With significant input from Orrick’s Cybersecurity, Privacy and Data Innovation team, the influential Sedona Conference and its Working Group 11 last week published important guidance on the application of the attorney-client privilege and work-product protection in the cybersecurity context. The comprehensive Sedona Conference commentary provides a framework for federal and state policymakers to amend existing law in several respects, including carving out a limited privilege for information prepared in the cybersecurity context without the involvement of lawyers.
Partner Doug Meal, head of our cyber and privacy litigation practice, served as vice-chair of the conference’s Working Group 11 steering committee and editor-in-chief of the team that drafted the commentary, released in April for public comment. The conference’s Working Group 11 is the body charged with addressing legal issues in the Privacy & Cybersecurity area, and its membership includes a cross-section of prominent plaintiffs’ and defense lawyers, regulators, forensic experts, law professors, judges, in-house counsel and others who specialize in privacy & cybersecurity law.
The Commentary released last week evaluates the application of the attorney-client privilege and work-product protection to an organization’s cybersecurity information (CI). The Commentary seeks to move the law forward by assessing the arguments for and against the discoverability of CI being determined under general principles of attorney-client privilege and work-product protection law as opposed to modifying those principles in the context of CI. Finally, the Commentary considers various proposals for adapting existing attorney-client privilege and work-product protection law, or developing entirely new protections, in the CI context.
Doug and David Cohen, Of Counsel in our cyber and privacy practice who also worked on the project, provide these key takeaways from the Commentary, which will be particularly useful to in-house counsel seeking to understand what factors courts currently use to determine whether the privilege and protection will apply to documents/communications generated before and after a cyber breach.
Among the key findings: