A data breach is a destructive incident for a company both during and after the intrusion occurs. As the risk of legal and regulatory claims arising from data breaches grow, protecting and claiming privilege over these sensitive reports and findings will be critical in protecting the company’s interests. Messrs Ben DiMarco, John Gallagher and Matthew Pokarier of Clyde & Co analyse the right to privilege after a data breach in Australia.
In response to the increased legal and regulatory focus on data security, and the emerging legal obligations for companies that suffer cyber intrusions, organisations and their insurers are becoming increasingly focused on how they manage and react to data breaches.
A high level analysis of the right to privilege after a data breach in Australia is considered below. Due to the complexity of privilege laws, it is not possible to provide definitive advice in this article, as each case will turn on its own circumstances and the individual challenges faced. Where privilege is a significant concern, specific legal advice should be sought as soon as possible. Privilege issues must also be considered in the context of an organisation’s ethical and reporting obligations.
Summary of privilege considerations
In Australia, privilege is governed by a complex framework of common law and statutory provisions. To effectively assert privilege, a company should retain external counsel immediately after it becomes aware of a breach and prior to briefing any expert third party.
Following a data breach, organisations will confront a variety of internal and external risks given they face potential liabilities to affected individuals, third parties and regulators. The relevant test to establish privilege is that a document must have been created for the dominant purpose of obtaining legal advice, or for use in current or anticipated litigation (Dominant Purpose Test).
Where an organisation retains third parties (such as any forensic or technology expert) their work will only be privileged if the Dominant Purpose Test is satisfied and the work they perform can be tied to the organisation’s legal needs and risks.
Privilege and the Australian context
Under Australian common law, legal privilege has two distinct limbs: “advice privilege” and “litigation privilege”. These limbs are narrower than the scope of privilege available in other jurisdictions such as the US and so while US law may serve as guidance for the Australian Court, it is not binding precedent.
In addition to the common law, the right to claim privilege in Australia is also influenced by the Evidence Acts and the Court Procedure Rules adopted across the various jurisdictions.
Before advice privilege or litigation privilege can exist, a client must retain a solicitor to act for him. Once a solicitor is retained, a privilege strategy should be implemented quickly as privilege issues turn on the circumstances existing at the time each individual document was produced. If a document was created before solicitors were retained, then privilege is less likely to exist.
Advice privilege and litigation privilege
In Australia, advice privilege is confined to communications between a lawyer and a client, or a communication made by a third party adviser to a lawyer for the “dominant purpose” of the client obtaining legal advice. Advice privilege has been narrowly construed, and will not exist if a court considers a document would have been brought into existence for other commercial purposes, irrespective of the need for legal advice.
Litigation privilege protects documents brought into existence for the “dominant purpose” of anticipated use in legal proceedings. This is often found to have wider application than advice privilege.
The Dominant Purpose Test must be satisfied for both limbs and the test turns on the reasons why a document was created. This includes the intentions of the parties, the potential threat of litigation, the nature of any previous dealings between the parties, and whether a document was driven by internal or collateral motivators. Where a document is created for multiple purposes, the Dominant Purpose Test is more difficult to satisfy.
Two prominent US cases
There are currently no Australian authorities that consider privilege in the context of data breach investigations. Legal challenges have however been instituted by plaintiffs in two prominent US cases, namely Genesco Inc v Visa USA Inc (Genesco) and Re: Target Corporation Customer Data Security Breach Litigation (Target), a short summary of each is set out below.
In Genesco, the plaintiff demanded documents produced by an independent forensic investigation conducted following a data breach. The court refused production and found privilege existed in communications between solicitors and technology experts, where those experts had been retained to assist the solicitor’s investigations.
In Target, following a catastrophic breach, the company claimed privilege over investigation and expert documents that were used to assist and educate Target’s solicitors so they could provide legal advice and manage anticipated claims.
Privilege over these documents was challenged on the basis that Target would have investigated the breach regardless of any legal risks in order to appease customers, ensure continued sales, discover vulnerabilities, and prevent future breaches. The Distract Court of Minnesota mostly upheld Target’s privilege claim on the basis that expert investigations were necessary for Target’s lawyers to prepare to defend the company in litigation that was reasonably anticipated to
follow.
Legal risks and the purposes of data breach investigations
Whether documents created as part of an investigation after a data breach will be subject to privilege depends on the reasons for their creation.
What form an investigation will take, and what documentation and reports are necessary will ultimately depend on the specific risks to the business arising from the breach, and the purpose behind the investigation. This can create challenges in asserting privilege because during the investigation there will be competing priorities, demanding different reactions and responses as an organisation’s management of a breach must:
• assess the extent of damage to IT systems and its impact on the ongoing business;
• consider the potential for liability under the Privacy Act 1988 and other relevant legislation and whether reasonable steps were taken to protect personal information;
• direct response strategies and determine steps to mitigate damage;
• remedy weaknesses in internal controls to prevent further intrusion;
• consider the risk of future legal claims by third parties whose information has been compromised, or who will suffer consequential loss from the breach;
• prepare for regulatory investigations that may be instituted by the Office of the Privacy Commissioner, the Australian and Securities and Investment Commission or other industry regulators;
• consider liability under the Payment Card Industry (PCI) scheme, if applicable;
• manage damage to the company’s reputation and relationships with key stakeholders;
• comply with the mandatory disclosure regime Australia will shortly adopt; and
• consider potential insurance claims.
Some of these drivers will respond to the legal risks arising from the breach and these will support a right to privilege over documents generated by an investigation. Other motivators however will have their origin in internal or commercial factors that will not support the ability to claim privilege.
Strategies to maximise privilege
It is not possible to guarantee records will be privileged following an intrusion, however the following steps will improve the prospects of a privilege claim.
The starting point a court will often use when considering privilege is the nature of any instructions given to an investigating third party. To help satisfy the criteria of the Dominant Purpose Test, an expert’s instructions should:
• be prepared and issued by the organisation’s solicitors, and letters of instructions should be marked as privileged communications;
• demonstrate that the organisation has considered its long term risks and the legal implications that may arise from the data breach, including liability to third parties;
• identify that the organisation has retained solicitors, and include the solicitors as party to any expert retainer;
• specify how the expert’s work is tied to the organisation’s legal obligations and exposures;
• focus the expert’s work on identifying the cause and extent of the breach and only as a subsidiary issue consider matters such as system improvement and any internal management issues; and
• highlight that the expert’s role is to work closely with and provide assistance to the organisations
solicitors.
A privilege strategy should also be developed with solicitors and implemented consistently to manage both third parties and internal documents that are generated. As part of this strategy, consideration should be given to the entire scope of documents that will be produced, and the potential for common interest privilege to be claimed, where documents will be relied by both insurers and their insureds.
A privilege strategy should also distinguish between the tasks that are undertaken for commercial and non-legal purposes as the documents created for these purposes are unlikely to satisfy the Dominant Purpose Test. In some instances parts of the investigation work may need to be isolated and kept separate so it will not weaken the right to assert privileged over other documents.
Finally, it is also necessary to manage the circulation of privileged documents and to avoid the document being misused or disclosed in a manner that could waive privilege. For example, where parts of documents are copied or used in different contexts, a right to privilege could be lost.
Mr Ben DiMarco and Mr John Gallagher are Senior Associates at Clyde & Co Sydney. Mr Matthew Pokarier is a Partner at Clyde & Co Brisbane.