Legal privilege is a crucial substantive right and a cornerstone of the legal system. It enables a company to communicate openly with its lawyers about a data breach in order to seek candid legal advice, without risk of these interactions and accompanying records being disclosed to others.
When a company suffers a cybersecurity breach, it’s vital to take the appropriate measures to preserve the attorney-client privilege and work product, especially if the company confronts government inquiries or litigation. Courts are interpreting the privilege more narrowly, and they can order a company to divulge information in litigation that it thought was confidential, such as details on how a company was hacked and how many of its clients were affected.
To protect communications and work products, companies should show that they were created for legal counsel or in anticipation of litigation, rather than for ordinary commercial purposes.
Here are five critical steps that businesses should take to preserve privilege during a cyber-attack.
Include legal counsel from the start
Every part of a breach investigation should be led and supervised by counsel. In-house counsel should be alerted as soon as a cyber-issue occurs or is suspected. However, because in-house counsel frequently provide both business and legal advice, it is prudent to retain outside counsel as well, since several countries only apply the privilege to investigations involving external counsel.
Third parties should be retained by counsel
Third parties, such as forensic teams, should be retained with a retainer agreement that states the third party is being retained to assist counsel in giving legal advice in anticipation of litigation. If a company hires them directly, a court is more likely to find that their work was prepared in the ordinary course of business.
Have a separate vendor agreement in place for data breach response
Vendors are hired to handle everything from penetration testing to audits for businesses.
If an organization uses the same vendor to respond to a cyber-event, breach counsel should retain that vendor under a separate agreement that clearly distinguishes the incident-specific scope of work from the pre-existing business relationship. If a separate statement of work is used for breach response rather than a master services agreement, communications and work products are more likely to remain confidential.
Restriction on the dissemination of protected information
Organizations should not share forensics reports or other confidential communications with anybody other than those who need to know. This includes avoiding using the information for commercial purposes such as public relations or answering shareholder questions. Distribution should be tracked so that the organization can demonstrate that dissemination was restricted. If more information needs to be disclosed, businesses should do so in a way that does not jeopardize privilege or work-product protection.
Even if the information is protected, continue to be vigilant against the risk of disclosure
Although privilege might prevent disclosure, businesses should presume that protected information can be disclosed. As a result, avoid speculating, addressing things that are outside the scope of a cyber-event, and including damaging business information that is unrelated to the investigation in protected communications and work product.
What constitutes attorney-client privileged information or work product is continuously changing under the law. Nonetheless, appropriate practices can reduce the likelihood of disclosure. Retaining counsel, who subsequently retains third parties with agreements tailored to incident response, is critical after detecting an event.
Similarly, during investigations, separating business and legal analyses is crucial, as is delivering reports only to those who need to know and paying legal charges from legal budgets. Finally, and perhaps most critically, organizations can minimize the quantity of information that is at risk of exposure in the first place by assuming disclosure is possible.