As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely used software product offered by SolarWinds. The compromised product, known as Orion, helps organizations manage their networks, servers, and networked devices. The hacker concealed malware inside a software update that, once installed, allowed the hacker to perform reconnaissance, elevate user privileges, move laterally into other environments, and compromise the organization’s data.

Orion is not only used by government agencies but is widely used in both the public and private sectors. According to another blog, victims of the attack include “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” SolarWinds’s recent SEC filings estimate that about 18,000 of its customers may have downloaded the malware-laden software updates for Orion. To learn more about this attack and evolving cybersecurity threats, please visit the NSA’s Cybersecurity Advisories & Technical Guidance. For a list of steps an organization might take to assess the impact of this issue on its specific situation, see this blog post.

Whether or not you are one of the impacted customers, the SolarWinds attack is a reminder of the importance of conducting incident response and risk assessments under privilege whenever possible, the importance of performing due diligence before engaging vendors, and why businesses should implement procedures to minimize the information disclosed to or accessed by vendors. The attack also highlights the care that needs to be taken by both customers and vendors when negotiating data security provisions in technology contracts.

Conducting Privileged Dual-Purpose Risk Assessments

The aftermath of the SolarWinds cybersecurity attack has left organizations scrambling to determine whether their systems have been breached and the scope of any such breach. Unfortunately, the documents created by an organization as it evaluates its security posture are exactly the types of documents that a plaintiff’s counsel or regulator would like to get their hands on if there is an investigation or litigation.

To mitigate this concern, risk assessments can be structured in a way that serves both a business purpose (assessing the state of security) and a legal purpose (assisting counsel in evaluating risks related to the state of security), allowing certain protections to limit discoverability, including privilege, work product, and protections under FRCP 26(b)(4)(D). Assessments that serve both legal and business purposes are known as “dual-purpose” risk assessments.

Under developing case law, there are a number of ways to conduct a dual-purpose risk assessment. While courts will consider the totality of the evidence when deciding whether materials generated during the course of a risk assessment are privileged or discoverable, recent cases have emphasized the following factors.

  • Involvement of Counsel: Counsel should be actively – not passively – involved in every step of the assessment, from the initial scoping of the assessment (discussed below), to fact-finding, retaining experts, and drafting any reports. In other words, as recent cases make clear, it is not enough to simply state that the assessment was performed at counsel’s direction. Given that courts look at the totality of the circumstances when deciding whether or not to maintain privilege over risk assessment materials, the greater the evidence that counsel was actively involved, the easier it will be to distinguish the assessment and investigation from other ordinary-course-of-business assessments or investigations that would not necessarily involve counsel.
  • Scope of the Assessment: The scope of the assessment, and the process by which the scope is defined, should indicate that the assessment is driven by a legal purpose. This means that the scope should be different from those of assessments conducted in the ordinary course of business, and should clearly and expressly convey that the assessment is conducted for a legal purpose. Toward this end, counsel should have at least some direct involvement in defining the scope, and, as discussed above, the greater the involvement, the more evidence to support privilege protection. While the scope will clearly convey a legal purpose, any stated business purpose for the assessment should be, as one court explained, “profoundly interconnected” with the legal purpose.
  • Distribution of Materials: While materials generated during the course of dual-purpose risk assessments can be used for certain business purposes without destroying privilege protections, some courts have found that the extent to which these materials are distributed is probative of the purposes for which the work product was initially produced. Wide distribution of these materials may suggest they were created in furtherance of a business, as opposed to a legal, purpose. As discussed above with respect to scoping the assessment, permissible business uses generally relate to areas where the business and legal purposes interconnect.

In the more extreme cases, an organization may want to consider a “Dual Track” approach, in which separate privileged and non-privileged investigations proceed in parallel. As the SolarWinds cybersecurity attack is likely to trigger organizations to investigate their networks for vulnerabilities and data theft, it is important to consider the downstream consequences should the assessment uncover related (or unrelated) vulnerabilities and/or intrusions. Conducting a risk assessment under privilege may help companies limit the discoverability of what they learn.

Mitigating Risk Using Diligence, Contractual Obligations and Data Minimization

The SolarWinds cybersecurity attack serves as a cautionary tale for all companies and vendors that enter into outsourced software agreements. No one can predict when a malicious cyberattack will occur, especially one with the scale and sophistication of a nation-state attack like this one, but companies and vendors can take steps now to mitigate their risks.

