Robert Anderson, a shareholder at Lindabury, McCormick, Estabrook & Cooper and a member of the firm’s Cybersecurity & Data Privacy practice group was recently questioned by Tom Hughes of ROI-NJ, regarding the reasons a business should consult an attorney to oversee cybersecurity planning and preparation. In short; the answer is: attorney-client privilege.
If you have a breach and your company gets sued — and it will, Anderson said — having all of your preparation protected could result in huge savings of both money and reputation. Anderson, speaking at a recent ROI-NJ Thought Leadership Series panel, explained how. “When you’re first starting to put together a program to protect your company, one of the things that you will typically want to do is hire someone called an ethical hacker, who will try to get into your system,” he said. “The results of this kind of a penetration testing that determines the vulnerabilities and weaknesses in your system will be in a report that goes on for pages and pages of all the problems in your system. If you do end up with an attack and end up in litigation, Exhibit A in the litigation is going to be this detailed report that shows all the vulnerabilities of your system, and they’ll be able to see how you elected to prioritize the problems. “The litigants are then going to say you knew you had these vulnerabilities and spot the one you didn’t fix.” Having legal counsel order the penetration test would likely shield that document by virtue of attorney-client privilege, Anderson said.