Attorney–Client Privilege and Data Breaches

Your company has just been hacked. Awaiting you are hundreds of hours of work putting your network back together, investigating the damage, and dealing with affected customers. After all that, you may well have to defend a multimillion-dollar lawsuit.

Now well into the trial, you watch in horror as the cybersecurity expert you hired is cross-examined. “Why is this happening?” you think. “Isn’t there something called attorney–client privilege?”

There is, but it doesn’t apply here. At least not if you haven’t planned for this scenario.

It’s often assumed that any communication between the attorney and their client is privileged. It is also assumed that anything prepared by an attorney for litigation is protected by the work-product doctrine. Both assumptions are wrong.

To be entitled to the privilege, certain elements must be present, one of which is communication between privileged parties. This communication must be made in confidence and for the purpose of obtaining legal assistance.

Two-track process

In theory, the best way to protect the attorney–client privilege and the work-product doctrine is to establish a two-track process consisting of multiple cybersecurity organizations.

One track will be an in-house company hired by the victim/defendant. They will be paid as a business continuity expense, and their report will contain only bare facts and can be circulated to anyone.

The other track will be a forensic company hired by the defendant’s outside counsel specifically to help the outside counsel prepare for litigation.

The forensic company will be paid from the legal expenses account, with the payment and purpose carefully documented. Its report can contain opinions, analysis, and recommendations, but it must have a restricted and documented circulation.

If the two-track process is followed, it will be clear that the forensic company was hired to provide legal services specific to litigation. The forensic company’s report will not be created in a similar form to the in-house company’s report. Instead, it will anticipate litigation and assist in providing legal advice.

Preserving attorney–client privilege

Even with these precautions, there is still a question as to whether the privilege can be preserved. Lawyers will need cybersecurity advice to try the case, and this extends beyond simply interpreting the facts.

They will also need guidance when it comes to technical observations and recommendations on whether the organization’s practices and responses were appropriate.

Organizations are increasingly restricting efforts by lawyers to gain this information by instructing forensic companies to limit their reports or not write any final report at all.

This may protect the privilege, but it obviously inhibits the breach victim or their insurers from acting to prevent such breaches in the future.

As such, if the court feels that the defense is using privilege to limit normal discovery, it will limit the privilege.

The best way to protect attorney–client privilege is to ensure that the organization manages its response to a security incident in a consistent and effective manner. It should have a plan and know exactly what approach it will take if an incident occurs.

It should know which law firm it will retain and which forensic team it will select. The selected outside counsel and forensic team should be aware of the scope of their employment. The contents of the report (if there is to be one) should be considered.

This plan should not be set in stone. The state of the law will change along with the needs of the organization and the type of attacks it suffers, so it should be reviewed at least annually.

The best way to accomplish these goals is to adopt ISO 27001. It’s the international standard that describes best practice for information security management, and adopting its framework demonstrates the organization’s due care.

Moreover, adopting ISO 27001 should substantially lower the probability of a security breach in the first place, reducing the chances that attorney–client privilege would be needed.
