Disclosure risk is a further issue businesses must take into account if considering reporting a cyber crime to criminal authorities.
Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series.
We previously looked at which people are typically behind cybersecurity breaches and the methods they use, what the common vulnerabilities are and what good IT security looks like, and how the legal landscape and regulatory fines are changing. We have also assessed the rising threat of ransomware. Here we look at how businesses may be able to seek protection afforded by legal professional privilege, and what they need to consider when working with criminal authorities.
What is legal professional privilege?
Legal professional privilege is a form of protection against disclosure. Where it applies, certain documents and information provided to lawyers cannot be disclosed to third parties such as the courts, tribunals, regulatory bodies and enforcement agencies.
Importantly, legal professional privilege is an absolute right and, once it has been established, can only be overridden in very limited circumstances such as fraud.
How does it apply to a data breach?
There are two main contexts to consider. The first concerns regulatory investigations such as an investigation by the UK's Information Commissioner’s Office (ICO) or the Financial Conduct Authority (FCA). The second, often related, concerns litigation such as third party customer or employee claims.
In both contexts, a key focus is IT forensics investigations and any written reports produced. Regulators routinely ask for details of any third parties engaged to investigate the breach and copies of written reports produced by those third parties.
A common pitfall is for a commercial or IT security team to instruct external IT forensics team without any legal involvement. This gives rise to two main issues:
- First, it can be very difficult to assert that legal professional privilege applies.
- Second, the scope and basis of any written reports is likely to wider and potentially more damaging. For example, it is not unusual for IT forensics teams, in seeking to be diligent and comprehensive, to document known vulnerabilities and decisions not to invest in IT security in written reports produced as part of the breach response.
What do businesses need to do to gain protection?
The safest option is to involve internal and/or external legal advisers from the outset of a data breach.
IT forensics teams should be engaged through external legal advisers, who will carefully draft letters of engagement to refer to and take into account any contemplated litigation and/or regulatory proceedings.
The arrangement should be structured so that the IT forensics experts report to the external law firm. This helps when, inevitably, regulators request copies of reports, in terms of asserting that they are privileged in nature and therefore not disclosable.
On a practical level, IT forensics teams can be asked to prepare a factual report for regulators, if required.
Involving criminal authorities
There are a number of bodies tasked with dealing with cyber matters in the UK. The launch of the National Cyber Security Centre, which became operational in October last year but which was only recently officially opened by the Queen, has simplified matters a little.
The NCSC is the public-facing part of GCHQ and brings together the Centre for the Protection of National Infrastructure, the UK national computer emergency response team (CERT-UK), the Communications-Electronics Security Group (CESG) and the Centre for Cyber Assessment (CCA).
Late last year, Andrew Tyrie, on behalf of the Treasury Select Committee in the UK parliament, said the current "lines of responsibility and accountability for reducing cyber threats … appear to be somewhat opaque". Tyrie was referring specifically to cybersecurity oversight in the financial services sector.
At the time, Tyrie said "a single point of responsibility for cyber risk in the financial services sector, with full ownership of – and accountability for financial cyber threats" should be considered. He reiterated those calls in light of a cyber attack on Lloyds bank in January this year.
At present the National Cyber Crime Unit, part of the National Crime Agenc, leads the UK’s response to cyber crime and coordinates the national response to the most serious of cyber crime threats. It works closely with the Regional Organised Crime Units and the MPCCU (Metropolitan Police Cyber Crime Unit).
However, businesses wishing to report a cyber crime should first turn to Action Fraud. Action Fraud is part of the City of London Police and is the UK’s national reporting centre for fraud and cyber crime.
Reporting requires consideration
We have been very impressed with the lengths the Cyber Crime Units we have worked with have gone, and are going, to investigate cyber crimes reported to them. This includes pursuing international leads in relation to a ransomware attack using bitcoin payments.
On the other hand, criminal investigations in pursuit of possible prosecutions can open up an organisation to disruption and, potentially, a disclosure risk since criminal proceedings are necessarily public matters. Relationships with investigatory authorities need to be considered carefully from the outset. An organisation should be aware that once the matter is reported to criminal investigators they may not have much (if any) control over the process that follows.
This is also where legal professional privilege can help victims of cyber attacks address the disclosure risks.
Ian Birdsey and Kristina Holt are cyber risk experts at Pinsent Masons, the law firm behind Out-Law.com.