Penetration Testing mailing list archives
Re: Pen test - Attorney client Privilege?
From: Paul Robertson <compuwar () gmail com>
Date: Wed, 19 Oct 2005 09:00:48 -0400
On 10/19/05, Lyal Collins <lyal.collins () key2it com au> wrote:
I'm not a lawyer either, but see a couple of interesting twists to this approach, in some situations.
I'm still not a lawyer...
In the case of the credit card PCI standard, evidence of vulnerability/pen-test activities need to be made available to the accredited PCI auditor (for mid-large sites, anyway). Taking this to one possible extrapolation, will the lawyers be providing relevant statements regarding conduct of tests to the PCI auditor who then relies upon these statements for their own legal indemnity in making statements towards the site's PCI compliance? Are the lawyers going to make assessments as to the meanings and outcomes of the pen/vuln testing to PCI or other auditors? Does this make lawyers involved in liability to one or more third parties with whom the law firm (usually) has no commercial, contractual or legal relationship (e.g. Acquiring Bank, Card Scheme, PCI Auditor)? Would/could this cause the confidentiality shield to be punctured?
Yes, it would. According to my research, disclosure to any 3rd party not directly involved in the litigation or pre-litigation process on behalf of the client or the client's counsel invalidates privilege. Paul -- www.compuwar.net ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Pen test - Attorney client Privilege? rob havelt (Oct 15)
- Re: Pen test - Attorney client Privilege? Paul Robertson (Oct 16)
- Message not available
- Re: Pen test - Attorney client Privilege? rob havelt (Oct 16)
- Message not available
- RE: Pen test - Attorney client Privilege? Lyal Collins (Oct 19)
- Re: Pen test - Attorney client Privilege? Paul Robertson (Oct 19)
- Re: Pen test - Attorney client Privilege? ma.teo (Oct 19)
- Re: Pen test - Attorney client Privilege? Thor (Hammer of God) (Oct 19)
- Re: Pen test - Attorney client Privilege? Paul Robertson (Oct 16)
- <Possible follow-ups>
- RE: Pen test - Attorney client Privilege? Craig Wright (Oct 19)
- RE: Pen test - Attorney client Privilege? Craig Wright (Oct 19)
- RE: Pen test - Attorney client Privilege? Craig Wright (Oct 19)
- RE: Pen test - Attorney client Privilege? Craig Wright (Oct 19)
- RE: Pen test - Attorney client Privilege? Craig Wright (Oct 19)
- Re: Pen test - Attorney client Privilege? Paul Robertson (Oct 19)
- RE: Pen test - Attorney client Privilege? Craig Wright (Oct 20)