Tag Archives: breach coaching

Experts, privilege and security incident response

26 Sep

I’d encourage you to read David Fraser’s blog post from last weekend – The value of legal privilege: Your diligent privacy consultant may become your worst enemy.

David’s basic point is sound: structuring a security or privacy expert retainer to support a privilege claim can prevent your own expert’s advice from being used against you. Most often this is done by having legal counsel retain an expert in anticipation of litigation and for the dominant purpose of litigation, with instructions and conclusions going strictly between counsel and expert.

David explains a scenario in which an organization retained an expert to advise on some form of due diligence connected to a subsequent security incident. The expert was apparently quite candid in its written advice, outlining a security problem that amounted to what David compares to a “dumpster fire.” The organization responded partly but not wholly to the expert’s recommendations. That expert’s report will therefore become, as David says, the plaintiff’s Exhibit A.

Being faced with your own expert’s advice is very bad, hence the soundness of David’s point. My additional point: legal privilege is no solution to a bad client-counsel-expert relationship.

The views on what is a reasonable investigation or remediation in the data security context can vary widely between equally qualified experts. Too often, perhaps driven by conflicting interests, security experts recommend what’s possible rather than what is “due.” A breach coach can help address this problem, identifying trusted experts and working with them to reach a shared and acceptable understanding of the due diligence required in responding to a security incident. With such a relationship, departing from an expert’s recommendations (even though they are privileged) represents a real and meaningful risk. The facts – i.e., the things done based on an expert’s recommendations – are never privileged. If litigation ensues, those facts will be picked apart by other experts, and you want the good ones to view the facts the same way as you and your trusted advisor.

Experts that are prone to floating long lists of options need to be retained under privilege because they are dangerous, but even under privilege their advice is worth little. The prescription: do everything you can to build a great client-counsel-expert relationship. Use a breach coach. Keep a roster of trusted experts on retainer. Don’t use experts retained for due diligence advice to do the very remedial work they recommend.


Alberta CA demands greater scrutiny of privilege claim re internal investigation

8 Jul

On July 4th the Court of Appeal of Alberta held that a chambers judge erred by accepting a claim that all documents created or collected in the course of an internal investigation were privileged without conducting a record-by-record analysis.

Legal counsel for the company initiated the investigation after a workplace fatality and directed the investigation team to segregate the investigation documents and to endorse all material as privileged and confidential. Legal counsel later swore that the dominant purpose of the investigation was the contemplation of litigation, which the chambers judge said, “invariably and logically leads to the collateral finding that, within the context of Suncor’s internal investigation that was carried out in anticipation of litigation, the information and documents created and/or collected during the internal investigation with the dominant purpose that they would assist in the contemplated litigation, are integrally covered by litigation privilege.”

The Court of Appeal held that the chambers judge erred by not conducting an analysis about the reason for the creation of each record (or bundle of records). It explained that statements may have been taken, for example, under a standing workplace protocol or that surveillance video or business records may have been collected – and that neither kind of record would be the subject of a proper privilege claim.

Alberta v Suncor Inc, 2017 ABCA 221 (CanLII).