Prioritising privilege: the importance of legal privilege in cyber incidents
Financial Reporting Council Ltd v Sports Direct International Plc [18.02.20]
The Court of Appeal’s decision this week in Financial Reporting Council Ltd v Sports Direct International Plc is a timely reminder of the importance of legal privilege, which particularly resonates in the data protection/cyber sector.
The Court of Appeal has clarified that legal privilege can be used to withhold documents in the context of a regulator’s statutory powers, unless an applicable statute overrides privilege.
Legal privilege and cyber incidents
The preservation of legal privilege is a crucial consideration when dealing with any cyber incident, as it allows organisations to obtain technical and legal advice with the comfort that any associated communications or documents are protected from disclosure to the regulator.
In the immediate aftermath of a cyber incident, companies are understandably focussed on ensuring that their systems are secure and that any vulnerabilities are closed down.
This means that a legal team is sometimes instructed only after a company has already obtained its own IT forensic report, which can contain unhelpful commentary about the wider security landscape and/or recommend various improvements. By this stage, the company may also have built up a catalogue of internal correspondence about the incident.
The Information Commissioner’s Office (ICO), along with other professional regulators and claimants’ solicitors, routinely requests the disclosure of any investigation reports in the course of its investigations.
The ICO recognises the application of legal privilege in its policies and has made clear that it does not require access to any information which is subject to legal professional privilege.
However, without the banner of legal privilege, documents could be disclosable not only to the regulator, but in the context of any subsequent data-subject claims. This could have a significant impact on the exposures faced by organisations and could be commercially damaging to the brand if such documents are taken out of context. With this in mind, the outcome in Financial Reporting Council Ltd v Sports Direct International Plc is a welcome affirmation of the concept of legal privilege.
This decision is a timely reminder that companies should think about the following points early on in the breach response process:
- Prioritise getting a legal team on board at an early stage, to ensure that you can benefit from the protection of legal privilege.
- Ensure that third-party vendors, such as IT forensics and forensic accountants, are instructed via your legal team (with an appropriately worded engagement letter) to bring them under the umbrella of legal privilege.
- If documents are requested by a third party, consider how legal privilege may be impacted and whether disclosure ought to be withheld.
- If other jurisdictions are involved, seek advice on the operation of privilege in those territories. Some countries do not have the same concept of legal privilege as England and Wales.