When your organization is addressing a cyber-attack or other data breach, protecting privilege is crucial. In the aftermath of a data breach, events can move very quickly. However, appropriate steps should be taken to ensure that the privileged and confidential documents generated in your breach investigation and response stay that way. Shortcuts taken for expediency's sake can lead to problems later, particularly in the event of litigation. Protecting privilege is important to preserve the confidentiality of your discussions with counsel and other documents generated in your breach response, to guard against the risk of such materials being producible in future litigation.

Here are our top five tips for protecting privilege in the context of a data breach:

  1. Avoid using your organization's computer systems if they are compromised. If there is reason to believe that your organization's internet technology (IT) infrastructure remains compromised, you should not use it to communicate (internally or externally) about the breach. Otherwise, any privileged communications could be intercepted by the threat actor, exacerbating the data breach. Instead, consider using phone calls or a secure and uncompromised external email address to communicate regarding the breach response.
  2. Engage legal counsel as soon as possible. A data breach should be treated as a legal incident for the organization, with counsel involved from the outset of the response. Internal counsel should be notified right away of a breach. In the case of a significant breach, it also may be prudent to retain outside litigation counsel immediately. This can help bolster claims for solicitor-client privilege because it underscores the legal, as opposed to business-related, nature of the advice being given. It also emphasizes the litigation-oriented objectives of any forensic expert reports into the data breach, bolstering a claim for litigation privilege. Solicitor-client and litigation privileges can apply with respect to in-house counsel, but only when in-house counsel is providing legal rather than business advice. Because in-house counsel often provide both kinds of advice in the aftermath of a data breach, privilege claims involving internal counsel may be more closely scrutinized by the courts in the event of a dispute.
  3. Structure retainers with third-party consultants with privilege in mind. Communications with and documents generated by an external forensic expert hired to investigate the data breach can be privileged, provided that the retainer is structured appropriately. For example:

    • Where possible, external counsel and the organization should retain the third party jointly

    • Even if the organization has an ongoing relationship with the consultant, a separate retainer or statement of work should be entered into with respect to the breach to distinguish the privileged work from any other non-privileged work

    • The terms of the third-party retainer should reflect the legal nature of the advice given and that all communications and documents relating to the engagement should be marked and treated as privileged by all involved

    • The third-party adviser should take instructions from, and report to, counsel (and ideally external counsel

    • Payment to the third-party adviser should be recorded and treated as a legal expense (for example, paid out of the organization's legal budget)

  4. Control dissemination of privileged material in your organization. Privileged communications should not be copied or disseminated more widely within your organization than is necessary. It will usually also be prudent for internal or external counsel to be copied on communications regarding the breach, although doing so does not automatically cloak those communications with privilege. All communications and any notes or other documents regarding the breach or reflecting privileged advice should be marked as "privileged and confidential."
  5. Beware of divulging privileged material externally. Some regulators may have authority to compel your organization to produce privileged documents, such as a forensic investigator's report. When responding to these demands, it should be stated expressly that your organization does not intend to waive privilege through such disclosure. Voluntary disclosure of potentially privileged information to law enforcement should be approached with caution. The organization should also avoid inadvertent disclosure of privileged information, such as in pleadings and other legal filings, which may imply waiver of privilege. If disclosure of any privileged information is truly necessary, the disclosure should be as narrow as possible, and it should expressly be stated that no waiver of privilege is intended.

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.