In-House Counsel: Best Legal Practices in Data Breaches

It’s clear that data breaches disrupt and cause losses. If your organization has not yet experienced a sizeable data breach, get ready. Read about Best Legal Practices in Data Breaches in this blog.

BLUF - Bottom Line Up Front

Organizations face a 28% chance of a data breach within two years, highlighting the need for strong data security. Key strategies include coordinating with various departments to mitigate risks, ensuring staff is trained against threats, and maintaining compliance across the organization and with third parties. Protect communication and documents under attorney-client privilege. Engage with law enforcement, data owners, regulators, and the public. Regular assessments and collaboration are crucial in preventing breaches.

According to the Ponemon Institute’s 2018 Cost of a Data Breach Study: Global Overview, the probability of your organization experiencing a significant data breach within the next two years stands at nearly 28%. What’s noteworthy is that this risk has risen compared to the previous year, underscoring the growing importance of robust data security measures in today’s digital landscape.

Counsel & Compliance Officers’ Best Strategy for Data Breaches

Counsel’s best strategy is to insist on a strong organizational plan to quickly and effectively respond to data breaches and, ultimately, prevent them in the future. The consensus of counsel and compliance officers is to employ best practices at all times, which means that counsel must:

  1. Coordinate with a variety of departments and divisions in the organization to identify and mitigate exposure. Counsel should routinely interact with human resources to ensure that new and current employees are trained in identifying and responding appropriately to phishing or social engineering attempts and SQL injections. Managers are expected to emphasize the importance of compliance to employees.
  2. Work with cyber professionals to identify and assess risks and measure compliance with the plan all the while ensuring that written data, assessments, and recommendations are produced as attorney work product.

 “This effort may seem unnecessary to those who aren’t attorneys. It’s absolutely necessary since all written or oral materials, such as data, assessments, recommendations, etc., prepared by or for an attorney in the course of legal representation are protected from discovery and disclosure in an adverse action. This protection should encourage organizations to conduct routine assessments to prevent future data breaches.”

  3. Protect confidential communications between lawyers and their staff and the client (the organization’s staff and management) under the attorney-client privilege. Everyone in the legal department should mark all sensitive information communicated as “privileged” to resist efforts to compel the company to disclose privileged information either through discovery or testimony in an adverse action.
  4. Require, in the contracts signed by the organization and third parties, that third parties such as contractors and consultants implement the organization’s compliance program, assess their exposures, and mitigate their risks.

Unfortunately, written words don’t suffice. Counsel must extend its compliance oversight to third parties’ operations through routine assessments. The results of assessments must also be protected through the privileged communication and work product efforts described above. It’s therefore critical that counsel work closely with the counsel who represent third parties. Remember, a third party’s breach is your breach. Data breaches getting bigger and . It is also a priority that counsel communicate with:

  1. law enforcement, whether it’s your local police department, the U.S. Federal Bureau of Investigation (FBI), Secret Service or the Postal Service;
  2. data owners, whether employees, customers, or vendors, to satisfy their need to understand and assess their exposure and to determine their course of action;
  3. regulators, where necessary, at the state and federal level; if the data breach involves protected health information, then report the breach to the U.S. Federal Trade Commission (FTC);
  4. the public, as appropriate.

The organization’s statements must comport with attorney-client privilege and attorney work product claims that may be made and, consequently, counsel must control the communications with all parties. This, no doubt, requires significant coordination with many others and ongoing evaluation of what may happen in the future.

How do you assess your company’s compliance program? Ignyte can help you assess your risk before you’re in rapid response mode. See Ignyte Assurance Platform™ to take your first step.
