Hack Attack? Call Your Lawyer, Not Your IT Department
Switching things up, this post isn’t penned by Will Newman, but by Charles Nerko, a partner and leader of the data security team at Barclay Damon LLP in New York City and Albany. Charles advises businesses on responding to data breaches, defends cybersecurity litigation, and represents businesses in litigation against third parties who cause data breaches. Charles can be reached at cnerko@barclaydamon.com and 212.784.5807.
Imagine this less-than-ideal day at the office: your company has been hacked. The list of people suddenly unhappy with you could fill a theatre: customers, business partners, government agencies, and even your own employees. The first call to make in this high-stakes drama isn’t to your IT department, but to your outside cybersecurity counsel.
Why should you continue reading this post about why outside cybersecurity counsel is your best ally when responding to a data breach?
You’re excited to learn why when there’s a data breach, lawyers, not IT experts, spearhead the response.
You’re interested in responding to a data breach like a seasoned gardener, pruning legal liabilities before they grow wild like an untended hedge.
Your computer has been hacked and now this is the only page your browser can access.
The Attorney’s Crucial Role in a Data Breach Investigation
The notion that lawyers should direct data breach investigations may seem unconventional or even conjure up lawyer jokes. Yet, involving outside legal counsel in your data breach response is a strategic move to fortify your company’s defenses.
The aftermath of a data breach can resemble a Netflix thriller full of too many plot twists—chaotic and unpredictable. Appointing outside counsel as the director brings coherence and crucial legal safeguards to this convoluted plot.
If your company gets sued for a data breach, your emails and other communications typically must be provided to adversaries as part of discovery in litigation. By involving an attorney, you can help prevent communications about a data breach from escalating into public spectacles or fodder for a courtroom battle.
Take, for example, the New York State Department of Financial Services’ inaugural cybersecurity enforcement action. The case centered around a company fraught with employee disagreements over the seriousness of a data breach and how to respond to it, leading to their internal emails becoming “Exhibit A” in the state’s case.
Don’t let your company star in the sequel. With your breach response orchestrated by outside counsel, you can enjoy a cohesive strategy, safeguarded by the attorney-client privilege and shielded from prying eyes in discovery.
The Importance of Protecting the Attorney-Client Privilege
Why is attorney involvement so critical when responding to a data breach? An attorney can create an attorney-client privileged communication channel. Imagine it as an exclusive VIP lounge where you can speak frankly without fearing eavesdropping enemies.
Outside counsel establishes this protected space, where breach response communications are shielded from opponents in litigation. This protection becomes invaluable, particularly when data breaches can result in your business partners, government regulators, and even your own employees all vying to bring legal claims against your company.
For the VIP lounge door to stay firmly shut, and to keep that privilege intact, an attorney must be actively providing legal advice on the breach response. You can’t merely slap on an “Attorney-Client Privileged” label, or even merely cc an attorney on an email, and call it a day. Instead, you must use your attorney as your data breach response team’s quarterback, advising on strategies to minimize your company’s legal liabilities.
Your Attorney Is Your Incident Response Plan
Every organization should have a formal data incident response plan, but most can be simplified to one overarching element: call your cybersecurity counsel immediately.
This puts your best player on the field in the first minute of the game. In doing so, you can establish an attorney-client privileged communication channel at the outset. Your outside counsel will serve as your advisor and concierge, coordinating the incident response.
Even if your business operates in one location, a data breach could impact individuals who live elsewhere. Those jurisdictions can come with their own rules for a breach response. Skilled cybersecurity counsel can guide you through this intricate legal labyrinth, helping you identify all the laws that apply and how to follow them.
Attorney Involvement Can Extend the Attorney-Client Privilege to the Cyber Forensic Investigation
Seasoned breach response counsel don’t just bring a legal pad and a fountain pen—they bring in outside cyber forensics firms, complete with digital magnifying glasses, to crack the case.
When a company hires a cyber forensic investigator directly, the company’s communications with the investigator are not privileged. But that can change when the company’s attorney does the hiring and “quarterbacks” the communications. This enables everyone to play their position while affording the maximum confidentiality protections available for communications among the team. This helps prevent the forensic investigator’s work—including unflattering information they may unearth about your company’s security posture—from being seen by your future litigation adversaries.
In sum, from directing the response to creating an attorney-client privileged communication channel, outside counsel’s involvement in a data breach is critical. In a world where data breaches could unravel your company’s reputation and finances, securing adept legal help is like a gripping finale—resolving all loose ends and leaving no room for unwanted sequels.