Center for Applied Cybersecurity Research

Lessons lost: how lawyers undermine cybersecurity investigations

Co-hosted with the Luddy School and the Hamilton Lugar School

Lawyers lead the investigations for many cybersecurity incidents, ranging from data breaches to ransomware, in part because they can often shield any materials produced after a breach from discovery under either attorney-client privilege or work product immunity.

Moreover, by limiting and shaping the documentation that is produced by breached firms’ personnel and third-party consultants in the wake of a cyberattack, attorneys can limit the availability of potentially damaging information to plaintiffs’ attorneys, regulators, or media, even if their attorney-client privilege and work product immunity arguments falter.

This talk draws on a project involving over sixty interviews with a broad range of actors in the cybersecurity landscape—including lawyers, forensic investigators, insurers, and regulators—to explore the impact of legal leadership on cybersecurity investigations and reveal how, in their zeal to preserve the confidentiality of incident response efforts, lawyers may sometimes undermine the long-term cybersecurity of both their clients and society more broadly.

Bio

Josephine Wolff is associate professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University. Her research interests include liability for cybersecurity incidents, international Internet governance, cyber-insurance, cybersecurity workforce development, and the economics of information security. Her first book You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches was published by MIT Press in 2018. Her second book Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks was published by MIT Press in 2022. Her writing on cybersecurity has also appeared in Slate, The New York Times, The Washington Post, The Atlantic, and Wired. Prior to joining Fletcher, she was an assistant professor of public policy at the Rochester Institute of Technology and a fellow at the New America Cybersecurity Initiative and Harvard's Berkman Klein Center for Internet & Society.