While I was gearing up for the Sedona Conference’s Working Group 11 mid-year meeting, the news broke about Cambridge Analytica’s data practices. Completing a trifecta of Monday morning data privacy and security news, Sedona WG11 also released its Incident Response Guide.
Sedona WG11 is focused on Data Security and Privacy Liability, with a direct mission of identifying trends in data security and privacy law. Needless to say, Cambridge Analytica and Facebook were a topic of conversation and questions at the meeting. How does a company plan for and respond to a data breach? What is considered private data? What are a company’s obligations to keep data private? When the data is used for various purposes, what disclosures are required? Should the United States have a federal standard for data breach notifications? These questions raised, of course, the topic of the GDPR and its ever-impending May 25, 2018 effective date.
One solution discussed was the use of third-party vendor management. While vendors fill a need in data security and figure in the recent Cambridge Analytica news, this topic is also discussed often in the e-Discovery context. Prior to engaging any vendor, due diligence is necessary. Due diligence includes understanding the vendor’s data security practices and its breach notification obligations, followed by continual auditing and management of the vendor. Whether the vendor is handling a production in litigation and is authorized to provide data externally to another organization, or the vendor’s services are used only inside your organization, such as for an internal investigation, the same overarching protocols should be followed.
Another topic discussed was the privilege designation of forensics reports generated before and/or after a data breach. Pre-incident reporting may include infrastructure mapping, vulnerability scans, penetration tests, internal/external audits, risk assessments and cybersecurity policies/procedures. While not all pre-incident information may be privileged, an attorney may be involved in providing advice on legal standards and often weighs in on gap assessment remediation before an incident ever occurs. Once a breach does occur, the same questions about the requirements for asserting privilege and the work product doctrine that arise so often in e-Discovery arise again in the cybersecurity landscape.
While other Sedona commentary touches on the applicability of privilege in the cybersecurity space, the Incident Response Guide outlines the need for pre-incident planning, with practical considerations for organizations. One of the very first notes in the Introduction is the cautionary notice that the Guide is based on information as of the date of publication. While this is true of every publication, it truly resonates given the rapidly changing laws in cybersecurity practice. If you have not reviewed the Guide within its first week of publication, I urge a review in the coming weeks. The Incident Response Guide is relevant to in-house lawyers at organizations of all sizes and to outside counsel representing clients in all industries, including individual clients. It provides practical competencies for us all, including what to consider in an Incident Response Plan, breach notification requirements and after-action reviews.
Not only is this relevant to all of us professionally; with our own personal data at stake, we will all remain attuned to the current news, new legislation and future data breaches.