Top Five Tips To Protect Privilege In A Data Breach


When your organization is addressing a cyber-attack or other
data breach, protecting privilege is crucial. In the aftermath of a
data breach, events can move very quickly. However, appropriate
steps should be taken to ensure that the privileged and
confidential documents generated in your breach investigation and
response stay that way. Shortcuts taken for expediency’s sake
can lead to problems later, particularly in the event of
litigation. Protecting privilege is important to preserve the
confidentiality of your discussions with counsel and other
documents generated in your breach response, to guard against the
risk of such materials being producible in future litigation.

Here are our top five tips for protecting privilege in the
context of a data breach:

    1. Avoid using your
      organization’s computer systems if they are
      If there is reason to believe that your
      organization’s information technology (IT) infrastructure remains
      compromised, you should not use it to communicate (internally or
      externally) about the breach. Otherwise, any privileged
      communications could be intercepted by the threat actor,
      exacerbating the data breach. Instead, consider using phone calls
      or a secure and uncompromised external email address to communicate
      regarding the breach response.
    1. Engage legal counsel as soon
      as possible.
      A data breach should be treated as a legal
      incident for the organization, with counsel involved from the
      outset of the response. Internal counsel should be notified right
      away of a breach. In the case of a significant breach, it also may
      be prudent to retain outside litigation counsel immediately. This
      can help bolster claims for solicitor-client privilege because it
      underscores the legal, as opposed to business-related, nature of
      the advice being given. It also emphasizes the litigation-oriented
      objectives of any forensic expert reports into the data breach,
      bolstering a claim for litigation privilege. Solicitor-client and
      litigation privileges can apply with respect to in-house counsel,
      but only when in-house counsel is providing legal rather than
      business advice. Because in-house counsel often provide both kinds
      of advice in the aftermath of a data breach, privilege claims
      involving internal counsel may be more closely scrutinized by the
      courts in the event of a dispute.
    1. Structure retainers with
      third-party consultants with privilege in mind.

      Communications with and documents generated by an external forensic
      expert hired to investigate the data breach can be privileged,
      provided that the retainer is structured appropriately. For

        • Where possible, external counsel and the organization should
          retain the third party jointly
        • Even if the organization has an ongoing relationship with the
          consultant, a separate retainer or statement of work should be
          entered into with respect to the breach to distinguish the
          privileged work from any other non-privileged work
        • The terms of the third-party retainer should reflect the legal
          nature of the advice given and that all communications and
          documents relating to the engagement should be marked and treated
          as privileged by all involved
        • The third-party adviser should take instructions from, and
          report to, counsel (and ideally external counsel)
        • Payment to the third-party adviser should be recorded and
          treated as a legal expense (for example, paid out of the
          organization’s legal budget)
    1. Control dissemination of
      privileged material in your organization.
      communications should not be copied or disseminated more widely
      within your organization than is necessary. It will usually also be
      prudent for internal or external counsel to be copied on
      communications regarding the breach, although doing so does not
      automatically cloak those communications with privilege. All
      communications and any notes or other documents regarding the
      breach or reflecting privileged advice should be marked as
      “privileged and confidential.”
    1. Beware of divulging
      privileged material externally.
      Some regulators may have
      authority to compel your organization to produce privileged
      documents, such as a forensic investigator’s report. When
      responding to these demands, it should be stated expressly that
      your organization does not intend to waive privilege through such
      disclosure. Voluntary disclosure of potentially privileged
      information to law enforcement should be approached with caution.
      The organization should also avoid inadvertent disclosure of
      privileged information, such as in pleadings and other legal
      filings, which may imply waiver of privilege. If disclosure of any
      privileged information is truly necessary, the disclosure should be
      as narrow as possible, and it should expressly be stated that no
      waiver of privilege is intended.


© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
