RE: Pen test - Attorney client Privilege?

From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Oct 19 2005 - 17:44:28 EDT


Not all communications are considered privileged

Not all privileged conversations can be kept from the court

There are cases where so called "privileged" information can be made
available in discovery. It depends on the nature of the information.
Often this will be delivered to the court and the judge will decide if
it should remain closed

A Pen test is highly unlikely to remain in this form

Discovery could request the reports directly from the Pen Tester - thus
by passing privilege any way.

-----Original Message-----
From: Paul Robertson [mailto:compuwar@gmail.com]
Sent: 19 October 2005 11:01
To: Lyal Collins
Cc: rob havelt; pen-test@securityfocus.com
Subject: Re: Pen test - Attorney client Privilege?

On 10/19/05, Lyal Collins <lyal.collins@key2it.com.au> wrote:
> I'm not a lawyer either, but see a couple of interesting twists to
> this approach, in some situations.

I'm still not a lawyer...

>
> In the case of the credit card PCI standard, evidence of
> vulnerability/pen-test activities need to be made available to the
> accredited PCI auditor (for mid-large sites, anyway).
>
> Taking this to one possible extrapolation, will the lawyers be
> providing relevant statements regarding conduct of tests to the PCI
> auditor who then relies upon these statements for their own legal
> indemnity in making statements towards the site's PCI compliance?
>
> Are the lawyers going to make assessments as to the meanings and
> outcomes of the pen/vuln testing to PCI or other auditors?
> Does this make lawyers involved in liability to one or more third
> parties with whom the law firm (usually) has no commercial,
> contractual or legal relationship (e.g. Acquiring Bank, Card Scheme,
PCI Auditor)?
> Would/could this cause the confidentiality shield to be punctured?

Yes, it would. According to my research, disclosure to any 3rd party
not directly involved in the litigation or pre-litigation process on
behalf of the client or the client's counsel invalidates privilege.

Paul

--
www.compuwar.net
------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:04 EDT