Companies act quickly when there is a cyber incident. The company isolates systems, contacts vendors, and demands answers from executives. In that haste, companies very frequently overlook or waive the attorney-client privilege.
Attorney-client privilege does not automatically apply. To apply, it must be established as such and continually maintained throughout the process of protecting the privilege from the moment a cyber incident is believed to have occurred.
Courts do not retroactively grant the attorney-client privilege simply because lawyers are brought into a case at a later date. The courts will review the events immediately following the discovery of the cyber incident, including who directed the initial investigation, why it was initiated, and who communicated with whom regarding it.
If employees (IT, Compliance, Operations) initiate an investigation and then bring legal in afterwards, the privilege may have been weakened. Any internal email correspondence, chat messages, and draft reports created before legal involvement may be subject to discovery.
For in-house counsel, the top priority is to have complete authority over all investigative activities immediately upon identification of a potential cyber incident.
Legal must conduct the investigation.
Steven Okoye states that in-house counsel must provide a formal written instruction as soon as a cyber incident is identified. The instruction must indicate that the investigation is being conducted at the request and supervision of counsel for the purpose of obtaining legal advice to assist the organization.
This instruction is essential for clarifying the investigation’s intent, defining team roles, and establishing a defensible document trail for future attorney-client privilege disputes.
Counsel’s instructions should direct the investigation teams to forward findings to legal counsel, avoid speculative language, and preserve all relevant evidence according to applicable law and regulations. They should also prohibit any summaries of conclusions reached.
Outside counsel should hire forensic vendors.
A fundamental decision for breach counsel is whether to hire forensic vendors. Steven Okoye strongly advocates that outside breach counsel retain the services of forensic vendors rather than the IT or procurement departments of the organization.
Forensic vendors hired by counsel are more likely to tie their investigative efforts to the provision of legal advice. Forensic vendor reports generated pursuant to the direction of counsel are typically addressed to counsel, drafted as part of attorney work-product and distributed only by counsel.
Forensic vendors hired by the business are more likely to produce reports that are merely business records and, therefore, less likely to receive protections afforded by the attorney-client privilege in the event of litigation or regulatory reviews.
Separate legal analysis from operational response.
Organizations experiencing a cyber incident must perform two separate functions simultaneously. First, the organization must take action to address the problems arising from the cyber incident. Second, the organization must evaluate the legal implications associated with the cyber incident.
According to Steven Okoye, while both functions must occur concurrently, they must remain independent and separate. Operational teams must have access to accurate information to restore systems, notify customers, and stabilize operations. Legal teams must be able to develop an unbiased assessment of the legal implications of the cyber incident, including notification requirements, contractual exposure, and regulatory risk.
Although these functions are distinct, merging them can compromise the integrity of the attorney-client privilege. All legal analyses should be shared on a “need-to-know” basis and clearly labeled. All operational communications should focus on describing the actions taken, not on drawing legal conclusions.
Communications via written documents require discipline.
Emails and other internal communications often pose the greatest threat to the preservation of attorney-client privilege. Steven Okoye provides guidance to in-house counsel on establishing protocols early in the incident response process for how teams communicate. All communications should steer clear of speculative language and emotional statements. Labeling or referring to specific individuals or groups should also be avoided. The use of language carries significant weight, particularly when reviewed by opposing counsel months after the original communication.
Counsel should assist the organization in developing and distributing internal communications that are factual, limited, and consistent with evolving information. By centralizing communications distribution through legal counsel, the organization can minimize the risks associated with inconsistent messaging.
All disclosures must be intentional.
Despite statutory, regulatory, or contractual requirements for certain disclosures, the act of making them can still waive the attorney-client privilege. Steven Okoye cautions We should carefully scrutinize communications with regulatory agencies, insurance carriers, and third-party entities.
It is unlikely that full forensic reports will be required. Typically, a summary of the report will be sufficient. In some instances, providing an oral briefing may be safer than providing a written submission.
Each disclosure should be made intentionally, documented, and limited to the minimum amount of information reasonably necessary to comply with the legal requirement.
Preparation enables privilege to be defensible.
Steven Okoye is adamant that the most effective way to defend against privilege challenges is to prepare for the possibility of a cyber incident long before it occurs. Organizations that have prepared will make more informed decisions under pressure.
Preparation includes having a breach response plan that designates counsel as the lead; having pre-selected outside counsel; having pre-vetted forensic firms retained through counsel’s office; and conducting tabletop exercises to test the legal structure of the response plan and not merely the technical aspects of responding to a cyber incident.
Speed is essential when responding to a cyber incident. However, structure is equally essential. According to Steven Okoye, in-house counsel who exercise leadership early in the process, supervise the investigation and managing communications will provide their organizations with the greatest level of legal protection when the inevitable scrutiny occurs.