The privilege waiver effect of voluntary disclosures to the Government after CISA

images-1The Cybersecurity Information Sharing Act of 2015 (CISA) in broad terms allows companies to monitor and cyberthreats. In particular, under CISA companies can share with DHS Cybersecurity threat indicator (CTI) and Defensive measures (DM). More on CISA here.

CISA is a voluntary program for companies but if they participate, they obtain significant benefits from monitoring and sharing. In particular, disclosing companies obtain protection under several perspective, e.g.. antitrust, limited regulatory use, waiver of privilege and FOIA protection.

I will focus on attorney client-privilege protection.

While there is no case law as yet, CISA is quite clear in excluding a waiver of the privilege when disclosing information under the act.

Section 105(d)(1) Information Shared With Or Provided To The Federal Government:

(1) NO WAIVER OF PRIVILEGE OR PROTECTION. The provision of cyber threat indicators and defensive measures to the Federal Government under this title shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.

While CISA has this privilege protection built in the law, generally voluntarily disclose of information to a governmental agency almost always constitute a waiver of the attorney-client privilege. Because companies might obtain advantages from the voluntary disclosure (voluntary disclosure to the DOJ might result in a reduction of penalties), the decision whether to disclose, so jeopardizing the privilege, to obtain those benefits, is a difficult one.   Some parties have tried to limit the risk of privilege waiver by entering into non-waiver agreements with the government. It has rarely worked. See In re Columbia/HCA Healthcare Corp. Billing Practices Litig., 293 F.3d 289, 295-304 (6th Cir. 2002), making the point that majority of courts reject the selective waiver doctrine. The Sixth Circuit correctly pointed out that the attorney- client privilege “is not a creature of contract, arranged between the parties to suit the whim of the moment”.

Disclosure under CISA does not put disclosing parties in such a between-a-rock-and-a-hard-place position.

Consider however that the material that you disclosure, might not be covered by attorney client privilege or work-product protection, to begin with. See the definition of CTI (Section 102(6) and DM Section and 102(7)). Therefore, one should not be lulled into believing that CISA might be a blank statement of protection of what you disclose.

For more information, Nathan M. Crystal & Francesca Giannoni-Crystal.