Litigation is a real risk in the aftermath of a cyber-breach:

  • customers might complain that their personal data has been disclosed;
  • shareholders might say that you should have done more to protect the organisation from attack;
  • financial institutions might allege that you did not take adequate steps to secure payment details;
  • your business partners might claim breach of contract.

You may also face a regulatory investigation. If litigation proceeds, you may be required to hand over documents to the other side, including expert reports/documents which might show your security practices were inadequate or that policies and procedures were not followed.

This is when legal professional privilege becomes crucial. Communications that are legally privileged are not disclosable.


Legal professional privilege is a rule of law which protects the confidentiality of communications made between a lawyer and a client, and communications made in contemplation of litigation.

It can be divided into two strands:

  • legal advice privilege;
  • litigation privilege.


Legal advice privilege applies to confidential communications between a lawyer and a client for the purpose of giving or seeking legal advice. Legal advice from your lawyers on your liability to customers/suppliers following a cyber-breach should be protected from disclosure in litigation.

Legal advice privilege only applies to lawyer-client communications: it does not protect communications with a third party. If, for example, you hire an expert to prepare a report on the cause of a cyber breach, you are unlikely to be able to claim legal advice privilege over the report (though litigation privilege may apply).


Litigation privilege applies to confidential communications between a lawyer and a client, or between either of them and a third party, for the dominant purpose of gathering evidence for use in legal proceedings or for giving legal advice about legal proceedings.

Litigation privilege only applies where:

  1. litigation had commenced or was anticipated at the time the communication was made; and
  2. the communication was made for the dominant purpose of the litigation.

The ‘dominant purpose’ requirement can create difficulties in practice.

For example, suppose that, before instructing your lawyers, you ask a computer forensic expert to report on the cause of the breach and the steps you should take to better protect your systems. If you later try to claim privilege over the report in litigation arising from the breach, you might have a difficult time convincing the court that the dominant purpose of procuring the report was the litigation, and not internal management reasons.


  • Keep privilege at the forefront of your mind at all times: Whether you are putting together a Cyber Incident Response Plan or dealing with a cyber breach, think ‘privilege’. Ask yourself: are these communications likely to be disclosed in future litigation? Is there anything I can do now to reduce the risk of disclosure? 
  • Raise awareness of privilege within your organisation: Ensure all personnel understand the importance of privilege, how it may be asserted and how it may be lost. 
  • Involve your lawyers as early as possible: Instruct lawyers with cyber-security experience. Involve them at the cyber-breach planning stage. Ensure they understand your business and the impact a cyber-breach could have on it. Get their legal advice on the adequacy of your security practices and the adequacy of your Cyber Incident Response Plan.
  • Have your lawyers on speed dial: The first step in your Cyber Incident Response Plan should be to consult your lawyers. Get your lawyers on board before any internal investigations are commenced and before other consultants/advisors are engaged. Ask your lawyers to manage any internal investigations into the cyber-breach. This will help minimise the risk that the results of the investigation will have to be handed over in subsequent litigation.


Where litigation is not in being or contemplated, the only possible privilege is legal advice privilege. Remember, this only applies to lawyer/client communications.

  • Nominate key decision-makers in your organisation as the point of contact with your lawyers: Route all communications with your lawyers through this group.
  • Restrict the circulation of all communications pertaining to legal advice: Only circulate legal advice on a “need to know” basis and instruct the recipient not to communicate it further. Do not forward or create documents that summarise legal advice. Mark all communications seeking or containing legal advice “Privileged and Confidential”.
  • Ensure that any communication of legal advice is on a confidential basis: If you must communicate legal advice (e.g. to a regulator), do so on a confidential basis only. Request the recipient to confirm in writing that (i) they understand that the legal advice is privileged; (ii) you are communicating the advice for a limited and specific purpose; (iii) you are not waiving privilege; and (iv) they will not communicate the advice further. 
  • Be careful when drafting minutes of meetings: Do not include a summary of any legal advice given by a lawyer at a meeting in the minutes of the meeting. Create a separate document and refer in the minutes only to the fact that legal advice was given.


  • Record the fact that litigation is contemplated: If litigation is contemplated, record this on the face of the communication. Be as specific as possible. 
  • Avoid dual purpose communications: Documents created for more than one purpose may not be privileged. To avoid any potential issue, create two separate communications: one for use in the litigation and the other for the other purpose. 
  • Label your communications: Mark all communications “Strictly Privileged & Confidential – In Contemplation and/or In Furtherance of Proceedings”. This may help bolster an argument that the dominant purpose of the communication was for use in litigation. 
  • Get your lawyers to instruct any relevant experts: This may help strengthen an argument that the expert was retained for the purposes of the litigation.