When Do You Call The Lawyer After a Breach
Nick Merker, partner at Indianapolis based law firm Ice Miller, spoke at Black Hat on the subject. Nick has been involved in over 500 cyber incidents and has learned a few things in the process.
When lawyers become involved in a cyber incident, the consider things like compliance (like HIPAA), insurance, liability, evidence preservation and lawsuits. It is rare that IT folks think like lawyers; especially when their house is on fire.
Courts are starting to think differently about attorney-client privilege and that requires some serious contemplation.
In particular, the underlying facts of a breach are probably not confidential.
If you want to protect privilege, you have to do it right.
One example he gave was a document used in a real case. A redacted version of the document was used in court, but an unredacted one was given to regulators. That probably won’t work.
A lawyer can help you. below is a story on how not to do it. Credit: ZDNet
The Rutter’s gas station/convenience store chain was ordered to turn over a data breach report to opposing attorneys. U.S. Magistrate Judge Karoline Mehalchick said the report, authored by Kroll Cyber Security, could not be shielded from discovery as customers who were affected by the breach are suing Rutters.
Mehalchick said that privilege does not apply to the specific report in question because there was no evidence that Rutter’s or its law firm ordered the third-party investigation with any reasonable or obvious expectation of a future lawsuit.
That is a really odd thought. Who would think that after a major breach you weren’t going to get sued?
The problem is that Rutter’s did not get legal advice or if they did, they need to sue the lawyer for malpractice.
Generally, using an attorney that already has a relationship with the company to run a breach investigation or using an in-house attorney is generally problematic since privilege only exists if there is an expectation of a lawsuit and if you are expecting to be sued, you are probably not going to use your general business lawyer or in-house counsel to run your defense.
Bottom line, there are number of ways to do this right and maximize your odds being able to invoke privilege successfully, but flying by the seat of your pants is not one of them. Credit: SC Media