Businesses have a major need to assess their own cybersecurity risks, and to openly exchange internal information within the company to effectively address and mitigate an actual breach situation. Yet a company’s internal assessments of its own weaknesses and the holes in its cybersecurity protections can, ironically, actually expose the company to even greater danger in future security breach litigation. A company’s good faith internal report of its cybersecurity weaknesses can potentially serve as almost an admission that it has found its cybersecurity protections for personal and confidential data to be inadequate.
Similarly, it is of extreme importance that, in the midst of dealing with a cyber breach event, the company’s personnel freely exchange information related to the breach crisis situation quickly and without undue worries about how the disclosure of that information might look in a future litigation discovery proceeding.
The involvement of the company’s legal counsel in all important aspects of a cybersecurity risk assessment and breach response is crucial because of the protections that involvement can potentially provide the company under the doctrines of (i) attorney-client privilege, and (ii) work product protection.
The “attorney-client privilege” protects against the future disclosure of confidential communications between attorneys and their clients that relate to a request for legal advice. For the attorney-client privilege to apply, the attorney must be involved and be central to the communications. The attorney-client privilege can protect communications relating to a cybersecurity risk investigation which is primarily designed to gather facts a lawyer needs to provide the company with the legal advice it has sought. This can be enormously important in the context of future litigation arising out of a cybersecurity issue.
As part of a company’s retention of an attorney to address compliance with cybersecurity laws, the engagement of third-party cybersecurity consultants should be done with attorney involvement (and there should be language in the consultant’s agreement that the work is being done in conjunction with the company obtaining legal advice). The attorneys should be included on all e-mails and other correspondence between the company and its cybersecurity consultants.
Similarly, when addressing an actual breach situation, it is absolutely crucial that the company’s attorney be involved in all communications dealing with the breach and evaluating the legal compliance issues it creates. Attorney-client privilege may be able to provide protections from disclosure of the communications occurring in investigating the breach and discussions of how best to mitigate and address the potential damage. This in turn can help make all the participants at the company feel more comfortable speaking freely about what has happened, resulting in a more effective response to the situation.
There are various nuances to the attorney-client privilege protections, and the privilege can be lost if the individuals involved do not act carefully. Companies should work closely with their attorneys to ensure that the privilege is not inadvertently lost through failure to take such nuances into account.
The “work product doctrine” can protect documents relating to an investigation if the company was in (or anticipated) litigation at the time, and the documents’ creation was primarily motivated by such litigation matters (rather than by some other purpose). If documentation falls within the work product doctrine, then disclosure of that documentation in a litigation context may potentially be avoided. The work product doctrine has various limitations, however. A litigant against a company in a cybersecurity breach situation may be able to overcome the protections of the doctrine if the litigant can make the case that it needs the particular documents and cannot obtain the substantial equivalent of such documentation without undue hardship.
The bottom line is that the attorney-client privilege and work product doctrine are crucial means for a company to protect itself in cybersecurity compliance and breach situations. Close collaboration between the company and its attorneys is essential.