Publications
February 19, 2019

Does Attorney-Client Privilege Extend to Penetration Testing?

By Scott T. Lyon
Risk Management

The attorney-client privilege is a bedrock of jurisprudence, with communications by and between lawyer and client being protected from compelled disclosure to any third party. But in this age of high-profile data breaches and resulting technical statutes and regulations mandating that organizations adopt and implement comprehensive information security programs, is there anything akin to the attorney-client privilege that extends to cybersecurity professionals providing services such as penetration testing? If they are not retained to provide legal advice, the answer is a resounding no.