Does the Attorney-Client Privilege Shield Data Breach Investigations?

Whenever a privacy breach occurs at a company, time is of the essence. The breach could involve the theft of sensitive financial data, credit card information, health data, Social Security information or other personal identifying information relating to customers and/or employees of the company.

Keep the attorney-client privilege in mind when engaging investigatory service providers that will create documentation such as “incident” reports or “computer forensics” reports. Hiring outside counsel can help ensure that the investigation of the breach is protected by the attorney-client privilege, but it is also important to know the limits of this protection.

The attorney-client privilege protects communications concerning the breach investigation; the privilege does not protect the fact that the breach occurred. Furthermore, the attorney-client privilege cannot be used as a shield to avoid any applicable notification requirements under state and federal law. Utilize your company’s outside counsel as a part of your data breach team to analyze the type of data breach at issue. If notification is required, it should be sent to all affected parties and should be issued in a clear, succinct, and precise manner.

Finally, if you hire a forensics examiner, have outside counsel engage the forensics team so that such investigation can also be protected by the attorney-client privilege. Bear in mind that the forensics team should ideally include your top information technology team members, your in-house counsel, if any, your outside counsel and any key members of your public relations team. Being prepared before a data breach will minimize the level of business disruption and your potential damages.