This article appeared in the Spring 2010 issue of The Secure Times, the newsletter of the American Bar Association Section of Antitrust Law’s Privacy and Information Security Committee. The article discussed the application of attorney-client privilege and self-evaluative privilege, and suggested best practices to increase the chances that an audit report will be protected from disclosure. While a rigorous data security and privacy audit can identify and help a company to remedy vulnerabilities in its systems and policies, a written audit report can pose its own dangers if obtained by civil litigants or regulators seeking to build a case against the company.

Data Security and Privacy Audits: Steps to Protect Reports