You are the CEO of a small or medium-sized company and someone from your IT team runs to your office, pale-faced, to tell you that the company’s network has been hacked. They don’t know how the penetration occurred, when, or whether any data or confidential material has been stolen. Who do you call first? Your cyber forensic expert? The cybersecurity consultant you hired to help fortify your systems? The Board of Directors? No, your first call should be to your attorney.
Why should your first call be to your attorney? Whether you call in-house or external counsel, you will want to know what federal and state reporting obligations must be addressed, whether and when to involve law enforcement, and how best to respond to the incident to preserve evidence and limit your legal liability in the event of a regulatory action or lawsuit. However, the most urgent and often overlooked reason is to ensure that your company’s response to the incident falls under the umbrella of attorney-client privilege.
If your company is subject to a data breach and customer records are lost, you likely have an obligation to report the loss. Once reported, your company may face a civil suit, regulatory investigation, or government enforcement action. Imagine if your pre-incident security assessment revealed critical weaknesses in your cybersecurity system and there are emails describing those weaknesses. Would you want those emails to be discoverable in a civil litigation? What about emails discussing what or what not to include in your company’s cybersecurity policy or after-the-fact internal criticism of the way your team responded to a breach?
In United States v. Kovel, the Second Circuit Court of Appeals extended attorney-client privilege to third parties, such as accountants, who assist lawyers representing their clients. The reasoning of the 1961 Kovel decision has been broadened over the years and is now being extended to cybersecurity consultants. In 2015, a federal judge ruled in favor of Genesco Inc. in a dispute with Visa to compel the production of documents from IBM, which Genesco had retained to provide consulting and technical services to help Genesco’s counsel. Visa was attempting to recoup $13 million in damages assessed after a data breach, but the judge found that IBM’s documents and communications with Genesco were protected by the privilege.
Companies cannot, however, simply copy their attorneys on every email with their cybersecurity consultants or invite their attorney to a cybersecurity meeting to read the newspaper in a corner. To protect communications with and work product of your cybersecurity team, you need them to truly be working hand-in-hand with your attorneys to advise not only on the technical but legal and regulatory aspects of pre- and post-incident activity. This is why it is so important to have your cybersecurity team in place long before an incident ever occurs.
Companies should engage third-party cybersecurity consultants through outside counsel and any contract with that consultant should be signed by the attorney as well. The contract’s statement of work should make clear that the work is being performed in conjunction with counsel and in anticipation of litigation. Communications that truly relate to the provision of legal advice should be appropriately labeled and, to the extent possible, attorneys should direct the work of the cybersecurity consultants.
There is no guarantee that all communications and work product will be protected by the privilege. However, engaging counsel both before and after a cybersecurity incident can increase the efficiency of your cybersecurity consultants who may not be focused on the company’s legal requirements and demonstrate to regulators how seriously your company takes the problem.