanepowell.com/portalresource/Corporate-Counsel-Brecher-June-2016-Data-Breach-Response-Teams
Crafting IR Plans: https://www.sans.org/reading-room/whitepapers/legal/paper/37487
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Último (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Incident Response and the Attorney Client Privilege - ShmooCon 2019

  • 1. Incident Response and the Attorney Client Privilege - ShmooCon 2019 Wendy Knox Everette @wendyck Photo: dfectuoso17
  • 2. Who am I? Senior Security Advisor at Leviathan Security Group. Hacker lawyer. I am a lawyer. I am very much not your lawyer. Shmoo 2019 - @wendyck
  • 4. What are we protecting and why?
  • 5. Incident Response Reports… but also Advisory reports, Pen test reports, vulnerability scans…
  • 6. Why worry about protecting them?
  • 7. So what is the attorney-client privilege and why are lawyers involved in this anyway?
  • 8. What is discovery? Part of civil procedure, the rules that govern civil (not criminal) trials ● Discovery is the process by which both sides share information that is relevant to the dispute ● “designed to prevent ‘trial by ambush’ where one side doesn’t learn of the other side’s evidence or witnesses until the trial, when there’s no time to obtain answering evidence” https://www.americanbar.org/groups/public_education/resources/law_related_education_network/how_courts_work/discovery/
  • 9. Fun discovery fact! The information has to be relevant - but it doesn’t have to itself be admissible in trial.
  • 11. But! Some information is NOT discoverable, such as information protected by the attorney-client privilege
  • 12. What is attorney-client privilege? What it protects: ● Communications between a client and attorney ● For the purposes of rendering legal advice ● That are made in confidence (don’t repeat that information to anyone else!)
  • 13. But wait, there’s more
  • 14. Courts recognize three privileges: 1. attorney-client privilege 2. work-product doctrine 3. “non-testifying expert” privilege
  • 15. Work Product doctrine Attorney notes about investigations are only discoverable (under FRCP 26(b)(3)) if the other side can show that they have a “substantial need” for them, and the facts couldn’t be obtained any other way “without undue hardship.” The underlying facts are not protected, but opinion work product that includes information about what happened is protected if it is prepared in anticipation of litigation.
  • 16. Non-testifying consultants & privilege FRCP 26(b)(4)(D)(ii) ● Opposing counsel cannot discover the work of an expert who is not expected to be called as a witness at trial, unless the opposing side can show “exceptional circumstances” demanding that disclosure. United States v. Kovel, 296 F.2d 918 (2d Cir. 1961): ● Accountant acts as a “translator” for the law firm, helping them to understand the complex technical issues. Work is related to the attorney’s job representing clients. Genesco Inc. v. Visa (M.D. Tenn. 2014): ● “in the Court’s view, the Stroz representative would necessarily be applying his or her specialized knowledge. Thus, Visa’s characterization of its Stroz discovery requests as involving a fact witness is inappropriate.”
  • 17. What isn’t protected? “is you taking notes on a criminal fucking conspiracy?”
  • 18. Ok, we’re experts on protecting information now!
  • 19. Into the breach: Let’s walk through a data breach, but from the perspective of working with counsel
  • 20. Lawyers are usually non-technical – but they have a specialized skill set that can have its place in an investigation into a computer security incident
  • 22. Data breach notification considerations Some timelines are imposed by regulations like the GDPR, or state laws. The state data breach laws all vary in what constitutes a breach, who must be notified and how. Attorneys can help craft the relevant responses to meet regulatory requirements about content and deadlines.
  • 23. Before a security incident 1. Create a plan 2. Consider retaining a lawyer who can help with tabletops and work with you if you suffer a security incident. Ask them about IR teams they’ve worked with and consider retaining one of these teams. 3. Decide on your communications channels 4. Look at your insurance policies (Do you have to notify? Do they have preferred firms?)
  • 24. Don’t just listen to me https://twitter.com/RobertMLee/status/1085291137072615426
  • 25. Hiring a Lawyer
  • 26. What if we have in house counsel?
  • 27. Business v Legal advice Make sure that in house counsel notes when they are giving legal advice vs business advice. Primary purpose test: doesn’t draw a rigid distinction between a legal purpose on the one hand and a business purpose on the other. See In re Kellogg Brown & Root, Inc., 756 F.3d 754, 759 (D.C. Cir. 2014)
  • 28. Confidential headers & email footers Rather than having a loooooooooong boilerplate footer at the end of every email, emails in which a legal opinion is given should have Privileged & Confidential as the first line. To: Nancy Drew, CISO From: Natalia Romanova, General Counsel Privileged & Confidential Regarding the security incident we’ve been investigating….
  • 29. More things to do before a security incident 1. Get your logging, monitoring, observability, alarms and audit logs in shape PLEASE (and please check your timestamps) 2. Make sure all your logs are logging in the same time zone 3. Review your audit log settings in cloud platforms 4. Check your retention: are you saving important logs? How long do you retain?
  • 30. Don’t just listen to me https://twitter.com/MalwareJake/status/1085650856089837571
  • 31. In a breach – Is there a reportable incident? GDPR, CCPA, NYDFS, HIPAA, State data breach notifications…
  • 32. We have a reportable breach: now what? If you’re engaging an outside DFIR firm to assist, should your attorney engage a DFIR team?
  • 33. Sometimes yes, as their professional opinions are shared with the lawyer and help form the basis of the lawyer’s advice: “At the direction of counsel” means the experts are performing the investigation to assist the attorney in giving legal advice
  • 34. Crafting the engagement letter In Genesco v Visa, the Genesco-Stroz retention agreement expressly provided that Stroz’s retention was “in anticipation of potential litigation and/or legal or regulatory proceedings.”
  • 35. During... 1. Activate your IR team and communications channels 2. Secure evidence and follow directions of the team you hired 3. Follow the advice of the attorney on engaging with regulators and law enforcement
  • 36. Gathering Evidence Follow the advice of your DFIR firm and lawyer about how to gather evidence if you anticipate regulatory or legal proceedings
  • 37. Communications: what is protected by attorney-client privilege Messages to counsel seeking legal advice should make clear that the person is seeking legal advice & the lawyer’s professional opinion about whether there is a breach and if the breach is notifiable or causes any regulatory obligations
  • 38. Joint Defense Agreements Consideration for SaaS and cloud environments: if joint investigations are done, a Joint Defense Agreement should be in place; these are used where parties share a common interest in a legal matter. Schaeffler v. United States, 806 F.3d 34, 40 (2d Cir. 2015)
  • 39. Are we going to monitor ongoing suspicious activity? Is it on our servers? (there are CFAA and ECPA concerns otherwise) Is it reasonable to allow intruders to remain in the network in this case? When should we engage law enforcement?
  • 40. Interviewing employees and contractors Often having outside counsel conduct interviews offers the strongest protections if you are concerned about interview notes being discoverable
  • 41. LOGS Please log things. Please pick a time zone. Please only put things in the report supported by the logs or other evidence.
  • 42. Reports These should contain a timeline of the breach, the cause, and evidence artifacts supporting the timeline and cause.
  • 43. What happens if you share a lot of the findings of the report in your response to a court case? If you share too much, you may destroy privilege in the rest of the report. ‘Litigants cannot hide behind the privilege if they are relying on privileged communications to make their case’ or, more simply, cannot use the privilege as ‘a shield and a sword.’ In re United Shore Fin. Servs., LLC, 2018 BL 1881 (6th Cir. 2018)
  • 44. Things to remember
  • 45. Takeaways 1. Create a plan 2. Retain a lawyer 3. Set up communications channels 4. Log all the things 5. Secure evidence 6. Communications with your lawyer are seeking legal advice 7. Follow directions of the attorney you hired
  • 46. Sources Civil Procedure: http://fordhamlawreview.org/wp-content/uploads/assets/pdfs/Vol_76/Rocci_Vol_76_Mar.pdf HIPAA Data Breach Notification: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html NYDFS: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf Joint Defense Agreements: https://www.dentons.com/en/insights/newsletters/2015/september/30/practice-tips-for-lawyers/joint-defense-vs-common-interest-agreements Protecting Reports: https://www.lanepowell.com/portalresource/Corporate-Counsel-Brecher-June-2016-Data-Breach-Response-Teams Crafting IR Plans: https://www.sans.org/reading-room/whitepapers/legal/paper/37487
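
The log hygiene points from slides 29, 41 and 42 (one time zone, report claims backed by evidence, retention that reaches back far enough), worked as an added example that is not part of the talk: it normalises log lines from sources that stamp time differently into one UTC timeline, refuses zoneless lines unless the source's zone is documented, lists report claims that cite no artifact, and flags sources whose retention window cannot reach the first event. The log lines, source names and the zone assumed for the db source are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the talk): three sources, three timestamp
# conventions. The db line carries no zone at all, the situation slide 29 warns about.
SAMPLE_LOGS = [
    ("vpn", "2019-01-14T22:05:11-05:00 user=jdoe vpn session opened"),  # local offset
    ("web", "2019-01-15T03:07:40Z GET /reports/export.csv 200"),         # UTC, Zulu suffix
    ("db", "2019-01-15 03:09:02 bulk read table=customers rows=1200"),   # naive: no zone
]
# Zone to assume for sources whose lines carry no offset. The db value is a
# constructed assumption, written down here rather than silently treated as UTC.
SOURCE_TZ = {"db": timezone(timedelta(hours=-8))}

TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})?\s+(.*)$"
)


@dataclass(frozen=True)
class Event:
    ts_utc: datetime  # every event is normalised to UTC before ordering
    source: str
    message: str
    raw: str          # the verbatim line: the evidence artifact the report cites


def parse_line(source, line, source_tz=SOURCE_TZ):
    """Parse one log line into a UTC-normalised Event.

    A line without a zone is accepted only when source_tz documents the zone for
    that source; otherwise we refuse rather than guess, because a silently wrong
    zone shifts that source's events against every other source in the timeline.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"{source}: unrecognised timestamp in {line!r}")
    day, clock, zone, message = m.groups()
    naive = datetime.strptime(f"{day}T{clock}", "%Y-%m-%dT%H:%M:%S")
    if zone == "Z":
        tz = timezone.utc
    elif zone:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    elif source in source_tz:
        tz = source_tz[source]
    else:
        raise ValueError(f"{source}: zoneless timestamp and no documented zone")
    return Event(naive.replace(tzinfo=tz).astimezone(timezone.utc), source, message, line)


def build_timeline(logs, source_tz=SOURCE_TZ):
    """Merge (source, line) pairs from every source into one list ordered by UTC time."""
    events = (parse_line(src, line, source_tz) for src, line in logs)
    return sorted(events, key=lambda e: e.ts_utc)


def unsupported_claims(claims, timeline):
    """Report claims that cite no artifact present in the timeline (slide 41's rule).

    claims is a list of (claim_text, raw_log_line_or_None); anything returned here
    has no log line behind it and does not belong in the report.
    """
    artifacts = {e.raw for e in timeline}
    return [text for text, raw in claims if raw not in artifacts]


def retention_gaps(discovered_at, retention_hours, earliest_needed):
    """Sources whose retention window no longer reaches back to the first event.

    retention_hours maps source -> hours of log kept. A 48-hour HTTPS log and a
    breach found three months later (note 29) shows up as a gap for that source.
    """
    return sorted(
        src for src, hours in retention_hours.items()
        if discovered_at - timedelta(hours=hours) > earliest_needed
    )


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for e in timeline:  # db sorts last once its -08:00 zone is applied, despite its wall clock
        print(e.ts_utc.isoformat(), e.source, e.message)
    claims = [
        ("VPN session opened for jdoe", SAMPLE_LOGS[0][1]),
        ("Customer data was exfiltrated", None),  # nothing in the logs supports this
    ]
    print("unsupported:", unsupported_claims(claims, timeline))
    found = datetime(2019, 4, 15, tzinfo=timezone.utc)
    print("retention gaps:", retention_gaps(found, {"web": 48, "vpn": 24 * 365}, timeline[0].ts_utc))
```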

Editor's notes

  1. https://www.flickr.com/photos/dfectuoso17/6866913836/
  2. I’m a software developer who burned out and went to law school, where I did a concentration in National Security Law. I did a fellowship at ZwillGen here in DC, where I helped with some incident response work from the legal side, and I’m now a Senior Security advisor at Leviathan. So although I am a lawyer, this isn’t legal advice!
  3. Uber v Waymo trial: navigating attorney-client privilege protections can be hard, and doesn’t always succeed. This tweet from Sarah Jeong is from the Uber v Waymo trial. It was referring to the attempt to protect a forensics report in the Uber v Waymo trial. Stroz Friedberg did some forensics on some devices, and the opposing side wanted to access information from their work. As this shows, navigating attorney-client privilege protections can be hard, and doesn’t always succeed. So we’re going to walk through some ways to work with attorneys during a security incident and where you might and might not be able to rely on privilege.
  4. So let’s start with what’s at risk. https://www.flickr.com/photos/clevrcat/35356290074
  5. Reports with sensitive information about security measures. There are various types of reports about computer security that a company might have generated: advisory reports, pen test reports, etc., but also incident response reports. Each of these has very sensitive information about the company’s security measures, and should be treated as highly confidential. https://www.flickr.com/photos/thomashawk/15778289832
  6. Consumers file suit. So why worry about protecting them? Because oftentimes consumers or other parties will file suit after a data breach, and will seek to access IR reports to help prove some theory of liability or to explain what happened. Sometimes people believe that a report might hint at what the company knew before the breach. https://www.flickr.com/photos/_zahira_/4089508430
  7. What attorney-client privilege is, why you’d want to use it, what needs to happen to invoke it. So sometimes in a trial, companies will seek to protect information under the cover of attorney-client privilege. But as we just saw in Sarah’s tweet, that sometimes fails. In this talk we’re going to look at what the attorney-client privilege is, why you’d want to try to use it, and what needs to happen to invoke the privilege. https://www.flickr.com/photos/36350735@N05/8204480370/
  8. Part of the civil trial process: each side shares information with their opponent. It occurs before the courtroom arguments. It’s meant to help courts with a thorough and transparent inquiry into a matter, although these days it also means that trials are often won or lost in discovery fights.
  9. Not everything that’s discoverable can be used as evidence in a trial; you can seek discovery of things that are related and might lead you to things that are admissible. Information that’s discoverable is information that’s “relevant” to the dispute. But not everything that’s discoverable can be used as evidence in a trial and relied on in the courtroom to make your argument. Instead, sometimes you
  10. Yes, confidential - but discoverable - protective orders Information in IR reports, or pen tests, is highly sensitive and confidential. But confidential information is discoverable - the courts can issue a protective order to keep the general public from learning it, but the other side is entitled to know the information if it’s relevant. https://www.flickr.com/photos/neliofilipe/6097881969
  11. Communications with lawyers are shielded Not all information is discoverable. Any communications with your lawyers, for example, are shielded from discovery by the attorney-client privilege
  12. invisibility cloak Probably most of you have heard of this - what you tell your lawyer is protected from disclosure to the other side. You probably think it’s like a giant invisibility cloak covering all your conversations. This privilege protects information that is private to you and your lawyer from discovery by the opposing side in a trial
  13. But there’s more! There are two other related privileges that are even more important in incident response.
  14. Work-product doctrine & non-testifying expert privilege.
  15. Notes that an attorney takes, drafts of trial filings. If an attorney’s notes are the sole record of a particular event, then the other side MIGHT be able to get a copy of them, but it’s very rare. Usually opinions, thoughts, and other preparatory work are not discoverable.
  16. Very relevant: the consultant is NOT expected to be called as an expert witness in the trial (a “translator”). This one is very relevant: if your lawyer hires a technical consultant to work with them, but the consultant is NOT expected to be called as an expert witness in the trial, then the work is protected under this privilege. Note that this has to be someone that the lawyer hires, and who does work in anticipation of litigation, not just for the business as part of their regular job. https://www.theexpertinstitute.com/is-the-work-of-a-consulting-non-testifying-expert-subject-to-privilege/
  17. not everything is protected - there’s a Crime-fraud exception
  18. Now we’re experts
  19. take a look at working with lawyers on a security incident
  20. Regulations, risk. You might ask why you’d want to involve lawyers in handling security incidents to begin with, but they’re very helpful when you have to deal with understanding really boring regulations and laws. They are also experts in risk!
  21. HIPAA: covered entities must notify individuals when there is a breach of unsecured health information, and there are very specific requirements about notification. For example, HIPAA has very specific requirements around breaches: the HIPAA breach notification rule requires covered entities and business associates to notify individuals when there’s a breach of unsecured health information, and has very specific requirements about what the notification must include. https://www.flickr.com/photos/tamasmatusik/12996154324
  22. GDPR’s Article 33: notification to a supervisory authority within 72 hours. State regulations like NYDFS have notification timelines. CCPA (California Consumer Privacy Act): supplements the Data Breach Notification Law with a private right of action. HIPAA: requires HIPAA covered entities & business associates to provide notification following a breach of unsecured protected health information:
    ● The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
    ● The unauthorized person who used the protected health information or to whom the disclosure was made;
    ● Whether the protected health information was actually acquired or viewed; and
    ● The extent to which the risk to the protected health information has been mitigated.
    GDPR: Article 33, “controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority” https://www.flickr.com/photos/thomashawk/6265368346/
  23. Before you have a security incident is the best time to get your house in order: plan, retain a lawyer, comms channels, insurance policies. https://www.flickr.com/photos/thomashawk/12624808043
  24. IR expert on engaging IR firms and things to do. TTX -> tabletop exercises.
  25. Engaging lawyer early; help draft policies; familiar with business; help with tabletops: understand how and when to engage them and how to work together Often, it’s very helpful to have an existing relationship with an attorney who can help you with other things, like drafting privacy policies, so they are familiar with your business and you feel comfortable working with them. And when your company conducts tabletop exercises, the lawyer should be involved so that all involved understand how and when to engage them and how to work together. https://www.flickr.com/photos/mr_t_in_dc/3756880888
  26. In house counsel are really familiar with your business, but they are also advising on business matters as well as giving legal opinions, especially someone like a product counsel who is embedded in a team. And this can be a problem in a security incident. https://www.flickr.com/photos/thomashawk/7268347278
  27. Make clear legal v general business advice. In house counsel should make clear when they’re giving legal advice, as opposed to general business advice. Legal advice, when they are acting as the firm’s lawyer, is protected by the attorney-client privilege. But business advice isn’t. Courts use a “primary purpose test”, asking: was the communication mostly about giving legal advice? If so, it’s more likely to be considered privileged. But it can get very fuzzy, so there are things you can do to make a clearer signal for very sensitive information. https://www.flickr.com/photos/isonic/8434544997
  28. Labeling Privileged & Confidential only on the emails where a legal opinion is given, rather than on ALL emails, is one way to try to help protect the information in the email. It can be a signal to the court that this email is meant to be attorney-client communication & privileged.
  29. Review logging, time zones, cloud settings, and retention of logs. Example: HTTPS logs being kept for only 48 hours, in a breach found 3 months later. https://www.flickr.com/photos/thomashawk/12624808043
  30. Jake on visibility
  31. Set of policies for when you will engage the lawyer: discuss the GDPR 72 hour notification rule, CCPA, NYDFS, state data breach notification laws, and other factors that play into the timeline. Figure out which of these apply to you and so what the relevant drivers for disclosure are. https://www.flickr.com/photos/awphoto/16446807260
  32. Should your attorney engage an IR firm? Yes: to have the most protection, your outside counsel should be the one engaging the firm. https://www.flickr.com/photos/wecand/4862594210
  33. Attorney should direct the investigation, the purpose being to give them legal advice (acting as a translator). Limit distribution of information to non‐attorneys on a need‐to‐know basis; this is in tension with getting your whole team involved in eradicating the problem. The Target case showed one team fixing the issue, and another working with the lawyer to advise. If you’re seeking to protect the information, make sure that everyone is instructed to limit distribution of information to non‐attorneys on a need‐to‐know basis. This can obviously be in tension with getting your whole team involved in eradicating the problem and finding a root cause, so you should consider before the incident begins what strategy you’ll be following. One way courts say you can get around this is to have an internal team working on fixing the problem, and a second, parallel investigation running under the direction of counsel that seeks to determine what happened and seeks the protection of privilege. https://www.flickr.com/photos/mywalkabout/2593530608
  34. Engagement letter: state “in anticipation of legal proceedings”. In the Visa case: “extraordinary circumstances”; Stroz was applying specialized knowledge; calling them a fact witness was inappropriate. When you hire outside counsel or have them hire a forensics firm, the engagement letter should state that the work is in anticipation of legal proceedings or some similar wording. From the Genesco v. Visa ruling: “Visa must establish extraordinary circumstances for this discovery. As to Visa’s characterization of discovery of Stroz as fact discovery, in the Court’s view, the Stroz representative would necessarily be applying his or her specialized knowledge. Thus, Visa’s characterization of its Stroz discovery requests as involving a fact witness is inappropriate. To accept that characterization would effectively eviscerate and undermine the core purpose of Fed. R. Civ. P. 26(b)(4)(D). This Genesco objection is sustained.” https://www.flickr.com/photos/paolobarzman/6353143069
  35. Get the IR team & communications channel going. Secure evidence, follow direction of the lawyer & IR firm. Follow the lawyer’s advice on engaging with LE. https://www.flickr.com/photos/wocintechchat/25392526603
  36. Follow advice about gathering and securing evidence such as logs, emails, chats, etc. https://www.flickr.com/photos/byzantiumbooks/14588963713/
  37. Emails to counsel: frame as asking for legal advice / professional opinion. Discovery tools can exclude based on these terms. Any time you email your in house or external counsel, you should frame it as asking for legal advice or their professional opinion. Communications with these phrases in them can be marked privileged and excluded from discovery. Discovery tools like Relativity will do a search for phrases like this and mark them in a batch for lawyers to exclude from discovery relevance review. If they do go for further review, this is a strong signal that the communication is privileged and should be protected. https://www.flickr.com/photos/byzantiumbooks/14588963713/
  38. Close partner: Joint Defense Agreement, an exception to the rule that disclosing to others breaks attorney-client privilege. If you’re concerned that a suit might be filed both against you and some close partner, you may want to consider crafting a Joint Defense Agreement. These provide an exception to the rule that disclosure to a 3rd party destroys the attorney-client privilege; because you have a common legal goal, you can share information. https://www.flickr.com/photos/rafa2010/8940019556
  39. Follow advice on monitoring: allowing intruders to remain so you can investigate & ensure you have everything when you act to remove them. You should also follow the direction of your counsel when considering how to respond to the breach. For instance, you may want to allow intruders to remain on a network so that you can monitor their activity and make sure that you can fully contain it when you respond. But there may be legal implications to following this path. https://www.flickr.com/photos/73014677@N05/6896177621
  40. Interviews: outside counsel gives greater protection. During an investigation, employees and contractors may need to be interviewed. Having an outside counsel attorney do the interviews will help to protect the interview notes from disclosure. https://www.flickr.com/photos/134398826@N08
  41. Log considerations: time zones. Check what you have logged before an incident. Use logs to generate timelines in the report, support COEs. https://www.flickr.com/photos/sparkfun/6808622369/
  42. Deliver the report to the counsel directing the investigation; they should ask for clarifications etc. When the forensics firm drafts the report, it should have all this information in it, and it should be delivered to the attorney overseeing the investigation, who should be the one seeking edits and clarifications, especially if there’s information about remediations, which you want to protect so that opposing counsel doesn’t say that you were negligent in not implementing them earlier. https://www.flickr.com/photos/sparkfun/6808622369/
  43. Disclosing too much can destroy privilege. These reports are very sensitive, and if not protected as attorney work product they can be discoverable by opposing parties in litigation. https://www.flickr.com/photos/christopherf/8662091067
  44. Review some actionable advice around security incidents.
  45. Before you have a security incident is the best time to get your house in order. https://www.flickr.com/photos/tortured_artist_squee/3847546996