Data Breach Response: Role of the Legal Team

06Jul2021

Lawyers play a critical role in the response to a data breach. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains the role of the legal team, why engaging external counsel is often essential, and the importance of preserving legal professional privilege in the conduct of a data breach response.

Role of the internal legal team

The basic role of the internal legal team is to advise and act on all legal issues and matters arising from the data breach.

The legal team will be directly involved in securing information to make an assessment of the legal position. They will seek to identify and secure information in respect of:

  • the type of data involved;
     
  • the location of the data;
     
  • the volume of the data;
     
  • the sensitivity of the data; and
     
  • other critical information in respect of the scale and extent of the data breach.

Once the facts have been established, then the legal team will consider and provide advice in respect of legal obligations and the management of legal risks. This will involve a regulatory analysis. It may be necessary to give notification of the data breach to regulatory or supervisory bodies, or to the data subjects. This will also involve a review of contractual obligations. Frequently, the commercial contracts of the business will contain notification obligations or other potential liability in respect of a data breach or a serious security incident.

Initially, the legal team will be primarily concerned with establishing the baseline for compliance with legal obligations. Once that has been assessed, the legal team will also consider strategic advice in which a range of possible actions are considered in the context of the legal consequences that might arise if that course of action is pursued.

The legal team will make sure that there are clear directions and steps taken to secure and preserve evidence gathered in the course of an investigation of a data breach. This will include establishing a chain of evidence and custody in respect of any internal enquiry into the cause and consequence of the data breach. This is essential, as the quality of evidence may become a substantive issue in any regulatory or legal proceedings arising from the data breach.

The legal team will also engage external legal counsel at the outset. This is important to ensure that legal professional privilege is maintained in respect of material documents and communications in the course of the investigation of the data breach.

Role of external counsel

The internal legal team and external counsel play complementary but contrasting roles in the data breach response.

The internal legal team knows the DNA of the organisation. The internal legal team will know how to get things done, and will have the internal executive mandate to direct particular actions. The internal legal team is the driving force for legal issues that need to be addressed within the company.

External counsel, on the other hand, are like the conductors of an orchestra. The role of external counsel is to make sure all incident response team members are aligned and working in harmony on matter of legal importance.

The selection of external legal counsel will be a key factor to the effective management of the data breach response. The key factors are:

  • Rapport: You will wish to engage legal counsel that is familiar with your business and industry. This may not necessarily be your “business as usual” counsel, as a data breach is not a “business as usual” event. However, it will be legal counsel whom you are familiar with, know can handle data breach matters and with whom you can work effectively.
     
  • Experience: You will wish to engage legal counsel who has direct relevant experience in handling data breach matters. This should be a core part of the credentials that are provided. A data breach is a crisis event, and not an occasion for learning on the job. Also, prior experience in dealing with regulators will be relevant.
     
  • Capability: You will wish to engage legal counsel that knows how to navigate and manage the international aspects of a data breach. Notifications and remedial measures may be needed in a number of jurisdictions. You will want legal counsel that has relationships with lawyers in multiple locations – whether through its network of contacts at other law firms or other offices of the same law firm – to respond rapidly to those international dimensions.

Legal professional privilege

There are two forms of legal professional privilege.

Legal advice privilege applies to all communications between a solicitor or a lawyer and his client for which the giving of legal advice is the dominant purpose of the communication in question. In appropriate circumstances, privilege can apply to a chain of communication even if legal advice was not necessarily given in each communication in that chain.

Litigation privilege applies to advice or support that is given in contemplation of or for the dominant purpose of defending or bringing legal proceedings.

Legal professional privilege preserves the confidentiality of communications and documents that are obtained in the course, or created in the course, of an investigation into a data breach incident. This allows a complete assessment, and candid advice to be given. This candour is essential for a business so that it can receive clear advice on necessary action, and strategic advice on possible options. None of this would be possible if the confidentiality of those communications was in doubt.

Rapid legal response

The selection of external legal counsel should occur before a data breach occurs. It is part of incident response planning. The pre-engagement formalities should be cleared before an incident occurs. In modern legal work, it can take days (or longer if complications arise) for client onboarding to be completed. There are conflict checks, anti-money laundering checks, and administrative formalities to be attended to. This should be done in advance.

The external legal counsel that has been engaged in principle, should conduct a similar exercise in which the law firm has engaged other external professionals in principle and arranged for its onboarding processes to be completed. This is critical in respect of the engagement of technical experts, but also necessary for other professionals such as public relations advisers.

This allows a rapid response when a data breach occurs. The external response team should be primed for the engagement. The external legal counsel should be able to confirm its ability to act swiftly, and directly engage the technical experts almost simultaneously. This will allow for immediate sharing of information and preliminary advice to be given in closed communications governed by external legal counsel, all protected by legal professional privilege. An added benefit is that prior planning of this nature will provide an opportunity to benefit from training, including simulating a data breach and the team’s response.

Closing comments

The role of the legal team is critical in an effective data breach response. The internal legal team will drive many of the actions needed to gather, secure and analyse the data breach, and giving ongoing legal advice to issues as they arise. Experienced external legal counsel will quarterback the overall legal work involved, and co-ordinate, manage and advise other external parties involved in the incident response team. The engagement of external legal counsel before an incident occurs allows the external legal counsel to respond quickly, and mobilise the rest of the external team, under the protection of legal professional privilege. This is the secret sauce of managing legal risks in the data breach response.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner | E-mail

Nigel Stamp
Foreign Legal Consultant | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.