Securing corporate information assets against a data breach, and responding to a data breach when it occurs, is not just a technology problem. While information security certainly has a major technological component, it is also a public relations problem, a human resources problem, an enterprise risk management problem, an insurance problem and a multi-faceted legal problem, raising issues of privacy compliance, regulatory scrutiny and litigation readiness.
In this blog post, I explain why it is crucial, in the event of a suspected data breach, to hire a lawyer before any other expert advisors, to act as the hub of your investigation and advisory team. Why? Solicitor-client privilege. Allow me to explain.
Why You Should Care about Solicitor-client Privilege in a Data Breach Scenario
In litigation and regulatory investigations, parties are generally required to produce to the other parties or the regulator, as the case may be, any information that is relevant to an issue in dispute. Solicitor-client privilege is an exception to the general rule that requires disclosure. Solicitor-client privilege protects confidential communications between lawyer and client made for the purpose of obtaining legal advice. The basis for this protection against disclosure is the importance of facilitating full and frank discussion between lawyer and client, so that the client can get meaningful advice. When solicitor-client privilege applies to the communications, the client does not have to fear that information communicated with the lawyer can be used against the client by a regulator or party to litigation.
Direct Communications between the Client and Non-lawyers are Generally Disclosable
It is only communications between a client and lawyer that benefit from protection from disclosure.
Imagine if you have a data breach, and a forensic consultant investigating the breach gives you a preliminary conclusion that a hacker got to your private customer data because of errors made by your internal IT staff. Even if later evidence shows that the data breach was unavoidable, a plaintiff’s class action lawyer will want to obtain the initial communication to further an argument that the corporation was negligent in the protection of customer data.
In fact, communications directly between lawyer and client can lose the protection of solicitor-client privilege if there has been disclosure of the communications to a third party with the client’s knowledge and consent. If this occurs, the legal privilege over the lawyer-client communications is said to be “waived” and production will be required.
You May be Able to Protect the Advice of Specialists in a Data Breach Investigation and Response
Despite the concept of waiver, communications with non-lawyer third parties may also be protected from disclosure in appropriate circumstances. If a third party consultant is integral to providing legal advice to the client, either by assisting the lawyer to develop and execute strategy or by helping counsel understand the client’s circumstances so that the lawyer can provide effective advice, solicitor-client privilege might attach to the findings, advice and related communications of the consultant.
The Question is Whether the Third Party Advice is Integral to Legal Advice
In a data breach situation, public relations and forensic investigation services can be key to the provision of effective legal advice. If those services are properly coordinated by your lawyer, solicitor-client privilege can be asserted over the communications with those experts.
For example, in a complex hacking incident, I might well need the expertise of a forensic investigator who understands standards for information security and the intricacies of the client’s IT system, its safeguards and vulnerabilities. I might also need the expertise of an expert in crisis communications to help control public speculation and the spreading of false information about the data breach. The advice of these advisors can be crucial to properly developing and implementing legal strategy to deal with regulators, customers and other stakeholders and to minimize the risk of and prepare for litigation.
Whether solicitor-client privilege will protect communications with a particular third party advisor is a fact-driven determination. The court/regulator will consider whether the facts are consistent with solicitor-client privilege attaching to the communications. The purpose and course of communications and the retainer agreement will be examined. There are no hard and fast rules.
One thing is perfectly clear, however: In order to be able to assert solicitor-client privilege over communications with any third party advisor in a data breach, your lawyer must be involved in directing the relationship and communications with the advisor. In the event of a data breach, call your lawyer first.