Ensuring Privilege of a Pre-Breach Cybersecurity Assessment
September 20, 2017
The question of whether an organization will confront an attack on its information technology systems has, unfortunately, become a question of when, not if. In response, organizations of all sizes and types are taking steps to identify and mitigate cybersecurity risks in advance of an attack. While overall, this is desirable exercise, in doing so, many organizations are inadvertently creating a roadmap to their cyber shortcomings which a plaintiff’s attorney will seek to capitalize on during litigation following an attack. However, by involving counsel early in the pre-breach assessment process, organizations positions themselves to argue that their pro-active assessments are not subject to disclosure because they constitute privileged attorney-client communications.
Otterbourg’s Erik Weinick discusses these and other related issues in an article entitled: “Ensuring Privilege of a Pre-Breach Cybersecurity Assessment,” published in the September issue of the New York State Bar Association Journal, a copy of which may be found here.