A large portion of the data breaches that occur each year involve human resource-related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach.

This part discusses the steps that employers can take to protect an investigation of a data security incident from disclosure using the attorney-client privilege and the work product doctrine.

When a data security incident is first suspected, consider notifying your in-house or outside legal counsel. A primary benefit of involving counsel early in an investigation is to allow counsel to help you decide whether an investigation should be conducted under the cloak of attorney-client privilege.

The attorney-client privilege and the attorney work product doctrine are judicially recognized evidentiary protections in the United States that are designed to ensure that a client (i.e., your organization) can provide factual information to an attorney for the purpose of obtaining legal advice without the fear that the communication or information will have to be shared with the government or opponents in litigation. In the context of a data security investigation, there is a strong argument that the following types of communications are covered by privilege:

  • Advice from your attorney concerning your statutory, regulatory, and contractual obligations in the event of a data breach.
  • Your attorney’s opinion concerning the likelihood that you will receive a legal challenge in connection with the incident.
  • Ways in which you can lower the risk of litigation.
  • Information that your attorney requests be collected in order for your attorney to be able to provide legal advice.

With regard to the collection of information, your attorney may recommend that a forensic investigation be led by your legal department or outside counsel as the information obtained in the investigation may be necessary for your attorney to provide your organization with legal advice. There are steps you can take to ensure the strongest argument that the privilege should protect the analysis and reports of those investigating the incident. For example, employees who participate in an investigation should copy counsel on all internal communications concerning the cause and the scope of the breach or, when speaking to others, clearly indicate that they are collecting information at the behest of counsel. If information needs to be gathered from IT or HR by email, consider putting in the subject line a clear statement that the communication is an “Attorney Client Communication: Information Requested By Counsel.” This helps make sure that anyone who reads the email at a later time understands the context in which it was sent, the purpose for which the information was collected, and the fact that the communication may be privileged and exempt from disclosure outside of the organization.

TIP: Third-party forensic investigators are often retained through outside law firms – instead of through an organization’s IT department – to make clear that their purpose is to help your attorneys understand the factual situation surrounding an incident in order to provide legal advice. The contract with a forensic investigator often forms the foundation of your ability to assert that their analysis of forensic evidence is privileged.