Adoption of the Cyber Security Act at the end of 2015 spurred new interest in sharing of cybersecurity threat indicators. The act encouraged companies to share cybersecurity information by offering liability protections for sharing conducted under the act.
As they expand their sharing on security information, companies are relying more on companies that create products and services to make information sharing more efficient and practical. I’m on the advisory board of one such company, TruSTAR Technology. TruSTAR makes a product that standardizes and anonymizes reports of cybersecurity incidents; the reports can then be shared with other companies in a highly controlled fashion. The control allows companies to expand their level of trust and comfort with sharing at their own pace. It’s an effective and inexpensive way for companies to share cybersecurity information, not just with other companies but with other parts of their own companies.
But turning over this data to a third party, even with anonymization in place, usually brings company lawyers to the table. In an era when Microsoft, Google, Amazon and Apple have all had high-profile court fights with law enforcement over customer data, most in-house lawyers want to know whether they are opening their data to subpoenas served on third-party suppliers, including those who facilitate information sharing.
It’s a legitimate concern, but the risk can be greatly reduced by careful planning. First, most third-party data processors recognize that the data they handle is not theirs. It remains the property of their customer. It is almost always better for everyone if law enforcement or civil litigants serve their discovery requests on the party that owns the data. Only the owner knows the context and meaning of the material. Only the owner can search it efficiently and at the least cost. Only the owner knows which material is privileged and should not be produced.
These are not just practical arguments for dealing with the law enforcement agency that serves the subpoena. They are legal defenses that can be raised by the third-party service provider that receives the subpoena. Third parties are often in a better position to resist subpoenas than litigants or the subjects of investigation, because the third parties are strangers to the dispute. So a subpoena served on them is akin to a draft notice, calling on the third party to perform free labor for a government agency. The government can do that, but the draftee is entitled to argue in court that the government is imposing an “undue burden.” That’s a particularly appealing argument when the government can get the same data from the party that owns it and is already under investigation. The fact that the third party would have to do more work than the owner to produce the same data is part of the burden-weighing exercise the court will conduct in a fight over a third-party subpoena.
To make sure its data service providers raise these arguments, a customer does need to negotiate a promise that the provider will notify the customer and resist such a subpoena in court — usually at the customer’s expense, since it’s the customer’s fight in the end. Such clauses are increasingly common in contracts for the handling of sensitive data.
One complication is the possibility that some law enforcement subpoenas will come with “gag” orders prohibiting the recipient from notifying its customer that an investigation is under way. This risk is often more theoretical than real. Gag orders are typically used to collect evidence without alerting the suspect that he is under surveillance. That makes sense with individual or even organized crime suspects. It makes less sense in the context of corporations of the sort that purchase data services. Rarely if ever will a corporation be so steeped in criminal intent that its security officers and data clerks cannot be trusted to comply with a subpoena, including any limits on informing the targets of the investigation.
Theoretical though the scenario may be, it does come up during contract talks. And it can be addressed there. For example, the service provider can promise that it will resist not only the subpoena but also the gag order in court. Gag orders are routinely challenged these days by Silicon Valley firms defending their customers, and a body of law restricting such orders is developing. Any service provider can promise its customer by contract that it will take advantage of that body of law to resist a gag order.
Given how seldom third parties receive such subpoenas, let alone subpoenas with gag orders, it may not make sense to spend a lot of time negotiating over this contingency, but it’s not too hard to find a provision that is fair to both sides. For example, in return for promising to fight a gag order, the third party might ask for an assurance that, once it can notify its customer, it can also expect the customer to pay the costs incurred in defending its customer’s rights.
Another fact pattern that can arise concerns cybersecurity information that has been gathered under the lawyer-client and attorney work-product privilege. Sometimes the company that collected it needs a third party to assist in sharing the information efficiently. That can be done without waiving the privilege, just as an in-house counsel can use a contract secretary to type his memos without waiving their privilege. Services that are provided to lawyers to assist them in advising their clients can be performed under the privilege, as long as the parties to the service agreement take care to meet the requirements of privilege. If the privilege is properly maintained, information maintained by a third party for company lawyers is as well protected as information stored in the files behind their desk.
In short, while corporate lawyers are right to ask tough questions about the new breed of information sharing service providers, there are often good answers to those questions.