Vendor Interactions with Clients: Respecting Attorney-Client Privilege

​

It’s Not Just an Honor… It’s a Privilege

Vendors in the data privacy and security landscape are often approached directly by organizations to engage in service implementations both pre- and post-data breach. In today’s cyber litigation landscape, vendors would be well-advised to consider that responding directly to an organization’s pre- or post-incident service request, without first raising the issue of whether privacy counsel is aware and/or involved, may be opening up an unnecessary set of problems for the organization down the road.

The staggering volume of emerging cyber events and the means by which more traditional data privacy and security incidents are presenting themselves today make it more important than ever that trusted privacy counsel be part of an organization’s “pre” incident planning as well as “post” incident response efforts. First, it is becoming more and more frequent that litigation discovery requests after a data privacy or security incident or breach seek to learn as much information as possible about an organization’s (1) pre-incident preparedness, as well as (2) any risk mitigation or remediation steps taken before and after an incident or data breach – which could be potentially recharacterized through the lens of a plaintiff’s attorney. Apart from the clarity, efficiency and appropriateness of whatever pre-incident risk management and risk mitigation efforts are undertaken, privacy counsel can help ensure that an organization’s best efforts do not become unintended “missteps” after the fact by seeking to secure attorney-client privilege around such activities and discussions. This prevents an organization’s well-meaning efforts from potentially being discoverable in litigation and/or government inquiry down the road, and likely taken out of context or otherwise used against the organization.

Download Resource Incident Response Solutions for Privacy Attorneys

While no one wants to think about possibly being sued after a data privacy or security incident or evaluated in a rear-view mirror as to their pre- or post-incident response efforts, the reality today is that lawsuits and government audits/enforcement are becoming more or less a given in the wake of what is now accepted as “the inevitability” of data security and privacy incidents and breaches. At ID Experts, we understand that privacy counsel may be able to protect an organization (and its cyber insurance policy limits) by evaluating (sometimes in conjunction with the cyber insurance broker) pre-breach risk mitigation efforts that will best serve the organization’s risk profile and needs in addition to often coordinating and managing insurance carrier and breach response vendor relationships that impact the organization.

However, the privacy attorney can’t add value in this regard if they’re not timely made aware of these efforts. We not only value the privacy attorney’s role and expertise in the fast-evolving cyber landscape today, we appreciate their frequent calls to assist in protecting many client organizations with customized services and products before and after a data privacy or security incident occurs.