SANS Digital Forensics and Incident Response Blog

Cloak Your Incident Investigation with Confidentiality

Summary: When an enterprise investigates a data security incident, it is often wise to involve legal counsel early. Counsel may be able to ensure the details of the investigation are kept confidential by law.

Infosec Law and Politics Are Dangerous.

The law and politics surrounding data security are highly adversarial. Legal and political adversaries have incentive to prove that an enterprise like a corporation or a government agency made a mistake (e.g., suffered a breach).

Plaintiff lawyers these days make a lot of money suing enterprises for breaches of patient or customer data.

And, politicians like state attorneys general attract a lot of media attention by hollering at local companies or healthcare entities that have lost personal data.

There is nothing inherently wrong with lawyers bringing lawsuits or politicians complaining in the media.

But an enterprise does not want to expose itself to these attacks if it can avoid them.

Legal Standards Are Subjective and Open to Interpretation.

No enterprise desires to expose sensitive data that has been entrusted to it. But legally speaking, whether data has been "exposed" in any given situation can be a controversial issue. The enterprise and its infosec team may honestly conclude, after carefully reviewing the facts, that the security of data was not breached.

But an adversary, looking at the same facts, might conclude that a breach did happen.

Alternatively, if the enterprise does announce it had a breach, the adversary might conclude the enterprise handled the breach incorrectly and the adversary might exploit this conclusion to extract money or attract attention.

No enterprise wants to give its adversaries unnecessary ammunition to argue that it made a mistake.

Legal Adversaries Can Disagree with the Enterprise's Interpretation of the Facts.

A case in point is a breach at Lucile Packard Hospital in California. In that case, the hospital saw it had an incident; it conducted an investigation; it reached a conclusion from its investigation; and it acted on its conclusion. The hospital concluded that as of a certain date it had suffered a breach and promptly after that date it gave notice of the breach to patients.

Then an adversary, the California Department of Public Health, disagreed with the conclusion of the hospital's investigation. The CDPH said the hospital knew it had a breach two weeks earlier than the date the hospital determined it had the breach. Therefore, said CDPH, by law the hospital sent the notices out late. The health department tried to fine the hospital $250,000.

The hospital disagreed. The parties eventually settled this disagreement for a mere $1100, and both parties declared victory. (smiley face)

But the lesson of the case is that after an enterprise like a hospital conducts an investigation, an adversary has incentive to review the details of the investigation, and second-guess the analysis and conclusion of the investigation.

For the enterprise, the risk that an adversary will comb back through an internal investigation is dangerous. For Packard Hospital the risk ultimately (after lots of argument) cost only $1100. But in other cases the risk could cost much more.

Data Investigations are Tricky.

Data holders like universities and the Packard Hospital commonly conduct investigations of incidents. At the outset of any particular investigation, they don't know what the conclusion will be. They must collect myriad facts and then evaluate those facts.

In infosec law the evaluation of facts is often not a simple, cut-and-dried exercise. The investigation can face many abstract questions, such as:

A. What is definition of a "breach"? and

B. At what point does the enterprise have enough credible evidence to conclude it did have a breach for which notice must be given?

The Packard Hospital case was all about question B.

Subjective Legal Standards Yield Conflicting Conclusions.

Conclusions to these abstract questions are often governed by subjective standards, such as whether the data subjects were exposed to a significant risk of harm. When standards are subjective, different people can draw contrary conclusions from the same set of facts.

When an enterprise sees an incident, it conducts an internal investigation, gathering and assessing the facts. The investigation might conclude, for example, there is no breach because there is no significant risk of harm to data subjects. So the enterprise may honestly decide not to give notice of breach.

But adversaries like legislators, plaintiff lawyers or a state health department would love to second guess the enterprise. They'd like to review the enterprise's investigation . . . all the nitty, gritty details. And they might conclude that there was a significant risk of harm, there was a breach, and therefore the enterprise should be punished for having a breach and for failing to give notice!

The Enterprise Longs for Confidentiality.

Accordingly, the enterprise has incentive to keep its investigation confidential.

secretOne way to promote confidentiality is to involve a lawyer early in the investigative process. The lawyer may cloak the investigation with legal confidentiality under a doctrine called "attorney work product."

If the details of an investigation qualify as attorney work product, then those details cannot be forced out through a subpoena, a lawsuit or other legal process. That is powerful.

Coordinate with Your Attorney in Advance.

Whether and how attorney-work-product should apply to an investigation is to be decided by the attorney in question. The attorney applies the work product doctrine according to standards of law and professional ethics.

In other words, the message to DFIR folks is this: Get to know your legal department. Talk about the attorney-work-product doctrine. Set procedures for invocation of it, before the next incident investigation arises.

What do you think of this idea?

==

Benjamin Wright is an attorney in private practice. At the SANS Institute, he teaches the Legal 523 course, known as Law of Data Security and Investigations.