When data breach incidents occur, organisations will understandably be keen to identify the cause of incidents, close off any security vulnerabilities and put in place measures to limit any damage from a breach. However, sensitive internal communications and documents about the breach could be exposed to regulators or those pursuing civil damages claims if the material does not qualify for legal privilege.
In an environment where cyber attacks are increasingly prevalent and where the way businesses respond to incidents is as important as the actions they take to prevent them, businesses should seek the protection that can be gained through legal privilege.
Legal privilege and internal investigations
A document which is protected by legal privilege need not be shared with the regulators or enforcement agencies or a counterparty to litigation.
Privilege falls into two broad categories: legal advice privilege and litigation privilege.
Legal advice privilege is where confidential communications between organisations and their lawyers which relate to the provision of legal advice are protected and not subject to disclosure.
In a data breach context, companies that seek advice from their lawyer know that the advice they get will not be subject to scrutiny from data protection authorities, sector regulators or businesses or consumers that bring civil damages claims against them or criminal prosecutors.
Litigation privilege applies to communications and documents that have been prepared for the dominant purpose of defending legal proceedings.
Privilege can, however, be lost. If businesses sent documents on to third parties who are not linked to a data breach investigation, for example, this can cause privilege to be lost and the documents will then be vulnerable to disclosure.
Things businesses need to consider
When data breach incidents occur and businesses begin internal investigations they are unlikely to know precisely what conclusions they will reach. It is clear that documents created following a serious, adverse incident could have far reaching implications in any subsequent litigation or prosecution.
Businesses considering undertaking a 'privileged' investigation should seek legal advice as soon as possible after a breach.
In taking steps pre-incident to prepare for such a breach, businesses should have put in place an incident response plan and team. The team will comprise a network of experts from inside and outside an organisation, including legal, forensic and PR professionals, with each member bringing different skills to call upon in managing any data breach event.
Businesses should ensure that, in the aftermath of a breach, only this incident response team can access any documents created as part of an internal investigation. This might mean creating a closed worksite to prevent information being accessible to the wider workforce.
All communications concerning the data breach investigation should be marked 'privileged and confidential'.
In addition, companies should give clear instructions to the incident response team that they must not circulate legal advice given to the business to a wide group of people. Businesses should also issue clear instructions to the team on who will be responsible for generating documents related to the investigation.
Changing data protection landscape
In the UK, the Data Protection Act requires that data controllers implement "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
Businesses do not currently face an obligation to report personal data breaches to the Information Commissioner's Office (ICO) under the Act, however ICO guidance recommends that business voluntarily notify it of serious breaches.
Some organisations do face data breach notification requirements in the UK. Public sector bodies, regulated financial services companies and telecoms operators are among those who are obliged to inform sector agencies about certain data breach incidents they experience.
A broader data breach notification regime is anticipated under new EU data protection laws that are currently being negotiated. The planned General Data Protection Regulation could see businesses having to disclose details of data protection breaches to data protection authorities within 72 hours of becoming aware of them.
The sanctions regime is also set to be overhauled, raising the potential for much stiffer penalties to be issued to businesses over data security failings.
The ICO can currently impose a fine of up to £500,000 for a serious breach of the Data Protection Act, but fines of as much as 2% of a company's global annual turnover, could be levied under the new regime, according to the proposals being scrutinised by EU law makers.
These are game-changing reforms that are on the agenda. Businesses should be taking steps now to ensure that their response protocols for a data protection breach are robust.
With the new regime suggesting that data controllers will have to report the breach within three days, and the maximum fine being eye-watering, the first responses in the hours and days which follow a data security breach could be fundamental not only in terms of maintaining customer and client confidence but also to the potential defence of any civil litigation or criminal prosecution.
Laura Gillespie is an expert in dispute resolution and data protection law at Pinsent Masons, the law firm behind Out-Law.com. A version of this article was first published by Privacy Laws & Business.