Seyfarth Synopsis: The attorney-client privilege is a bedrock legal principle that protects a client from having to provide a court or adversary with confidential communications exchanged with an attorney in the course of providing or receiving legal advice. Cybersecurity data breaches, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived.

A growing number of ransomware attacks have begun including data exfiltration capabilities. This is a response to victims refusing to pay ransomware ransoms and instead recovering from backup or other means. Threat actors have decided that taking data provides them some insurance against this activity, thus increasing their chance of obtaining payment after a successful attack.

This generally plays out as follows:

  1. The threat actor deploys the ransomware.
  2. A demand for payment in Bitcoin is made. The amount demanded is typically based on the volume of encrypted data. Meanwhile, the malware begins siphoning data and uploading it to the threat actor. As the song and dance of negotiation with the threat actor plays out, data is leaving the organization, often without its knowledge.
  3. If the victim organization ultimately refuses to pay the ransom to obtain the decryption key for its data, the threat actor then responds with a new demand: “We actually have your data as well. We will publicly release it unless payment of X Bitcoin is made within 120 hours.” Usually, the amount of this extortion demand is more than the original ransom for which the threat actor was offering decryption services. This is certainly a punitive response by the threat actors.
  4. Finally, if the extortion demand isn’t paid, the data is typically released on the Dark Web.

Case Law Summary

While publicly disclosed stolen/leaked documents do not automatically lose their privileged status, there are situations in which a party’s own actions in preventing such leakage, or its failure to reclaim the leaked data, can cause a waiver.

To determine whether a waiver has occurred, courts typically look to: (1) whether the disclosure was inadvertent or involuntary; and (2) whether reasonable protections were taken to safeguard the privileged material.

Courts will generally protect privilege where the disclosure is involuntary or compelled, i.e., where it is accomplished by another person “through criminal activity or bad faith.” Walton v. Mid-Atl. Spine Specialists, P.C., 694 S.E.2d 545, 551 (Va. 2010); see, e.g., Resolution Trust Corp. v. Dean, 813 F. Supp. 1426, 1429 (D. Ariz. 1993) (unauthorized disclosure of internal memo subject to strict confidentiality restrictions did not waive privilege); In re Dayco Corp. Derivative Sec. Litig., 102 F.R.D. 468, 470 (S.D. Ohio 1984) (diary subject to attorney-client and work product privilege remained privileged after publication of excerpts in a newspaper where no indication existed that the diary was voluntarily supplied to the paper).

Where the disclosure is in part due to a person’s inadvertence, however, courts will limit the waiver to the disclosed information. See City of Pontiac General Employees’ Retirement System v. Wal-Mart, Inc., No. 5:12-cv-5162, 2018 WL 1558572, at *2-3 (W.D. Ark. 2018) (media publication of stolen privileged documents waived privilege as to those documents, but not as to undisclosed information); Ewald v. Royal Norwegian Embassy, No. 11-cv-2116, 2014 WL 1309095, at *7 (D. Minn. 2014) (“If a court finds that a party waived privilege by inadvertently disclosing privileged information, the waiver is limited to the disclosed information and does not extend to the entire subject matter of the disclosed information.”).

Irrespective of whether the court finds that the conduct was inadvertent or involuntary, privilege will only be maintained “where reasonable precautions have been taken against eavesdropping or theft.”  Dukes v. Wal-Mart Stores, Inc., No. 01-cv-2252 CRB (JSC), 2013 WL 1282892, at *4–6 (N.D. Cal. 2013); Suburban Sew ‘N Sweep, Inc. v. Swiss–Bernina, Inc., 91 F.R.D. 254, 260 (N.D. Ill. 1981) (noting that “if the client or attorney fear such disclosure, it may be prevented by destroying the documents or rendering them unintelligible before placing them in a trash dumpster”).

In cases of involuntary disclosure, at least one court has held that waiver occurs only when the holder has failed to take reasonable steps to reclaim the protected material.  See United States v. de la Jara, 973 F.2d 746 (9th Cir. 1992) (privilege had been waived as to communications disclosed under compulsion by law enforcement authorities where defendant failed to avail himself of various legal means that would have enabled him to claim the privilege or recover his property).

Why this Matters

Where a victim organization refuses to pay both the decryption ransom and the extortion ransom, its data is almost certainly going to be released publicly. When this happens, if we follow the logic in Dukes, one can clearly see the issue for the victim organization. Is failure to pay a ransom reasonable? Does that failure still allow the organization to assert privilege over the data when it alone was in a position to intervene and prevent the release?

In a world where cybersecurity insurance is becoming common and necessary, this further lowers the victim organization’s out-of-pocket expenses relating to protection of privilege in situations of data exfiltration/extortion by threat actors.  Parties may spend large amounts of money reviewing documents in litigation for privilege and withholding them from other parties in litigation, but then when faced with ensuring protection of those same types of documents against public disclosure, they may fail to take steps to do so.

Ultimately, courts have not opined on this situation directly, but any organization faced with extortion demands should be extremely wary of ignoring a ransomware/extortion demand where this may result in a waiver of privilege and confidentiality over any documents that are summarily leaked to the public domain based on that decision. Certainly, if it is determined that the threat actor is on the OFAC (Office of Foreign Assets Control) list and the organization is prohibited by law from paying the ransom/extortion, courts may afford greater protection to the victim organization where its reasonable protective step of paying the ransom was legally prohibited. The Ewald case is an example of compelled involuntary disclosure. However, where a victim organization is in a position to protect its own data and fails to do so, it will be difficult to argue that privilege is maintained once documents are publicly available.