[BreachExchange] An Ounce of Data Breach Prevention…Address Attorney-Client Privilege in Your Breach Planning

Thu Jul 27 19:24:02 EDT 2017

https://www.natlawreview.com/article/ounce-data-breach-
prevention-address-attorney-client-privilege-your-breach-planning

Data breach “horror” stories have become a new staple in today’s business
environment. The frequency of attacks which threaten (or compromise) the
security of business networks and information systems continually increases
— in the health care space alone (which holds the dubious honor of Most
Likely To Be Attacked), a FBI and HHS’ Office for Civil Rights report notes
that ransomware attacks occur at the rate of 4,000 per day, a four-fold
increase from 2015. Experienced data breach forecasters continue to predict
that cyber-attacks will continue to increase in frequency. Although data
security and breach response are constantly in the headlines, studies
demonstrate that organizations remain unprepared to effectively respond to
a data breach.

For entities that are covered under HIPAA (or their business associates),
or other state or federal cybersecurity regulations (such as the NYS DFS
regulations we previously discussed in our articles, Getting Prepared for
the New York Department of Financial Services’ Proposed Cybersecurity
Regulations, and New York Releases Revised Proposed Cybersecurity
Regulations) breach response preparedness is required. This would include
periodic assessment and development of an effective incident response plan.
Breach response readiness is not only required for many organizations, it
is just sound business practice in today’s environment.

Is your organization ready? It may have an incident response plan, drafted
a couple of years ago, adorning a forlorn shelf (blow the dust off
carefully), but perhaps the plan has not been updated or tested, or staff
has not been trained (and re-trained) — or legal counsel may not have
provided input on the plan.

Legal counsel is valuable not only to provide input on legal definitions,
notification processes, and third party contract provisions in the incident
response plan. Another important benefit to including legal counsel in the
planning process (as well as data breach response) is to ensure that the
incident response plan is drafted to appropriately address legal counsel’s
role, thereby protecting attorney-client/work product privileges. These
protections are not absolute – in fact, there is significant case law
discussing how and when they apply. Therefore, legal counsel should be
involved in plan development and the plan should clearly provide that
investigations are initiated and overseen by legal counsel as part of the
breach response (and litigation risk assessment) process.

A May 18, 2017 decision of the United States District Court in the Central
District of California underscores the benefits of legal counsel in breach
response preparation and planning. In this decision, rendered in the
context of the Experian breach litigation, the plaintiffs sought access to
a forensic consultant’s report. The forensic consultant had been retained
by Experian’s legal counsel immediately after the breach was discovered by
Experian, and the report was used by legal counsel to develop a legal
strategy for Experian’s response to the breach. The plaintiffs claimed the
report should be disclosed because it was also used for the purpose of
meeting Experian’s legal duty to investigate the data breach.

Despite the fact that the forensic consultant had previously worked for
Experian (doing a very similar analysis), the court noted when the forensic
consulting firm was retained by legal counsel, as well as the way legal
counsel directed the form and content of the report (so that only portions
could be disseminated to Experian’s incident response team, ensuring
privilege was not waived), and held that this demonstrated that the report
was work product and should not be disclosed to the other side.

The decision discusses another important point – whether the plaintiffs
were entitled to disclosure of the report because they would not be able to
re-create the investigation of the servers as it was performed on “live”
operating networks, and therefore would suffer a substantial hardship. In
this case, however, the report was prepared using server images, rather
than the live systems. Consequently, the court held that there was no
substantial hardship calling for the report to be disclosed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170727/b40d651b/attachment.html>