Managing the Ramifications of a Network Security Investigation
March 28, 2003
Although operations personnel may not be able to articulate the legal issues presented by corporate espionage, hackers, stolen information, the hijacking of a computer network to distribute an attack or failure to comply with regulatory standards or contractual obligations, each of these scenarios presents a potential liability. Even professionals in the information technology field are encouraging one another to seek legal redress for contractual and statutory failings and for foreseeable wrongs actively or passively facilitated by the owner of an unprepared network. In addition, regulators in the United States and in Europe are focusing on the importance of resilient networks that can withstand an attack.
This increased focus means businesses should consider launching an investigation of their network security; however, the resulting report should not become a piece of potentially incriminating evidence. To avoid this problem, counsel should consider ensuring that any report adheres to the following:
- provides to management and operations the necessary information without being unduly inflammatory
- provides to counsel the necessary information to evaluate the potential for legal liability, to advise on risk reduction and to assess insurance coverage
- does not gratuitously set industry standards against which actions, and inaction, might be measured as negligent
- is not widely distributed outside of a "control group" as a way to reduce the risk of a negative report being revealed to the press, competitors or to employees that might take it as a roadmap for compromising your network (this is not meant to suggest that information be withheld from management or the board of directors if such information would be normally provided)
- is managed in such a way as to enhance protection under a privilege
Possible Protection Under Privilege
As indicated above, reports and conclusions can be protected from discovery if they fall within the attorney-client privilege or, in some jurisdictions, within the self-critical analysis privilege.
Attorney-Client Privilege
The touchstone case in the United States concerning the general application of the attorney-client privilege is the U.S. Supreme Court decision in Upjohn. In this case, the Upjohn Corporation launched an internal investigation of whether one of its overseas subsidiaries had made questionable payments to overseas governments. The internal investigation was managed by counsel and used questionnaires that required responses from a wide range of employees. The Supreme Court held that the investigation, questionnaire and responses were protected by the privilege. Thus, applying the Upjohn line of thinking to the conduct of an internal network security investigation, privilege can be asserted if there is a fundamental legal reason for seeking the information and the correct measures are put into place to increase the likelihood of the privilege being established and preserved.
Privilege for Self-Critical Analysis
Another possible avenue for protecting a self-critical report is that provided by the common-law privilege for self-critical analysis. This privilege, where recognized, is designed to encourage parties to engage in candid self-evaluation without fear that such criticism will be used against them. Although network security audits would seem to fall squarely within this privilege, the practitioner needs to be aware that the U.S. Supreme Court and many of the circuit courts have not definitively accepted or denied a privilege for self-critical analysis. Rather, there is division among the courts about this privilege, and, in many instances, when confronted with a claim of such a privilege they have refused on narrow grounds to apply it to the facts before them. Therefore, it is difficult to ensure that if a self-critical report is produced it will be protected by the privilege.
However, self-critical reports have been protected in instances involving OSHA compliance, environmental audits and non-routine self-evaluation by financial institutions. Some courts, while not explicitly agreeing that such a privilege exists, have considered what the test would be for protecting such an analysis: the information must result from a critical, non-routine self-analysis undertaken by the party seeking protection; the public must have a strong interest in preserving the free flow of the type of information sought; and the information must be of the type whose flow would be curtailed if discovery were allowed.
Possible Steps to Manage the Process
In view of the two potentially relevant privileges, the following steps should be considered to enhance the possibility that privilege will be maintained:
- identify the legal reasons for an investigation
- have management identify counsel as the person conducting the investigation and the legal purpose for the investigation
- have management instruct employees that the investigation is highly confidential and that the investigation and results should not be discussed with anyone who is not a "need to know" employee or part of the consulting team
- have your counsel engage any outside consultants to investigate and provide the facts necessary for legal analysis and operational remediation
- use counsel to sift through results with an eye towards the legally relevant
- use counsel to manage the report's tone and format
- ask consultants for confidentiality provisions that prohibit the sharing of any information gathered, even in an unattributed or aggregated manner
Businesses should consider restricting information access to a control group of employees to reduce the risk of inadvertent disclosure or disclosure by a disgruntled employee. It is also important to consider an initial oral report, institute document control and prohibit electronic distribution of the report. If other employees (outside of the control group) need information, businesses should consider whether that information can be segregated from the rest of the report.
If there are decisions not to undertake certain remediation measures, businesses should seek counsel about the legal ramifications and the duty to act reasonably under the circumstances with respect to any foreseeable risks to others, the duty to minimize damage to others if an incident occurs and whether reasonable decisions need to be documented. It is also important to consider how identified risks might be transferred through appropriate insurance coverage, as well as remediation efforts.
Finally, businesses should consider disclosure responsibilities. Depending on the findings of such an investigation, the benefits of maintaining the privilege may be offset by greater considerations, such as compliance with audit rules, fiduciary duties and other circumstances that need to be evaluated carefully. As an example, if a lawyer involved with a network security audit discovers evidence of a material violation of securities laws that implicates disclosure requirements, the Sarbanes-Oxley Act requires the lawyer to notify the appropriate legal officer of the company and then wait for an appropriate response from that person. Of course, this requires the lawyer to evaluate whether the response was appropriate and whether further notification "up-the-ladder" is necessary.
International Obligations
Multinationals need to be aware of the regulatory requirements to which they may be subject in other countries. For example, in Europe, a new European Union directive places obligations on certain telecommunications operators to take particular steps to ensure the integrity of their network is maintained.
Companies should, therefore, also consider whether they are required to be in compliance with these provisions. If they are, and any network investigation reveals a failure to comply, this could lead to additional regulatory problems and also amount to prima facie evidence of wrongdoing. Companies based in the United States that carry out any non-routine investigations should also be aware of the radically different ways in which privilege operates in overseas jurisdictions and consult their lawyers before commencing investigations in such places.