Lawyers advise enterprises to establish preemptive legal protection before suffering a cyberattack. While one might expect lawyers to say that, there are some reasons to take this advice.
Namely, a federal district court in Minnesota found in October that "certain documents created during Target's internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine," according to the Cybersecurity Law Report.
The court told Target that it didn't have to produce certain documents that the plaintiffs wanted to see. The reason: they were part of the investigation.
That was post-attack, but after the company established attorney client-privilege, it helped Target. However, under some circumstances, attorney-client privilege may also come into play before a hack takes place, according to a report by Amy Terry Sheehan, Editor-in-Chief of the Cybersecurity Law Report.
In a post-hack scenario, "data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege," Michael Gottlieb, a partner at Bois, Schiller, and Flexner, told The Cybersecurity Law Report.
Advantages of not having to provide documents include, importantly, less poking around into corporate affairs, which can in-turn lead to more lawsuits, among other reasons.
'Aftermath' or before
But what if you get legal advice before a cyberattack takes place? Would that count under attorney-client privilege if you ever had to go to court for actual attack reasons? Say, for example, your organization was being sued by customers.
It's hard, but possible, Sheehan thinks.
Primarily, "preserving the privilege when preparing for a breach is difficult unless a company properly distinguishes legal analysis from regular operational tasks," for one thing.
Prep for hacks
However, companies do have a right to look into potential cybersecurity problems and to prepare for hacks "without concern that discussions and recommendations about a company's vulnerabilities will be subject to future litigation," Sheehan says in her report.
Enterprises shouldn't have to worry about pre-hack assessments becoming public and triggering more litigation, Sheehan added.
What steps to take?
Involving "counsel from the beginning of pre-incident planning to direct the analysis, recommendations and planning" would preserve privilege in the event of a breach, Sheehan recommends in her report.
Additionally, "assignments and activities" related to planning should be structured at the request of counsel, she thinks.
Plus, team members must report back to counsel; legal memos must integrate technical "or other specific investigations;" and all third-party vendors should be engaged through counsel.
In addition, routine "operational efforts" should be separated from "activities undertaken to provide legal advice."
Counsel could be internal or external, Sheehan says.
"'Retaining privilege in pure preventative preparation can be difficult,' particularly where the work is 'entirely about the company's systems or operational concerns and would fall into the CISO or IT bucket,'" Gotlieb is quoted as saying in the report.
Target "is one of the first cases we are seeing in the data breach context where the privilege issue has been tested," Michelle A. Kisloff, a partner at law firm Hogan Lovells, said in an article on The Cybersecurity Law Report's website.
Sheehan said this privilege applies prior to an incident, too.
In any case, lawyers can help enterprises figure if they've done enough for cybercrime prevention, the report says.
This article is published as part of the IDG Contributor Network. Want to Join?