Okay, the breaking glass part is for dramatic effect and is optional. However, once the specter of a data breach rears its ugly head, your company should immediately retain breach counsel before it hires cyber security and forensics firms to access the scope of the breach. Why? Because if the law firm truly directs and manages the internal investigation and any loss mitigation efforts, the attorney-client privilege and protections of the work product doctrine should apply. Given that litigation often follows a data breach, the ability to investigate with an assurance of confidentiality will promote more candid communications with company personnel and will allow the company to better control the flow of information and public relations messaging. If outside counsel are not directing the investigation and loss mitigation efforts, the whole process will be discoverable in litigation and information may be misconstrued or mischaracterized.
The rationale behind the attorney-client privilege is to encourage free and open communication between the client and his or her lawyer, thus promoting informed, effective representation. The privilege protects communications between a lawyer and a client, or an agent of either, that are made in confidence for the purpose of obtaining or providing legal advice for the client. There is a serious question as to whether the privilege applies in the case of in-house lawyers interviewing company employees. Clearly, if no lawyer is involved in the communication, or if a third party is present when the communication is made, there is no privilege
In comparison, the work product doctrine protects an attorney’s mental impressions, opinions and legal conclusions from disclosure based on the rationale that an attorney should be afforded privacy to prepare her client’s case. Work product protection is provided to documents or tangible things, prepared by or for a party, and prepared in anticipation of litigation or for trial. See FED. R. CIV. P. 26(b)(3). Unlike the attorney-client privilege, the work product doctrine confers a qualified privilege and if the opposing party can show compelling reasons that requested information should be produced, for example, if it is not available anywhere else, the court in its discretion may order production.
For the “hire counsel first” strategy to work, the law firm retained must be prepared to respond almost immediately and to hit the ground running. Preferably, the firm will have the capability of fielding a rapid reaction team of experienced attorneys that can rapidly assess the situation, retain the appropriate experts from a pre-vetted panel, properly conduct an internal investigation and promptly provide cogent legal advice on damage control strategies. Your prospective breach counsel should be able to discuss up front a proposed plan of action (“POA”). The POA will vary depending upon the circumstances, but might look something like this:
- Retain breach counsel;
- Obtain high level overview of factual circumstances;
- Retain appropriate forensic experts;
- Ensure data is no longer being compromised (retain expert for determination as needed);
- Identify scope of breach if possible and type of data (e.g., financial, personal, medical, etc.);
- Physically secure the data systems, data and documentation;
- Implement document and data retention plan;
- Conduct interviews with key personnel to determine circumstances of breach;
- Determine how the breach occurred and whether it was accidental or malicious (inside or outside job);
- Assess security factors and improvements neded going forward;
- Retain public relations experts as appropriate;
- Assess legal and regulatory requirements;
- Determine if law enforcement, or other officials should be alerted;
- Provide detailed opinion to client on legal and regulatory obligations, as well as loss mitigation action plan;
- As appropriate retain data breach response firm;
- Provide hotline and on line information resources for affected personnel;
- As appropriate provide notification of breach to regulators, government and affected persons;
- As appropriate provide mitigation resources to affected persons (e.g., credit monitoring), and,
- Provide assessment of steps needed to avoid or reduce the risk of future data breaches.
The POA above is bare-bones and generic. The bottom line is that breach counsel should be retained soon as a potential breach is discovered, and that once retained should be prepared to immediately implement a plan of action agreed upon with the client. If that plan is properly executed by the law firm, the protections of the attorney-client privilege and work product doctrine should apply to most of the investigation and mitigation efforts. Preservation of the privilege could prove to be vitally important in future litigation.