To print this article, all you need is to be registered or login on Mondaq.com.
As reported last week, a state-sponsored hacker may have
breached multiple U.S. government networks through a widely-used
software product offered by SolarWinds. The compromised product,
known as Orion, helps organizations manage their networks, servers,
and networked devices. The hacker concealed malware inside a
software update that, when installed, allowed the hacker to perform
reconnaissance, elevate user privileges, move laterally into other
environments and compromise the organization’s data.
Orion is not only used by government agencies, but is widely
used in both the public and private sectors. According to
another blog, victims of the attack include “government,
consulting, technology, telecom and extractive entities in North
America, Europe, Asia and the Middle East.” SolarWinds’s
recent SEC filings estimate that about 18,000 of its customers may
have downloaded the malware-laden software updates for Orion. To
learn more information about this attack and evolving cybersecurity
threats, please visit the
NSA’s Cybersecurity Advisories & Technical Guidance.
For a list of steps an organization might take to assess the impact
of this issue on its specific situation,
see this blog post.
Whether or not you are one of the impacted customers, the
SolarWinds attack is a reminder of the importance of conducting
incident response and risk assessments under privilege whenever
possible, the importance of performing due diligence before
engaging vendors, and why businesses should implement procedures to
minimize information disclosed to or accessed by vendors. The
attack is also highlights the care that needs to be taken by both
customers and vendors when negotiating data security provisions in
technology contracts.
Conducting Privileged Dual-Purpose Risk
Assessments
The aftermath of the SolarWinds cybersecurity attack has left
organizations scrambling to determine whether their systems have
been breached and the scope of any such breach. Unfortunately, the
documents created by an organization as it evaluates its security
posture are exactly the types of documents that a plaintiff’s
counsel or regulator would like to get their hands on if there is
an investigation or litigation.
To mitigate this concern, risk assessments can be structured in
a way to serve both a business purpose (assessing the state of
security) as well as a legal purpose (assisting counsel evaluate
risks related to the state of security), allowing certain
protections to limit discoverability, including privilege, work
product, and protections under FRCP 26(b)(4)(D). Assessments that
serve both legal and business purposes are known as
“dual-purpose” risk assessments.
Under developing case law, there are a number of ways to conduct
a dual-purpose risk assessment. While courts will consider the
totality of the evidence when deciding whether materials generated
during the course of a risk assessment are privileged or
discoverable, recent cases have emphasized the following
factors.
- Involvement of Counsel: Counsel should be actively
– not passively – involved in every step of the
assessment, from the initial scoping of the assessment (discussed
below), to fact-finding, retaining experts, and drafting any
reports. In other words, as recent cases make clear, it is not
enough to simply state that the assessment was performed at
counsel’s direction. Given that courts look at the totality of
the circumstances when deciding whether or not to maintain
privilege over risk assessment materials, the greater the evidence
that counsel was actively involved, the easier it will be to
distinguish the assessment and investigation from other
ordinary-course-of-business assessments or investigations that
would not necessarily involve counsel. - Scope of the Assessment: The scope of the
assessment, and the process by which the scope is defined, should
indicate that the assessment is driven by a legal purpose. This
means that the scope should be different from those of assessments
conducted in the ordinary course of business, and should clearly
and expressly convey that the assessment is conducted for a legal
purpose. Toward this end, counsel should have at least some direct
involvement in defining the scope, and, as discussed above, the
greater the involvement, the more evidence to support privilege
protection. While the scope will clearly convey a legal purpose,
any stated business purpose for the assessment should be, as one
court explained, “profoundly interconnected” with the
legal purpose. - Distribution of Materials: While materials
generated during the course of dual-purpose risk assessments can be
used for certain business purposes without destroying privilege
protections, some courts have found that the extent to which these
materials are distributed is probative the purposes for which the
work product was initially produced. Wide distribution of these
materials may suggest they were created further to a business, as
opposed to a legal, purpose. As discussed above with respect to
scoping the assessment, permissible business uses generally relate
to areas where the business and legal purposes interconnect.
In the more extreme cases an organization may want to consider a
“Dual Track” approach where separate privileged and
non-privileged investigations proceed in parallel. As the
SolarWinds cybersecurity attack is likely to trigger organizations
to investigate their networks for vulnerabilities and data theft,
it is important to consider the downstream consequences should the
assessment uncover related (or unrelated) vulnerabilities and/or
intrusions. Conducting a risk assessment under privilege may help
companies limit the discoverability of what they learn.
Mitigating Risk Using Diligence, Contractual Obligations and
Data Minimization
The SolarWinds cybersecurity attack serves as a cautionary tale
for all companies and vendors entering into outsourcing software
agreements in their business. No one can predict when a malicious
cyberattack will occur, especially one with the scale and
sophistication of a nation-state attack like this one, but
companies and vendors can take steps now to mitigate their
risks.
- Diligence: Companies and vendors should conduct thorough
diligence (either directly or through a third-party consultant)
prior to finalizing material software or IT vendor agreement.
Outsourced software solutions provide cost-savings and increased
efficiencies, but moving operations off of company systems or
introducing third-party software on to company’s networks can
introduce a fracture point which cyber criminals may target.
Companies and vendors should be aware of each other’s data
security practices, history of cybersecurity incidents, and any
security audits conducted. As the SolarWinds cybersecurity attack
demonstrates, even sophisticated software companies may face
cybersecurity attacks, so after conducting cybersecurity due
diligence, companies and vendors must be prepared to respond and
cooperate if and when a cybersecurity attack occurs.
Additionally, companies and vendors should review and agree
on cybersecurity insurance policies as part of the due diligence
process. - Contractual Obligations: With cybersecurity attacks, one
of the first things companies and vendors do is review their
agreements and determine what steps the parties are required to
take and who is responsible for the costs. As such, when
negotiating software agreements, companies and vendors should pay
careful attention to data breach notification provisions which may
require notification of suspected security incidents sooner than as
required by law. Such provisions may also require the parties to
engage nationally-renowned forensics firms and to promptly respond
to the security incidents or breach. Contractually stipulating each
parties’ notification obligations in the event of a breach may
help clarify the parties’ responsibilities and timing with
respect to notifications to government regulators and the clients
of the company. - Data Minimization: Lastly, the SolarWinds cybersecurity
attack demonstrates that even with detailed diligence, vendors may
be targeted by a breach. Contractual obligations may limit the
costs associated with a breach and downstream legal obligations,
but they cannot retrieve company or customer data once it has
already fallen into the hands of cyber criminals. The only way to
limit the amount of data exposed through cybersecurity attacks is
to limit the amount and type of data shared between companies and
vendors. This may not always be possible, but the companies and
vendors can work together to implement and maintain data
minimization procedures which require employees and any other
individuals accessing the software solution minimize the amount and
type of information provided or generated on such solution.
The SolarWinds cybersecurity attack serves as yet another
reminder that organizations must implement technical, physical and
administrative safeguards to reduce the risk of suffering a breach,
either directly or by a vendor, and to plan ahead in the event that
a breach does occur. By assessing organizational risk and taking
proactive steps when drafting software agreements, companies and
vendors can be better prepared should they become the next
target.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from United States
