While it is possible the company may later elect to waive privilege (depending upon specific facts and circumstances), it is always best for the company to have the option to waive privilege, rather than failing to establish privilege in the first instance.

Second, consider utilizing three-way contracts (a Master Services Agreement) between: (a) outside counsel, (b) the investigator, and (c) your company when engaging a cyber security expert to investigate and remediate a data breach. In a perfect world, companies would put these agreements in place in advance of any breach, so as to be prepared to move quickly in the event of an attack.

Ideally, the Master Services Agreement will explicitly state that:

• The cyber security expert is being hired by outside counsel for the benefit of the company “in order to aid the obtaining of legal advice.” (These terms would also ideally be used in the event a cybersecurity expert is being engaged to conduct penetration testing as part of the company’s data breach prevention plans prior to a data breach incident.)
• The expert’s work is being performed “in anticipation of litigation” (when the cyber security expert is being engaged as the result of a breach incident).
• The expert is working “at the direction of” outside counsel, and that outside counsel will have final say over all statements to outside parties, including customers, third-parties, regulators and the press.
• The contract should indicate that the internal point of contact at the company is the General Counsel (rather than the Chief Information Officer or the Data Privacy Officer).
• The scope of the work should be made as explicit as possible in the contract, through a detailed statement of work (“SOW”) that is incorporated into the contract by reference.  If needed, additional SOW’s can be added later and incorporated into the contract by reference.
• The contract should be signed by both the forensic expert and the outside attorney, in addition to the company.

The hiring of a cyber security expert through a traditional vendor purchase agreement driven and signed by the IT Department will likely not provide attorney-client privilege protections for communications related to the engagement. Nor will it provide the protections afforded by the attorney work product or testifying expert privileges.

Post-breach, things will be moving quickly as the target company is working to assess and contain the breach, fulfill its notification obligations, and return its attention to core business operations. Accurate and transparent information flow is essential at this time, and the last thing a GC wants to worry about is how business-critical, urgent communications might appear to an outside party in subsequent litigation.

By taking steps to attach privilege (and work-product protections) during the preparedness phase, long before any breach, and being mindful of preserving the privilege throughout the post-breach investigation phase, the GC can help maximize the protections provided by the attorney-client privilege and work product protection so that their company can be in a position to decide whether, and when, it will waive privilege in fulfilment of its strategic objectives and in the best interests of its shareholders.

Complete the form and receive our eBook: “Cyber risk in every business relation”