RE: Pen test - Attorney client Privilege?

From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Oct 19 2005 - 19:19:41 EDT


Hi

Privilege is the right to refuse to divulge information obtained in a
confidential relationship. I have some knowledge of Civil or Roman Law
(as the US) but would forgo commenting on this. In the case of common
law jurisdictions (eg Australia and the UK) there are particular
circumstances for privilege as confidential communication;

        journalist's privilege
        privilege against self-incrimination
        reporter's privilege
        deliberative process privilege
        executive privilege
        informant's privilege (eg whistle blower legislation)
        qualified privilege and absolute Privilege

To cover each of these individually, Informant's privilege, journalist's
privilege, and reporters privilege fail to apply. Thus we can disregard
these all together.

Next, privilege against self-incrimination will not apply. You have the
right to not mention the Pen Test in certain situations, but not to
withhold a document. You could forgo telling the court that you
deliberately ignored the results of a pen test for example. This would
not stop the test being reviewed by an external party and expert
witnesses being used to comment on your judgement etc.

This leaves two types of privilege where confidential communication is
defined statement made to a defined person, eg a physician, solicitor or
barrister (attorney for those in the US), priest (or Rabbi, Vedas etc),
or spouse (and this is not always covered). The person in this instance
cannot be legally compelled to divulge the information.

This is a clear process where I am making the assumption that the legal
council is not the Pen Tester.

A deliberative process privilege is a privilege exempting a government
body (agency, dept. etc) "from disclosure (as in discovery) of
government agency materials containing opinions, recommendations, and
other communications that are part of the decision-making process within
the agency"

Executive privilege is the "principle that members of the executive
branch of government cannot legally be forced to disclose their
confidential communications when such disclosure would adversely affect
the operations or procedures of the executive branch". This would apply
to the office of the President in the US or the Legislative council in
Australia.

What is wanted is to argue that a Pen Test is an absolute Privilege - "A
privilege that exempts a person from liability esp. for defamation
regardless of intent or motive". An example is a privilege that exempts
high public officials from liability for statements made while acting in
their official capacity without regard to intent or malice - such a
privilege covers members of parliament while parliament is in sitting.
Pen Testing is never covered by this unless we are talking about a
minister doing this for some reason - and than this would be shaky
ground.

There could be selected uses of "qualified privilege". This would not
help in criminal cases, but may have some bearing in a civil case. Also
called "conditional privilege" this may be defeated by demonstrating
actual malice. Thus deliberate disregard. The document would in this
case be delivered to the court (failure is contempt) and the Judge would
decide on the admissibility.

Generally (at least in common law jurisdictions - I can not talk for
civil law jurisdictions) the document (i.e. the Pen Test report) would
be admitted subject to weight. The Judge does not however need to
instruct council how much weight is being placed on the evidence.

A Pen Test Report is conducted for reasons other than legal instructions
or advice. The argument that we did this to assess the firms liability
could open the defendant to criminal sanctions. The absolute duties of
the companies executive (i.e. directors) could be used to make this
information divulged and failure to do so may have repercussions of a
criminal nature.

>From a CISP/VISA etc perspective - audit or pen test materials need to
be disclosed and available for independent review. Thus they would be
excluded from privilege of any sort. They could be considered
confidential in some cases - but they would be open to the court.

Testing for SOX (3.2 and 404) is similarly open to discovery for similar
reasons.

In certain jurisdictions, where there is no agency issue with the
company (i.e. the directors are also the shareholders and the company is
not public) there may be an argument for limited privilege (i.e.
conditional). Withholding information on vulnerabilities that where not
fixed however (eg A failed audit/pen test) from a suit brought by
disgruntled clients with stolen information from your companies failure
is clearly a demonstration of malice. Thus this would result in
discovery being allowed subject to weight.

To sum it up - I see more issues as a result of trying to hide the test
than would otherwise be an issue for the company.

Craig

-----Original Message-----
From: Paul Robertson [mailto:compuwar@gmail.com]
Sent: 20 October 2005 8:08
To: Craig Wright
Cc: pen-test@securityfocus.com; rob havelt
Subject: Re: Pen test - Attorney client Privilege?

On 10/19/05, Craig Wright <cwright@bdosyd.com.au> wrote:
[snip a buncha stuff I agree with]

> Discovery could request the reports directly from the Pen Tester -
> thus by passing privilege any way.

Previous disclaimers apply- but here's my understanding-

Who you get the information from doesn't change its protection unelss
it's been disclosed outside of the necessary participants- in which case
privilege is lost.

For instance, when I work on an affidavit for a client with their
counsel, it's generally still protected material so long as only the
counsel, myself and the client are party to the work product. Once it's
filed, the affidavit itself is not protected (unless it's under
seal,) but the work product that got us to the final version is
protected to a very large extent.

My analysis of opposing counsel's affidavit is probably a better
example, but I don't do that all too frequently (lack of interesting
engagements.)

It shouldn't matter if you go after me, the client or the attorney-
privilege is extended under the correct circumstances to the
communication, as it's done with counsel in preparation for a lawsuit.

Paul

--
www.compuwar.net
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:04 EDT