White Hat Privilege: The Legal Landscape for a Cybersecurity Professional Seeking to Safeguard Sensitive Client Data

White Hat Privilege: The Legal Landscape for a Cybersecurity Professional Seeking to Safeguard Sensitive Client Data

The law affords unique protections to communications between a lawyer and client, commonly referred to as the "attorney-client privilege." This tool is indispensable because a lawyer can best advocate for a client when the client is free to disclose both the good and the bad. The law affords similar protections to communications between a physician/therapist and patient.

Cybersecurity professionals have no equivalent. This is true despite the fact that cybersecurity professionals are regularly entrusted with more sensitive information (about an individual/company) than what is entrusted to a lawyer or doctor. Security consultants can hold their clients' darkest secrets, or perhaps information that could "bring down" the company. These professionals are asked to find flaws, infiltrate networks, gather sensitive data, and document exactly how it happened, all-the-while contemplating how to use the information to the worst detriment of the target.

Although security consultants have no straightforward legal privilege for protecting client data, they may have the best mechanism of all: White Hat Privilege. By using this term, the speakers submit that a white hat professional is perhaps able to utilize technical savvy to implement technological solutions to the problem of protecting client data while staying within the confines of the law.

In this talk, we will examine the legal landscape for cybersecurity professionals seeking to safeguard a clients' sensitive client data. We will cover issues including contract formation, risk allocation, and other legal issues that arise during formation of services contracts. We will pivot to legal regimes for handling PII, cross-border data transfers, IP rights, and export-control issues. And because security professionals are not static beings, we will also examine border crossings, including authority of TSA/Customs to search and seize devices that might hold client data. While examining these issues, where possible, we will discuss potential technological solutions to legal problems.

Presented by