Properly Managing Your Privilege Protections After a Cyber Breach


Cybercrime is one of the most significant threats to a company’s financial well-being today.

When a company faces a data breach, it needs to determine whether to share that information with law enforcement. The benefit of sharing is that the company may draw on law enforcement’s previous experience with similar incidents, which may help mitigate the situation. One of the traditional concerns about sharing data breach information has been the fear of inadvertently waiving Attorney-Client privilege, thus allowing the shared information to be discoverable in subsequent civil and regulatory investigations.

The Cybersecurity Information Sharing Act of 2015 (“CISA”) provides legal protections when companies share anonymized “cyber threat indicators” or “defensive measures” with the US government. This law has the potential to create powerful protections provided you take the proper steps to maintain privilege.

For instance, when hiring a cyber forensic investigation company after a data breach, it is important to retain that company through your outside law firm. Privilege protections can remain intact if your outside counsel provides overarching supervision of the vendor and its investigation so that findings and reports are created in anticipation of future litigation.

The burden of proof is on the party asserting the privilege, so it is critical to think through how CISA’s legal protections interact with your other strategies to protect privileged information.

It is also possible to separate a data breach investigation into two parts. An internal investigation which addresses business concerns created by the breach could be discoverable in future actions. Simultaneously, a third-party investigation, supervised by outside counsel, would be protected.

CISA has created potentially powerful non-waiver protections for participating companies. However, it is critical to bifurcate cyber investigation and remediation functions carefully. Work done in support of legal investigations must be under the direction of counsel.
