Legal Privilege

Disclaimer

First I want to start out by saying I am not a lawyer and I don’t play one on TV. This blog post is a summation of legal advice I have been given over the course of my career as a CSO/CISO. These are my opinions and should not be considered legal advice. If you need legal advice seek out a lawyer within your company or your professional network. Legal advice will differ based on your company’s risk profile, your lawyer’s background and experience, the specific situation, what geographic regions your company operates in and the industry you are in. I highly recommend you and your team have regular briefings from your legal department to refresh the concept of legal privilege and any other legal concepts they think are important.

Ok, with that out of the way let’s dive in.

What is legal privilege?

Legal privilege protects recorded communication (like email) between you and a lawyer. Specifically, this communication needs to seek or convey advice from the lawyer. For example:

“Dear Lawyer, I need legal advice about the following…”

Why Is Legal Privilege Important?

When seeking legal advice, legal privilege protects the communication from legal discovery. This means if your company is sued and you go to court, these communications about this legal advice can’t be used as evidence. It also gives you a choice: use a form of recorded communication and invoke legal privilege so that the communication is on record, or use an alternate, non-recorded form of communication so the communication is not on record. This is a really important concept for a CSO to understand and a tool to use to protect themselves, their team and ultimately the company. By invoking legal privilege for key conversations that are discoverable, you can ensure those conversations will be protected from a legal standpoint.

How Do I Invoke Legal Privilege?

Generally, legal privilege can be invoked by you to a lawyer, or by a lawyer to you. The exact details of how to do this may vary depending on your company, your legal counsel, etc. but here are a few ways to invoke legal privilege via email.

  • Include the lawyer in the To: line
  • Keep the audience to an absolute minimum
  • Header and Body should include the word PRIVILEGED at the start (or some other indicator specified by your counsel)

How Do I Include Other People In The Legal Privilege?

If you need to include other people in the email (like your management chain), then ask your legal counsel to include them. If someone gets added that shouldn’t be on the thread, ask the lawyers to remove them from the thread. If someone claims they need to be included, forward their claim to the lawyers to evaluate if they truly need to be on the thread or not. The wider the audience, the more difficult it is to claim legal privilege and it is even possible to lose legal privilege.

Can I Lose Legal Privilege Once It Is Invoked?

Yes. If the email thread is distributed to a larger audience than needed, this can cause you to lose legal privilege. For example, if you are discussing a security incident with your lawyers and someone unnecessarily copies an email distro to the thread, this can cause you to lose privilege. This means all of the emails will now be discoverable.

Are There Other Circumstances Where I Am Not Protected?

This should be a no-brainer, but you are not protected by legal privilege if you are participating in crime or fraud.

You are also not protected by legal privilege if you don’t invoke it. This means non-privileged documents are not protected just because they are in the possession of a lawyer.

Is Legal Privilege The Same Everywhere?

No. Legal privilege differs by country. The bar for establishing and maintaining legal privilege can be much higher in some countries than in others. If you are part of a global company, I recommend you get briefings from lawyers that are familiar with the laws in the countries where your company does business.

Examples Of When To Use Legal Privilege

First off, I just want to say legal privilege does not mean you should copy your legal counsel on every email. Legal privilege is not designed to protect all your emails / communications. It is only designed to protect advice between you and a lawyer. That being said, if you are communicating with a lawyer, it is a good idea to always invoke legal privilege so that the communication is protected.

Here are some examples of when to invoke legal privilege:

Discussing A Security Incident

“Dear Lawyer, please advise what course of action we should take due to this incident…”

This is probably the most common way a CSO will use legal privilege. Discussing an active incident, customers impacted, legal ramifications, etc. should all be done under legal privilege between you and your legal counsel.

Changes To Industry Regulations

“Dear Lawyer, please advise how our company should adjust to this new industry regulation…”

I recommend seeking the advice of your legal counsel and invoking legal privilege for changes to industry regulations. I recommend this because the interpretation of the change may indicate your company is not compliant or is going to take some other course of action.

Disclosing Information To Customers

“Dear Lawyer, I am unsure how to respond to this customer, please advise…”

Transparency should always be the goal, but sometimes there are things that shouldn’t be disclosed externally. When a customer makes a request for a new piece of information I recommend seeking the advice of your legal counsel about how to respond and then standardize that response for other customers. Sometimes the response will be – “we don’t provide that information externally”. Or, the response may be a limited set of the information requested. It will all depend on what your legal counsel recommends based on the risk publicly disclosing the information presents to your company.

Legal privilege is a complex area to navigate, but one that is essential for every CSO to have in their toolbox. Understanding when to invoke it, how to invoke it and how to maintain it is essential for success in the role. The legal department is an essential partner for any CSO and their organization. I recommend building a relationship with them and having legal help you work through scenarios where legal privilege is needed. When in doubt, I recommend explicitly invoking privilege between you and your lawyer.

Author: Lee Vorthman

I'm a U.S. Navy veteran and the Global Chief Security Officer (CSO) at a Fortune 100 cloud company where I've built a successful security program from the ground up and have partnered with the business to increase trust and reduce risk. I have over 25 years of experience across a wide variety of industries such as technology, government & defense, education and oil & gas. I hold a number of professional certifications such as EC-Council's Certified Chief Information Security Officer (C|CISO), Digital Director's Network (DDN) Board Certified Qualified Technology Expert (QTE) and ISC(2) Certified Information Systems Security Professional (CISSP). Previously I was the Chief Technology Officer (CTO) for Civilian Agencies and Cybersecurity Initiatives at NetApp U.S. Public Sector and the Chief Information Security Officer for an Oil & Gas software company. I am available for consulting and speaking opportunities. Thoughts and opinions are my own and do not represent any employer past or present.
