On 10/19/05, Lyal Collins <lyal.collins@key2it.com.au> wrote:
I'm not a lawyer either, but see a couple of interesting twists to this
approach, in some situations.
I'm still not a lawyer...
In the case of the credit card PCI standard, evidence of
vulnerability/pen-test activities need to be made available to the
accredited PCI auditor (for mid-large sites, anyway).
Taking this to one possible extrapolation, will the lawyers be providing
relevant statements regarding conduct of tests to the PCI auditor who then
relies upon these statements for their own legal indemnity in making
statements towards the site's PCI compliance?
Are the lawyers going to make assessments as to the meanings and outcomes of
the pen/vuln testing to PCI or other auditors?
Does this make lawyers involved in liability to one or more third parties
with whom the law firm (usually) has no commercial, contractual or legal
relationship (e.g. Acquiring Bank, Card Scheme, PCI Auditor)?
Would/could this cause the confidentiality shield to be punctured?
Yes, it would. According to my research, disclosure to any 3rd party
not directly involved in the litigation or pre-litigation process on
behalf of the client or the client's counsel invalidates privilege.
Paul
--
www.compuwar.net
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
