July 7, 2016
What is the first thing you should do if you discover that your business suffered a data loss or that your customers’ data had been accessed or stolen during a cybersecurity breach? Should you call the head of your IT department? Or your Chief Information Security Officer? Or the CEO or President of your company? Not so fast!!!
Ideally, you shouldn’t call anyone other than the attorney who regularly represents your business. If you do call anyone else, you might unintentionally make matters worse for your business and easier for attorneys who pursue lawsuits on behalf of your customers whose information was compromised. However, if your first call is to the attorney who regularly represents your business, then the substance of that communication will be protected as an attorney-client privileged communication.
For example, let’s take Johnny Appleseed, star salesman for Apples R Us. One fine day, while visiting customers, Johnny decided to drop the top on his convertible on his way to his first customer visit of the day. Leaving his laptop on the front seat of his car, Johnny made a quick stop for a cup of coffee. When Johnny returned to his car, he discovered that someone had reached into his convertible and stolen his laptop. What did Johnny do? Johnny immediately called his boss. Unable to reach his boss, Johnny left him a voicemail and followed that up with an email sent from his mobile phone. “Boss – I screwed up. My company-issued laptop was stolen from the front seat of my convertible while I was getting coffee.”
The thief got away with credit card information of 25 of Apples R Us’ best customers. After hearing through the grapevine that Johnny Appleseed was negligent in protecting their credit card information, the customers filed a class action lawsuit against Apples R Us, claiming millions of dollars in damages. Their lawyer issued a subpoena for all communications that day between Johnny and his employer. Sure enough, the recorded voicemail and the email were discovered and became the smoking guns that eventually put Apples R Us out of business. It wasn’t hard for the court to conclude that Apples R Us (by and through its star salesman, Johnny Appleseed) was negligent in protecting its customers’ information since Johnny admitted it to his boss.
Could the fate of Apples R Us have been any different? Yes. If Apples R Us had a company policy in place that required any and every employee who discovers a data loss or cyber breach to call the company’s outside counsel first, Apples R Us would not have been required to turn over those incriminating communications. They would have been deemed to be attorney-client privileged communications, subject to the highest level of confidentiality. And, Apples R Us would possibly still be in business. Granted, it may not be feasible or appropriate for your employees to have direct access to your outside counsel. If that is the case, we recommend setting up a hotline or a new email address (such as PotentialBreach@mybusiness.com, in which the IT department head, the CEO/President AND your outside counsel would be the recipients) for reporting a data breach – likely still preserving the attorney-client privileged communication.
Also, whether your company has 5 employees, 50 employees or 500 employees, be sure you have a written information security plan (WISP) that spells out the protocols and procedures employees should undertake immediately after discovering a data loss or cyber breach. And certainly make sure that those protocols and procedures specifically include a “first responder” call (or email) as described above.
The Data Use, Privacy and Protection practice at Shulman Rogers assists businesses of all types and sizes in preparing a WISP that is best suited for them. It also helps businesses (i) engage those who can best assess and manage cybersecurity and data loss risks from a technological perspective, (ii) review and update business contracts and agreements to properly allocate and mitigate such risks, (iii) navigate through best suited insurance coverages for costs and expenses of cybersecurity and data loss incident response, and (iv) respond to cybersecurity hacks and data breaches. Please reach out to your principal contact at Shulman Rogers for more information. If you don’t have one, please contact us.
For reasons we can expand upon if engaged, an employee direction to refrain from admitting any wrongdoing relating to a cyber breach or data loss to anyone other than the company’s outside counsel should not be contained in an employee handbook.