Companies often hire professionals to help achieve compliance with various data protection laws in the US and around the world. Surprisingly, the professionals hired to assist with legal compliance are not always lawyers. Thus, leading to situations where companies are left without basic protections recognized exclusively in attorney-client relationships.
In April 2019, The Sedona Conference Working Group Series published an article * for comment about the importance of attorney-client privilege and work-product protection in cybersecurity and data protection planning. Without attorney-client privilege, communications prior to a cyber incident could be used to judge a company, in hindsight, after an incident occurs.
Attorney-client privilege does not apply in all situations. It is also possible to waive the privilege if not careful. However, most companies find it is important to protect information used to develop a data privacy program.
If applied correctly, attorney-client privilege might protect information gathered during technical inventories, data mapping, vulnerability scans, penetration testing, security risk assessments, outside audits, remediation efforts, drafting policies/procedures, internal monitoring reports, reports on cyber incidents that don’t rise to the level of a breach, table-top exercises, and reports on lessons-learned.
*The title of The Sedona Conference Working Group Series’s article referenced above is “Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context”.