Not all communications are considered privileged
Not all privileged conversations can be kept from the court
There are cases where so called "privileged" information can be made
available in discovery. It depends on the nature of the information.
Often this will be delivered to the court and the judge will decide if
it should remain closed
A Pen test is highly unlikely to remain in this form
Discovery could request the reports directly from the Pen Tester - thus
by passing privilege any way.
-----Original Message-----
From: Paul Robertson [mailto:compuwar@gmail.com]
Sent: 19 October 2005 11:01
To: Lyal Collins
Cc: rob havelt; pen-test@securityfocus.com
Subject: Re: Pen test - Attorney client Privilege?
On 10/19/05, Lyal Collins <lyal.collins@key2it.com.au> wrote:
I'm not a lawyer either, but see a couple of interesting twists to
this approach, in some situations.
I'm still not a lawyer...
In the case of the credit card PCI standard, evidence of
vulnerability/pen-test activities need to be made available to the
accredited PCI auditor (for mid-large sites, anyway).
Taking this to one possible extrapolation, will the lawyers be
providing relevant statements regarding conduct of tests to the PCI
auditor who then relies upon these statements for their own legal
indemnity in making statements towards the site's PCI compliance?
Are the lawyers going to make assessments as to the meanings and
outcomes of the pen/vuln testing to PCI or other auditors?
Does this make lawyers involved in liability to one or more third
parties with whom the law firm (usually) has no commercial,
contractual or legal relationship (e.g. Acquiring Bank, Card Scheme,
PCI Auditor)?
Would/could this cause the confidentiality shield to be punctured?
Yes, it would. According to my research, disclosure to any 3rd party
not directly involved in the litigation or pre-litigation process on
behalf of the client or the client's counsel invalidates privilege.
Paul
--
www.compuwar.net
------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
