Let’s start with a trivia question. Q: What do the companies Target, Genesco, and Experian all have in common? Is it (A) they all experienced data breaches which exposed sensitive consumer information; (B) they all found themselves the subject of lawsuit(s) over the loss of this information; (C) they all invoked the doctrine of privilege — specifically under attorney-client and work product– to protect a retained forensic firm’s investigative findings; or (D) all the above. If you chose D, then you, dear reader, can go on your merry way reading.
Cyber attacks and the loss of sensitive information are at the forefront of nearly every corporate executive’s mind. According to a recent study by the Business Continuity Institute, cyber attacks represent the number one concern among business professionals. A proliferation of high-profile breaches over the past twelve months (e.g., HBO, Yahoo, Democratic National Committee, etc.) have left owners of businesses big and small asking the same question: For past, present and future data breach incidents, what’s the one thing you must do to mitigate legal liability? Simple, really. Hire an attorney.
The Benefit of Attorney-client and Work Product Privileges
For any business concerned about the inherent risk and liability emanating from a cyber attack, the hiring of outside counsel (with cybersecurity expertise, I may add) isn’t an option. It’s a necessity. Before you chalk this article up to purely selfish motives, hear me out. The decision to retain an attorney offers a benefit of almost immeasurable proportions — the protection and confidentiality of cybersecurity work and communications.
Long ago, the Supreme Court of the United States established the principle that the communications and work between an attorney and a client warrant protection. With limited exceptions, the attorney-client privilege and work product doctrine cloak in confidentiality both communications and work that occurs between an attorney and his/her client. In the context of attorney-client communications, the privilege protects discussions exchanged for the purpose of rendering legal advice. Alternatively, the work product doctrine (or privilege) covers work prepared in anticipation of litigation.
The application of either privilege is easiest to understand after the occurrence of a data breach. Take the Genesco case for example. In Genesco, hackers successfully broke into the retail giant’s internal network to steal payment card information. The hackers then used this information to siphon off money from transactions processed by Genesco’s banks. After Visa levied thirteen million in fines against these banks for the failure to ensure Genesco complied with the Payment Card Industry Data Security Standards (“PCI DSS”), the banks turned around and assessed these fines on Genesco. Genesco disputed Visa’s fines and promptly filed a lawsuit.
As one of its first order of business, Visa requested Genesco turn over materials related to the forensics investigation performed after the data breach incident had occurred. Genesco refused, citing both attorney-client and work product. The Court sided with Genesco. Because Genesco’s outside counsel hired the forensics firm as a way to render legal advice and in anticipation of litigation, the Court upheld privilege over the firm’s discoveries. As a result, Visa lost a critical piece of evidence (i.e., Genesco’s failure to implement necessary security measures) necessary to its case.
Privilege Before a Breach
With unquestionable benefits post-breach, there’s even a strong argument to be made for the extension of the privileges prior to the occurrence of any incident. However, this is only made possible through a company’s decision to involve an attorney from the very get-go. Practically speaking, this means a company allows outside counsel to coordinate and direct the efforts of a third-party cybersecurity firm.
A cybersecurity firm’s services, which may include things such as a vulnerability assessment, the implementation of critical security controls, and the development of an incident-response plan to name a few, should operate in tandem with and for the purpose of outside counsel’s legal advice (i.e., the very basis of attorney-client privilege).
Imagine the following scenario: Prior to any known or suspected data breach, a company proactively hires a cybersecurity firm to document its information security shortcomings. Of the findings chronicled in the cybersecurity firm’s report, the company chooses to correct few, if any, of the problems identified. Thereafter, the company experiences a data breach and is promptly sued by the affected parties. In the absence of the involvement of an outside attorney and the application of attorney-client privilege, the report would likely act as the critical piece of evidence that the company failed to behave in a responsible way. This scenario encapsulates a “better safe than sorry” approach, as the omission of early attorney involvement could prove detrimental in the long run.
As companies continue to combat the growing threat of digital intrusions, the need for legal expertise in cybersecurity is mission critical. An effective cybersecurity attorney should act as a surveyor of legal landmines, mitigating and alleviating risk through the application of attorney-client and work product privileges. Bottom line: the sooner a company retains, the more protection it stands to gain.