RE: Pen test - Attorney client Privilege?

From: Lyal Collins (lyal.collins@key2it.com.au)
Date: Wed Oct 19 2005 - 08:51:04 EDT


I'm not a lawyer either, but see a couple of interesting twists to this
approach, in some situations.

In the case of the credit card PCI standard, evidence of
vulnerability/pen-test activities needs to be made available to the
accredited PCI auditor (for mid-large sites, anyway).

Taking this to one possible extrapolation, will the lawyers be providing
relevant statements regarding conduct of tests to the PCI auditor who then
relies upon these statements for their own legal indemnity in making
statements towards the site's PCI compliance?

Are the lawyers going to make assessments as to the meanings and outcomes of
the pen/vuln testing to PCI or other auditors?
Does this make lawyers involved in liability to one or more third parties
with whom the law firm (usually) has no commercial, contractual or legal
relationship (e.g. Acquiring Bank, Card Scheme, PCI Auditor)?
Would/could this cause the confidentiality shield to be punctured?

Of course, this is just ramblings on topics I'm not skilled in - but it
looks like anything could happen in PCI environments, imho.

Lyal

-----Original Message-----
From: Paul Robertson [mailto:compuwar@gmail.com]
Sent: Sunday, 16 October 2005 10:50 PM
To: rob havelt
Cc: pen-test@securityfocus.com
Subject: Re: Pen test - Attorney client Privilege?

Disclaimer: I am not a lawyer and I don't play one on the 'Net.

On 10/15/05, rob havelt <rob@cobal.org> wrote:
> Hi All,
>
> Lately I've been seeing some stuff on the legal end of Penetration
> Testing, and have had some clients ask, and I thought that it would be
> an interesting question to pose to the list.
>
> Mainly I've been seeing articles like this one:
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358&ad=530198USCA
>

Frankly, I'm surprised Shawna wrote that without any dissenting opinion.
I've spent some time doing some research on privilege (it seems to me to be
a good shield when doing computer forensics, where generally we're working on
evidence for a case or in preparation for a case.) It doesn't seem to me that
pen-testing can be construed as such except in a very narrow set of
circumstances. I don't know who else Shawna talked to for the story, or if
her research says something other than mine, so I'm going to try to drag her
into this discussion via BCC; hopefully if she responds the list moderators
will let it through if she's not subscribed to the list.

> That suggest that a penetration test should be commissioned by, and
> the results delivered to an organization's legal department in such a
> way where the results of the test will be covered by attorney client
> privilege...

Nice thought, however privilege isn't blanket and generally is extended only
to things where (a) they're directly related to legal advice or litigation
and (b) the attorney is acting as counsel *not* as a corporate officer. In
this case, I'd think you'd trip both of those exceptions rather quickly by
running the contract through the legal department.

"Hey, we need some legal advice on the vulnerability of our network" seems
to be a pretty large stretch to me. Enron would have been difficult to
catch if they'd just gotten more legal advice on their accounting practices,
trading practices and oversight, eh?

For the SDNY's take on this, see:

http://www.torys.com/publications/pdf/CM1996-1N.pdf

If you look at the citations, you'll quickly come to the conclusion that at
least in the 2nd circuit the courts would take a dim view of such attempts
to cover business process with privilege.

> The main crux of the suggestion was to insulate an organization
> against the liability of not implementing all the suggestions and
> recommendations in the report - I.E. if they were sued later the
> results of the penetration test would be available to the plaintiff
> during the discovery process under normal circumstances - the test was
> commissioned by the IT or Risk Management department, but it would be
> privilege info if it were commissioned by legal...

If shielding common business practice by routing it through the legal
department were possible, then *everything* would go through the legal
department. The courts have become increasingly wary of granting privilege
over the years, and such abuse is likely to be summarily dealt with by the
bench.

I wonder if the folks cited in the article have really done any homework on
this, or if they're simply outside counsel looking for billable hours? Next
thing someone will suggest the lawyers actually *do* the testing.

> Has anyone faced this in their client interactions? Or done this
> before? How does setting that up look exactly?
>
> And does anyone have any thought of the effectiveness of this?

IMO, zero. Privilege is extended to communications made in confidence
between two parties for the purpose of obtaining or providing legal
assistance to the client; I don't think pen testing meets the bar of legal
assistance. You'd also be hard-pressed to make a 5th amendment argument,
which is the other potential bar I found in my research.

Now, each state has its own statutes, so there may be a state or two where
the statute provides some wiggle room for shielding, but overall I think
it's disingenuous to think that just having a legal department do the
contracting is going to shield the results from legal discovery during due
process. Judges sign discovery orders, and they're not all that likely to
limit the power of due process without a compelling reason.

> To me it seems like that would be a very easy way to get an
> unfavorable report buried very quickly so that it ostensibly has no
> visibility in the organization. I've also wondered how the results are
> communicated between say, legal and the IT group or the rest of the
> organization in this case?
>
> Anyway, just something I though was interesting is all...

Frankly, if I were asked about something like this, I'd advise going after
the pen-test company first; if they recommended it, handing out legal advice
might be an issue.

If the client wants to do things that way, I'd suggest revamping your
contracts to plant defense and discovery costs firmly in their court.
Though if you're contracting with legal, expect your pre-sales legal work to
skyrocket, and contract negotiations to be a lot more difficult, and terms
not as favorable. I don't expect lawyers to hold to generic contracts when
they're one of the contracting parties.

Paul

--
www.compuwar.net


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:04 EDT