Canada:
Top Five Tips To Protect Privilege In A Data Breach
When your organization is addressing a cyber-attack or other
data breach, protecting privilege is crucial. In the aftermath of a
data breach, events can move very quickly. However, appropriate
steps should be taken to ensure that the privileged and
confidential documents generated in your breach investigation and
response stay that way. Shortcuts taken for expediency’s sake
can lead to problems later, particularly in the event of
litigation. Protecting privilege is important to preserve the
confidentiality of your discussions with counsel and other
documents generated in your breach response, to guard against the
risk of such materials being producible in future litigation.
Here are our top five tips for protecting privilege in the
context of a data breach:
- Avoid using your organization’s computer systems if they are
  compromised. If there is reason to believe that your
  organization’s internet technology (IT) infrastructure remains
  compromised, you should not use it to communicate (internally or
  externally) about the breach. Otherwise, any privileged
  communications could be intercepted by the threat actor,
  exacerbating the data breach. Instead, consider using phone calls
  or a secure and uncompromised external email address to communicate
  regarding the breach response.
- Engage legal counsel as soon as possible. A data breach should be
  treated as a legal incident for the organization, with counsel
  involved from the outset of the response. Internal counsel should
  be notified right away of a breach. In the case of a significant
  breach, it also may be prudent to retain outside litigation counsel
  immediately. This can help bolster claims for solicitor-client
  privilege because it underscores the legal, as opposed to
  business-related, nature of the advice being given. It also
  emphasizes the litigation-oriented objectives of any forensic
  expert reports into the data breach, bolstering a claim for
  litigation privilege. Solicitor-client and litigation privileges
  can apply with respect to in-house counsel, but only when in-house
  counsel is providing legal rather than business advice. Because
  in-house counsel often provide both kinds of advice in the
  aftermath of a data breach, privilege claims involving internal
  counsel may be more closely scrutinized by the courts in the event
  of a dispute.
- Structure retainers with third-party consultants with privilege in
  mind. Communications with and documents generated by an external
  forensic expert hired to investigate the data breach can be
  privileged, provided that the retainer is structured appropriately.
  For example:
  - Where possible, external counsel and the organization should
    retain the third party jointly
  - Even if the organization has an ongoing relationship with the
    consultant, a separate retainer or statement of work should be
    entered into with respect to the breach to distinguish the
    privileged work from any other non-privileged work
  - The terms of the third-party retainer should reflect the legal
    nature of the advice given and that all communications and
    documents relating to the engagement should be marked and treated
    as privileged by all involved
  - The third-party adviser should take instructions from, and
    report to, counsel (and ideally external counsel)
  - Payment to the third-party adviser should be recorded and
    treated as a legal expense (for example, paid out of the
    organization’s legal budget)
- Control dissemination of privileged material in your organization.
  Privileged communications should not be copied or disseminated more
  widely within your organization than is necessary. It will usually
  also be prudent for internal or external counsel to be copied on
  communications regarding the breach, although doing so does not
  automatically cloak those communications with privilege. All
  communications and any notes or other documents regarding the
  breach or reflecting privileged advice should be marked as
  “privileged and confidential.”
- Beware of divulging privileged material externally. Some regulators
  may have authority to compel your organization to produce
  privileged documents, such as a forensic investigator’s report.
  When responding to these demands, it should be stated expressly
  that your organization does not intend to waive privilege through
  such disclosure. Voluntary disclosure of potentially privileged
  information to law enforcement should be approached with caution.
  The organization should also avoid inadvertent disclosure of
  privileged information, such as in pleadings and other legal
  filings, which may imply waiver of privilege. If disclosure of any
  privileged information is truly necessary, the disclosure should be
  as narrow as possible, and it should expressly be stated that no
  waiver of privilege is intended.
© 2020 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
source http://dominiclevent.com/blog/top-five-tips-to-protect-privilege-in-a-data-breach-litigation-mediation-arbitration-cana/