Privacy law compliance and data breach response involve tasks of great complexity and scale that can quickly overwhelm an organization’s privacy team. Technologies have emerged to automate these tasks, but there are many decisions to make about which tasks to automate and which solutions to use.
I recently had a chance to chat with Andy Lunsford is CEO and Founder of BreachRx, a technology company that automates privacy incident and breach response. Prior to founding BreachRx, Andy spent 15 years working in privacy law and large-scale commercial litigation. Andy has a BA from Washington and Lee University, a JD from the University of Arkansas, and an MBA from the Wharton School of the University of Pennsylvania.
SOLOVE: Why should companies be thinking about protecting privilege before, during, and after a privacy incident or breach?
LUNSFORD: It is well-accepted at this point that all organizations will face privacy incidents and data breaches. From something as minor as a misdirected email or a lost laptop to a full breach of personal information, no organization is immune. Unfortunately, many of these events have the potential to lead to litigation and in a major breach it is virtually guaranteed that there will be litigation and regulatory investigations.
I have spent 15 years in privacy law and commercial litigation, and invariably smoking guns in data breach cases result from not being prepared, which includes thinking about how to protect privilege before, during, and after an incident. However, there are a number of proactive steps that companies can take to proactively prepare for these events, and by doing so reduce liability, shorten litigation, and keep privacy and security professionals off the witness stand.
SOLOVE: You’ve been working with the Sedona Conference on updating its commentary on the application of privilege in the cybersecurity context. What is the Sedona Conference and why is it updating the existing commentary?
The Sedona Conference is a non-partisan, non-profit research institute that is focused on moving the law forward through consensus commentaries on important issues of law. It prides itself on taking into account views from a diverse audience of plaintiffs’ attorneys, defendants attorneys, regulators, judges, and industry experts. These commentaries are often utilized for best practice approaches and cited by Courts. I am part of what’s called “Working Group 11” (WG11) that works on issues around the developing law in Privacy and Data Security. In 2020, Sedona published a commentary on applying attorney client privilege and attorney work product in the cybersecurity context. Since that time there have been a series of court opinions that have disrupted the traditional view that forensics investigation reports would generally be protected by privilege so long as the forensic firm was hired by outside counsel. WG11 decided that there had been enough substantive change in law that it was worth updating the commentary.
SOLOVE: Based on recent case law, many law firms recommend “dual-tracking forensic investigations.” Why are firms recommending this path? Do you agree with it?
Many law firms believe the way to address this issue is to hire two forensic firms, one to do a “business” investigation and another to do a “legal” investigation. While arguably this frees up counsel to have a more open dialogue with the “legal” forensic investigator–except in the limited circumstance when a PFI is required for a payment card breach–every general counsel, privacy officer, privacy counsel, and privacy professional I know is universally against dual-tracking. This begs the question: is this really a good policy result?
I don’t agree with this recommendation for two key reasons. First, I don’t think this is the result judges were looking to achieve by rejecting the privilege assertions in these cases. The case law points to a number of “form” mistakes—i.e. having a pre-existing contractual relationship or the specific language in the statement of work. However, if you read between the lines, ultimately the judges believe the plaintiffs are entitled and have a substantial need to know the facts of a data breach and the forensic reports are often seen as the easiest place to find those facts. Second, from a practical and logistical perspective, two forensic firms stomping around independently in an environment can cause all kinds of technical issues as well as potentially disturb or disrupt evidence gathering that is vitally important to building a case against the adversary and a full recovery.
SOLOVE: Given every company faces privacy incidents and data breaches, how can they build their incident response programs such that they maximize their ability to protect sensitive communications when it comes to litigation and investigations? How can technology help?
Companies need to be intentional with the approach to privilege, rather than assuming they can just “figure it out” in the heat of the moment or assume outside counsel will take care of it. We’ve seen time and again that flying by the seat of your pants not only can result in sensitive decision-making being unprotected and in a worst case some of the actions employees take during an incident can waive privilege on a large number of sensitive communications that could have otherwise been protected. Being intentional means setting up a plan and system beforehand that clearly separates factual information that will need to be disclosed from the advice and strategic discussion being led and overseen by counsel.
Fortunately, technology can be leveraged to reinforce your intentional choices, so there is less of a fight when it comes to litigation. Companies should use purpose built legal tools and processes that are designed to facilitate meeting regulatory and contractual obligations. As much as possible, the technology and processes should separate the factual evidence from the strategic and sensitive commentary. Companies should avoid tools built for other purposes like GRC systems used broadly for their operations, ticketing tools utilized for other business purposes, and collaboration tools used for broad use cases across the business.
While it is tempting to leverage these common tools, companies run the risk of the lines blurring between what was a “business use” of the tool versus “legal use” in anticipation of litigation. There are a number of features of a product that can help tilt the balance toward a judge seeing the work done within it as privileged rather than unprotected business processes. Here are some key questions worth considering:
- Does the product capture all of the organization’s obligations, including regulations, contracts, policies, and controls? Are those obligations regularly updated as the obligations evolve?
- Does the product provide escalation capabilities and tier access based on a need-to-know basis?
- Does it provide counsel the ability to oversee collaboration in real time and direct work done within it?
- Does the product facilitate counsel’s generation of legally required notifications to regulators, customers, credit reporting agencies, law enforcement, etc.?
- Does the product allow the flexibility for counsel to tailor playbooks and workflows to an organization and its legal obligations?
- How does the product separate legal and confidential communications from the facts of the incident?
In case it might be helpful to your readers, my company surveyed privacy experts from high-growth to Fortune 500 finance, technology, health care, and other regulated companies about how they buy the technology that they need in today’s evolving privacy landscape. They can see the results in this buyer’s guide we put together.
SOLOVE: Like everything else in privacy and cybersecurity, this is a fast-moving, rapidly-evolving space. Where do you see the law moving on this issue?
LUNSFORD: In my view proactive preparation has moved from a good idea to an expectation. Everyone expects privacy incidents and data breaches to happen to every company, big and small, no matter the industry. Regulatory demands and customer expectations have never been more intense and seeing all the new regulations coming down every year, this will only become more critical. Companies need to ask themselves, “What ‘story’ will they be able to tell?” The ‘story’ could be they prepared for these events ahead of time, put technology in place to help manage this complicated process, trained teams to know exactly what to do, and executed on those plans. Alternatively, the ‘story’ could be they never expected this to happen, scrambled to do the best they could at the time, in the eleventh hour called in outside counsel and consultants to “figure it out,” and eventually disclosed what happened. It is pretty easy to see that the former will give the company the best shot at minimizing regulatory fines, keeping a strong brand, and minimizing customer churn.
SOLOVE: Thanks, Andy, for your thoughtful answers. Andy’s BreachRx incident management platform involves a library of regulatory best practices, actionable, automatically tailored incident response plans, and streamlined incident and breach response processes that reinforce legal privilege. This is definitely a solution to check out!
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals.