Information Risk — Time for “Data Breach Privilege”?

Back with more to blog about. Today it’s an interesting article from Karen Rubin and Tom Zych at Thompson Hine: “Do we need a new ‘data-breach privilege’? Thoughts on the Sedona Conference proposal

  • “The outlines of the attorney-client privilege and work-product doctrine are well-established. But how should they apply when an organizational client suffers a cybersecurity event or other intrusion that results in a data breach? Should information about the company’s security policies pre-breach and its post-breach response be given any enhanced protection? Under what circumstances?”
  • “The questions are burning ones, given recent data-security catastrophes that have exposed financial, health and other data of millions of people. After each event, claimants quickly line up to file suit, and discovery demands for information inevitably follow.”
  • “The Sedona Conference, a non-profit, non-partisan institute whose working groups have been influential in e-discovery and other cutting-edge issues, recently published draft commentary recommending adoption of a qualified stand-alone protection for information prepared in a cybersecurity context, even when not involving communication with an organization’s lawyer.”
  • “Based on evaluating and balancing the competing interests, the Working Group proposed what it calls a ‘stand-alone cybersecurity privilege modeled on the work-product doctrine’ that would extend to all documents and tangible things reflecting “mental impressions, conclusions, opinions, assessments, evaluations or theories’ regarding a cyberattack, as well as ‘actual or potential actions in anticipation or response to a cyberattack.'”
  • “Caution can be called for here, because creating a new privilege might come back and bite in unintended ways.”

Read on for their analysis and thoughts.

If you liked this post, please share it: