When an organization conducts a security and privacy assessment, the resulting record of its controls, policies and procedures can unintentionally harm its interests if it is later reviewed by third parties such as regulators or plaintiffs' attorneys. A company embarking on such an assessment needs a strategy, decided before the work begins, that limits what it may be compelled to disclose in future litigation and regulatory investigations.
Today many types of information are statutorily protected, and the regulations that protect them govern how an organization must handle that information. Several of these regulations require an effective security program, which in practice means an enterprise-wide data security risk assessment, in order for the organization to meet its duty of care.
Without proper legal protections from disclosure, a risk assessment report may provide a very valuable roadmap for an adversary. Unfortunately, legal protections are limited when written assessments are prepared by a non-lawyer.
The most effective strategy is to retain an outside law firm to manage the assessment process and the risk remediation strategy that follows from the report. To preserve protection from disclosure, outside counsel retains the security assessment provider directly to perform the cyber security assessment and to produce the report on the organization's vulnerabilities, threats, controls and remediation recommendations. It is critical that the provider's report be addressed to outside counsel and that its findings be incorporated into a more comprehensive report drafted by the law firm.
Courts have recognized that reports prepared at the direction of outside counsel can be protected by the attorney-client privilege. The protection is not automatic: outside counsel must clearly be providing legal advice and supervising the assessment for that purpose, rather than simply receiving a report prepared for business reasons, in order for the privilege to attach.
While there is no guarantee that preparing the report under the guidance of outside law firms will ensure protection from discovery, carefully following the guidance of the Courts will significantly increase the odds that an organization can shield the final product from discovery.
See First Chicago Int’l v. United Exchange Co., 125 F.R.D. 55 (S.D.N.Y. 1989), and United States v. ISS Marine Services, 905 F. Supp. 2d 121 (D.D.C. 2012).