Why Legal Privilege Matters in the Wake of a Cyber Incident

Burges Salmon has written about "Why Legal Privilege Matters in the Wake of a Cyber Incident." Burges Salmon says:-

• With cyber threats on the rise and regulators increasingly scrutinising incident responses, legal privilege offers a vital safeguard.
• It allows organisations to investigate and respond to an incident confidentially, without fear that sensitive communications will be disclosed to third parties or the public later.
• Legal advice privilege protects confidential communications with lawyers, while litigation privilege may extend to third parties if litigation is in reasonable contemplation.
• Legal advice privilege cannot be applied retrospectively, so early involvement of lawyers is essential.

MANAGE A CYBER CRISIS WITHIN A PROTECTED ZONE OF CONFIDENTIALITY

By following the guidelines listed below, data controllers (including companies, trustees and other organisations) who find themselves impacted by a cyber incident can maximise their ability to claim privilege, thereby managing a cyber crisis within a protected zone of confidentiality.

• Why Early Legal Engagement Matters
• Involving lawyers from the outset ensures your incident response is conducted within a protected framework.
• This enables open, candid discussions and helps shape a controlled public response.
• Delaying legal involvement risks creating documents and emails that may later be disclosable, potentially weakening your legal position.
• Key Steps to Preserve Privilege
• Appoint lawyers early:
• It is then easier to distinguish between legal and non-legal channels of communication, and this increases the likelihood of privilege attaching to any advice or work product.
• Communications with lawyers about the incident should be limited to a core incident response team, as wider circulation risks loss of confidentiality and privilege. 
• Distinguish legal advice from routine correspondence:
• Routine internal correspondence generally does not attract privilege.
• For all correspondence with, and documents prepared by/for, lawyers relating to the incident, use headings or labels such as “Confidential: Legal Advice Privilege”.
• While simply marking something “privileged” doesn’t guarantee that the court will agree, it signals the intention and reminds recipients to treat the information cautiously.
• It is also essential to consider separating privileged and non-privileged advice to avoid the creation of "dual purpose" documents, which are not fully privileged.
• Instruct experts via lawyers: 
• Often, external experts (IT forensics firms, cybersecurity consultants, forensic accountants, etc.) are needed to investigate and contain a breach.
• To bring their work under privilege, engage these third-party vendors through your legal team.
• If advice needs to be shared with a third party, it is essential to make it clear with the recipient that the confidential advice is only being shared for a specific, limited and defined purpose.
• Handle external requests carefully:
• Consult lawyers before responding to regulators or third parties. It is essential to take legal advice on such communications, as privileged material may be withheld or shared in a limited way.
• Consider jurisdictional differences: 
• If the cyber incident spans multiple countries or involves foreign authorities, be aware that the concept of legal privilege varies internationally. 
• Some jurisdictions do not recognise legal professional privilege in the same way as England and Wales.
• Seeking local legal advice is crucial to avoid inadvertently waiving privilege in jurisdictions where protections differ.

By following the above guidelines, data controllers (including companies, trustees and other organisations) who find themselves impacted by a cyber incident can maximise their ability to claim privilege, thereby managing a cyber crisis within a protected zone of confidentiality.

COMMON CYBER PRIVILEGE TRAPS AND HOW TO AVOID THEM

Even with good policies, it’s easy to accidentally waive or lose privilege. Here are some common privilege traps in the context of cyber incident responses (and how to avoid them):

• Common Privilege Traps -
• Board minutes:
• If you discuss the cyber incident in a board meeting, avoid referring to specific legal advice in the minutes.
• Ideally, have your lawyers attend essential meetings related to the incident. That way, any advice can be given directly by counsel (often keeping it privileged), and separate privileged notes can be taken by the lawyers.
• Forwarding advice:
• Avoid sharing privileged emails beyond the designated incident group unless strictly necessary for the incident response.
• Sharing advice risks the advice no longer being confidential and, therefore, losing its privileged status.
• Emergency messaging:
• Ensure teams are told to avoid speculative or sensitive comments in informal channels; if you wouldn’t be happy for a court to see it, don’t say it.
• It’s essential to note in this context that communications regarding PR strategies are generally not privileged unless they contain legal advice. 
• Shared inboxes:
• Sending privileged details to a shared team inbox or a group email address may reach a wider audience than intended, meaning privilege may be lost. 
• Regulator queries:
• Don’t rush to respond. Legal advice may be protected - it is sometimes possible to share insights without revealing the privileged documents, or to agree on a limited disclosure that preserves privilege against other third parties.  

CONCLUSION

• Legal privilege is a powerful tool in managing cyber incidents. It protects your ability to investigate, strategise, and respond without exposing sensitive discussions.
• By planning and following the above guidance and best practices, organisations can reduce legal risk and maintain confidentiality throughout a crisis.

SOURCES

• https://www.burges-salmon.com/articles/102lp53/shielding-your-cyber-response-why-legal-privilege-matters-in-the-wake-of-a-cyber/