Data Breach Incidents and Attorney-Client Privilege

Data breach incidents are a continuing threat to modern commercial activities.  Almost every company of every size is affected by data breaches.  Large companies are obvious targets due to the size, nature and scope of their data collection practices.  Similarly, small companies that often serve as vendors are targeted as gateways into larger companies and government agencies.  Data breach is the modern equivalent of the employment lawsuits that developed in the 1970s and 80s.  Every company needs to be familiar with the laws and implement procedures to reduce liability.

The good news with respect to data breach incidents is that the attorney-client privilege and attorney work product doctrine are powerful tools that companies can use to effectively and honestly examine their cybersecurity holes, prepare for breaches and respond to breaches without providing evidence that could be used to establish liability.  This is very important because most companies have serious security gaps and poor security hygiene.  Without the protection of privilege, companies would be stuck in the classic Catch-22.


First, what is the scope of the two applicable privileges?  Attorney-client privilege protects communications between clients and lawyers for the purpose of providing legal advice.  The work product privilege applies to materials prepared in connection with litigation or in preparation for litigation.  Both privileges are rather broad and appropriate to apply to data breach incident preparation.

Data breach preparation and planning is a crucial exercise.  This entails identifying security weaknesses, drafting plans to remedy them, and penetration testing.  The privilege promotes open communication among stakeholders, which strengthens the efficacy of incident preparation and response.

Outside counsel should be retained to spearhead all incident preparation efforts so that the work may fall under the privileges.  Assignments and tasks should be structured by counsel.  Team members need to funnel all reports and communication through counsel to preserve privilege.  All third-party vendors should be retained by outside counsel.  These vendors are key as they are often used for forensic analysis and penetration testing.

The privilege is not unlimited.  Routine operational tasks are typically not covered by the privilege.  That is why it is critical to define operational tasks at the outset, in order to properly plan which tasks can integrate counsel and be dropped into the privilege bucket.  It is harder to protect preparation activities that are performed before a data breach than it is once a breach occurs.  Remember, the privilege only protects activities performed in anticipation of litigation.  The upside of increasing regulation in this space is that it makes the privilege argument easier as there are more laws and agencies that must be navigated for compliance.

Data breach and privacy attorneys are of the greatest value before the breach occurs.  This is the time when liability can be severely limited.  The biggest differentiators in the cost of a data breach incident are preparation activities like a canned response team, proper insurance and penetration testing.  All of this work must be protected by the privilege because odds are that deficiencies will have been discovered in the pre-breach preparation process.  Such facts are often seized upon by clever class action attorneys and peppered throughout a complaint.  These bad facts can often influence a judge’s opinion or convince a plaintiff’s lawyer to take a case that normally would not be appealing.  In other words, the proper and thoughtful application of the privileges may prevent catastrophic damages in the tens of millions.