  • Diligence: Companies and vendors should conduct thorough diligence (either directly or through a third-party consultant) prior to finalizing any material software or IT vendor agreement. Outsourced software solutions provide cost savings and increased efficiencies, but moving operations off of company systems or introducing third-party software onto a company’s networks can create a fracture point that cyber criminals may target. Companies and vendors should be aware of each other’s data security practices, history of cybersecurity incidents, and any security audits conducted. As the SolarWinds cybersecurity attack demonstrates, even sophisticated software companies may face cybersecurity attacks, so after conducting cybersecurity due diligence, companies and vendors must be prepared to respond and cooperate if and when a cybersecurity attack occurs. Additionally, companies and vendors should review and agree on cybersecurity insurance policies as part of the due diligence process.
  • Contractual Obligations: When a cybersecurity attack occurs, one of the first things companies and vendors do is review their agreements to determine what steps the parties are required to take and who is responsible for the costs. As such, when negotiating software agreements, companies and vendors should pay careful attention to data breach notification provisions, which may require notification of suspected security incidents sooner than required by law. Such provisions may also require the parties to engage nationally renowned forensics firms and to respond promptly to a security incident or breach. Contractually stipulating each party’s notification obligations in the event of a breach may help clarify the parties’ responsibilities and timing with respect to notifications to government regulators and to the company’s clients.
  • Data Minimization: Lastly, the SolarWinds cybersecurity attack demonstrates that even with detailed diligence, vendors may be targeted by a breach. Contractual obligations may limit the costs associated with a breach and the downstream legal obligations, but they cannot retrieve company or customer data once it has already fallen into the hands of cyber criminals. The surest way to limit the amount of data exposed through a cybersecurity attack is to limit the amount and type of data shared between companies and vendors in the first place. This may not always be possible, but companies and vendors can work together to implement and maintain data minimization procedures that require employees and any other individuals accessing the software solution to minimize the amount and type of information provided to or generated on that solution.

The SolarWinds cybersecurity attack serves as yet another reminder that organizations must implement technical, physical and administrative safeguards to reduce the risk of suffering a breach, either directly or by a vendor, and to plan ahead in the event that a breach does occur. By assessing organizational risk and taking proactive steps when drafting software agreements, companies and vendors can be better prepared should they become the next target.

Special thanks to associates Stephanie A. Diehl and Kevin P. Milewski for their contributions to this blog post.

Nolan Goldberg

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial. Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “storytelling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).

Cybersecurity

Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and various State Attorneys General, including in multi-state investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis. Accordingly, Nolan also frequently assists companies in scoping and conducting privileged security assessments, including “dual purpose” assessments where privileged analyses are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements; and the dissolution of joint ventures. When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications; computer networking; network and computer-related security hardware and software; microprocessors; voice-over Internet protocol (“VoIP”); bar code scanners; financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices; and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment in various media outlets, including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).

Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch-Waxman Act and the Biologics Price Competition and Innovation Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.

Margaret A. Dale

Margaret Dale is a trial lawyer and first-chair litigator handling complex business disputes across a wide variety of industries, including: consumer products, media and entertainment, financial services, telecommunications and technology, and higher education. She is a former vice-chair of the Litigation Department, and heads the Department’s Data Privacy and Cybersecurity Practice Group. Margaret has been recognized since 2017 in Benchmark Litigation’s Top 250 Women in Litigation.

Margaret’s practice covers the spectrum of complex commercial disputes, including privacy and data security matters, as well as disputes involving M&A, intellectual property, bankruptcy and insolvency, securities, corporate governance, and asset management.

Margaret regularly counsels clients before litigation commences to assess risk, adopt strategies to minimize or deflect disputes, and resolve matters without going to court.

Margaret is a frequent writer, including authoring a regular column on corporate and securities law in the New York Law Journal. She also serves as the lead editor of Proskauer’s blog on commercial litigation, Minding Your Business. She also authored the chapter titled “Privileges” in the treatise Commercial Litigation in New York State Courts (Haig, 5th ed.), as well as the chapter titled “Data Breach Litigation” in PLI’s Proskauer on Privacy.

Margaret maintains an active pro bono practice advocating on issues relating to women, children and veterans. She serves on the Board of Directors of CFR (Center for Family Representation), VLA (Volunteer Lawyers for the Arts), JALBC (Judges and Lawyers Breast Cancer Alert), and the City Bar Fund.

Jeffrey Neuburger

Jeffrey Neuburger is a partner, co-head of the Technology, Media & Telecommunications Group, a member of the Privacy & Cybersecurity Group and editor of the firm’s New Media and Technology Law blog.

Jeff’s practice focuses on technology, media and advertising-related business transactions and counseling, including the utilization of emerging technology and distribution methods in business. For example, Jeff represents clients in online strategies associated with advertising, products, services and content commercialized on the Internet through broadband channels, mobile platforms, broadcast and cable television distribution and print publishing. He also represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements.

Serving as a collaborative business partner through our clients’ biggest challenges, Jeff is part of the Firm’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team helping to shape the guidance and next steps for clients impacted by the pandemic.