Here’s a sobering stat from an FBI and HHS’ Office for Civil Rights report: There are 4,000 ransomware attacks per day, and the frequency of these attacks will only increase. How’s that incident response plan and does it address attorney-client privilege?
Rosemary McKenna, Principal in the Albany, New York, office of Jackson Lewis P.C., recently reported on breach preparedness for The National Law Review. Studies show, said McKenna, that despite the cyber-attack coverage, companies are not as prepared as they should be to respond to data breaches.
McKenna playfully chides those companies with dusty, forgotten incident response plans and encourages updating and testing plans, training and retraining staff and bringing in legal counsel for their expertise.
Not only can legal counsel provide valuable input on a response plan, such as legal definitions, notification processes and third party contract provisions, but also “appropriately address legal counsel’s role, thereby protecting attorney-client/work product privileges.”
McKenna emphasizes that a breach response plan should clearly state legal counsel’s role in initiating and overseeing investigations. The publication points to a 2017 Supreme Court decision on the Experian breach as evidence of legal counsel’s value in plan preparation and execution.
When plaintiffs sought a report by the forensic consultant hired by Experian, which Experian used to develop a legal strategy in response to the breach, the found that report was work product and should not be disclosed.
“[T]he court noted when the forensic consulting firm was retained by legal counsel, as well as the way legal counsel directed the form and content of the report (so that only portions could be disseminated to Experian’s incident response team, ensuring privilege was not waived) …”
It can’t be emphasized enough: Not only is up-to-date data breach preparation a must for companies, but also that prep must include counsel’s expertise and role clarification.