Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, the question is no longer if a data breach will happen, but when. And waiting for a breach to occur before designing and implementing a cyber incident response plan is generally a recipe for disaster. Often overlooked, however, is the need to include a carefully-crafted crisis communication or public relations strategy and to do so in a way that extends the attorney-client privilege to the crisis communication firm.
Today, data breaches are headline news events that require a swift and nimble response, often in the public eye. In light of the potentially severe reputational damage that can arise from a data breach, a thoughtful crisis communications strategy is an essential component of an incident response plan. As the steady drumbeat of recent high-profile data breaches has taught us, the chaos and flurry of activity that surrounds a major hacking incident isn’t a traditional “crisis” event. Data breaches generally are not detected until long after the fact, and hackers may have gained access to sensitive records and personally identifiable information weeks or even months before the breach is detected.
Complicating matters further, a host of communications may need to be made quickly, including potential notifications to regulators and law enforcement, correspondence with customers and media, and statements to the general public. Managing the flow and timing of public statements and information will be critical, especially if the victimized company is public and subject to U.S. Securities and Exchange Commission disclosure requirements. Hastily informing (or, worse yet, misinforming) customers and the public or having to retract statements can only serve to inflame an already tense situation. Failure to develop appropriate messaging and handle these communications promptly may also bring a loss of trust, damage to brand and reputational harm far beyond direct monetary damages.
When a data breach hits, a crisis communication team prepped and at the ready can, among other things, help a company field incoming press inquiries, establish a hotline for customer questions, manage a dedicated microsite as a clearing house for affected persons, prepare FAQs and distribute up-to-date news and information about the breach.
But simply working with an outside firm and designing a crisis communication strategy is not enough. Strong consideration must be given to the manner in which these non-lawyers are engaged and what and how information is provided to them. In engaging and working with a public relations firm in the wake of a breach, attorneys must be mindful that their relationship does not compromise the attorney-client privilege or work product doctrine. Under United States v. Kovel, 296 F.2d 918 (2d Cir. 1961), non-legal professionals may receive attorney-client privileged materials within the scope of the attorney-client privilege and communications with counsel may be protected, where those professionals are retained by counsel to provide advice and expertise that assists counsel in providing legal advice and/or services to his or her client. However, this safe harbor is tightly construed, and may not be recognized by certain courts when it comes to a public relations firm. In retaining and working with a public relations firm, attorneys must exercise caution and ensure that communications are made solely for the purpose of providing legal advice. Even so, a court may not ultimately extend the attorney-client privilege to such communications, and care should be taken in sharing information throughout the crisis communications planning and response process.
Indeed, the law is highly fact specific, with cases going either way depending on the precise role of the PR firm. For example, courts have upheld the extension of the attorney-client privilege to an outside PR firm when the impact of media coverage might influence whether criminal charges are brought and would therefore influence counsel’s strategy. In re Grand Jury Subpoenas, 219 F.3d 175 (2d Cir. 2000). In other instances, the outcome went the other way. McNamee v. Clemens, 2014 WL 6572899 (E.D.N.Y. 2013).
While there are no guarantees that a court will uphold a claim of privilege, here are some steps that a company can take to improve its odds of maintaining a privilege assertion over communications with a PR firm:
- The public relations or crisis management firm should be engaged directly by outside counsel, not the client.
- The engagement letter should be carefully written by outside counsel to make clear that:
  - the PR firm is working under the direction of outside counsel and reporting directly to the law firm;
  - all communications between the PR firm and outside counsel and/or the client’s representatives shall be confidential and made solely for the purpose of assisting counsel in rendering legal services to the client;
  - all documents and work product prepared by the PR firm are confidential and should be treated as such; and
  - the PR firm has an obligation to protect the confidentiality of the information exchanged with counsel and all documents it prepares.
- To the extent practicable, communications between the client and the PR firm should be through outside counsel or in the presence of outside counsel.
- PR firms should label documents (including email traffic) as “Attorney-Client Privilege/Work Product Communications.”
- Because it is essential that the services provided by the PR firm facilitate legal advice and services, great caution should be taken to define what services the PR firm is being asked to perform.
- Careful consideration should be given to the nature of each service the PR firm is undertaking when contemplating a disclosure to it. If, in connection with a particular assignment, the PR firm is not engaged in helping outside counsel formulate legal strategy, sharing privileged information should be avoided.
- The PR firm should invoice the law firm for its services whenever possible.