Cyber-attacks have become a matter of everyday reality for all businesses; regardless of industry or size, it is no longer a question of whether a data breach will happen, but when. And waiting for a breach to occur before designing and implementing a cyber-incident response plan is generally a recipe for disaster. Often overlooked, however, is the need to include a carefully crafted crisis communication or public relations strategy and to do so in a way that extends the attorney-client privilege to the crisis communication firm.
Today, data breaches are headline news events that require a swift and nimble response, often in the public eye. In light of the potentially severe reputational damage that can arise from a data breach, a thoughtful crisis communications strategy is an essential component of an incident response plan. As the steady drumbeat of recent high-profile data breaches has taught us, the chaos and flurry of activity that surrounds a major hack isn’t a traditional “crisis” event. Data breaches generally are not detected until long after the fact, and hackers may have gained access to sensitive records and personally identifiable information weeks or even months before the breach is detected.
Complicating matters further, a host of communications may need to be made quickly, including potential notifications to regulators and law enforcement, correspondence with customers and media, and statements to the general public. Managing the flow and timing of public statements and information will be critical, especially if the victimized company is public and subject to U.S. Securities and Exchange Commission disclosure requirements. Hastily informing (or, worse yet, misinforming) customers and the public or having to retract statements can only serve to inflame an already tense situation. Failure to develop appropriate messaging and handle these communications promptly may also bring a loss of trust, damage to brand, and reputational harm far beyond direct monetary damages.
When a data breach hits, a crisis communication team prepped and at the ready can, among other things, help a company field incoming press inquiries, establish a hotline for customer questions, manage a dedicated microsite as a clearing house for affected persons, prepare FAQs, and distribute up-to-date news and information about the breach.
But simply working with an outside firm and designing a crisis communication strategy is not enough. Strong consideration must be given to the manner in which these non-lawyers are engaged and what and how information is provided to them. In engaging and working with a public relations firm in the wake of a breach, attorneys must be mindful that their relationship does not compromise the attorney-client privilege or work product doctrine. Under United States v. Kovel, 296 F.2d 918 (2d Cir. 1961), non-legal professionals may receive attorney-client privileged materials within the scope of the attorney-client privilege, and communications with counsel may be protected where those professionals are retained by counsel to provide advice and expertise that assists counsel in providing legal advice and/or services to his or her client. However, this safe harbor is tightly construed, and may not be recognized by certain courts when it comes to a public relations firm. In retaining and working with a public relations firm, attorneys must exercise caution and ensure that communications are made solely for the purpose of providing legal advice. Even so, a court may not ultimately extend the attorney-client privilege to such communications, and care should be taken in sharing information throughout the crisis communications planning and response process.
Indeed, the law is highly fact-specific, with cases going either way depending on the precise role of the PR firm. For example, courts have upheld the extension of the attorney-client privilege to an outside PR firm when the impact of media coverage might influence whether criminal charges are brought and would therefore influence counsel’s strategy, such as in In re Grand Jury Subpoenas, 219 F.3d 175 (2d Cir. 2000). In other instances, the outcome went the other way, for example, McNamee v. Clemens, 2014 WL 6572899 (E.D.N.Y. 2013).
While there are no guarantees that a court will uphold a claim of privilege, here are some steps that a company can take to improve its odds of maintaining a privilege assertion over communications with a PR firm:
Discover more ethical and data security insights from Patterson Belknap Webb & Tyler LLP on the Data Security Law Blog.