After a Data Breach, Do You Need an Investigator or a Lawyer?
Before becoming a computer forensics investigator who specializes in data breach response, Jason Straight was a practicing attorney. And even though he's been in the investigative business for longer than he was a lawyer, he has to pause every once in a while when a client asks him a question in the course of an investigation.
"I have to stop and think, 'Am I providing legal advice by answering this?'" says Straight, now a managing director with Kroll Advisory Solutions.
As Straight made clear in a recent article, "It's a Legal Matter: The Fine Line Between Expert Data Breach Guidance and Legal Advice" [PDF], providing legal counsel isn't the job of a forensic investigator like himself (nor is he insured to do so). But having to tell a client that there are some queries only an experienced data breach lawyer can answer is a common enough scenario that he felt compelled to put it down on paper.
From questions about privilege to the details of 46 different state laws on data breach notification, "The earlier you can get counsel engaged in the process, the better it is for everybody, including for Kroll," Straight tells CorpCounsel.com.
For starters, Straight and his colleagues are more comfortable operating at the direction of counsel from the outset of an investigation into a data breach incident. "Number one, it gives the client the ability to assert attorney work product privilege protection over the work that we do, which has a number of advantages down the line," he says.
Experienced counsel also help define the scope of an investigation, that is, how far does the company need to go to be able to make a determination about a potential incident? A forensic investigator can tell a client what is technically possible to probe. "But really, it is a legal judgment to some extent to say, 'Do we feel we've done our due diligence here?'" Straight says.
The ticking clock is another factor. "Every hour not spent preserving and gathering information, information may be lost that could help us prove that there was no breach," Straight says. But a client who has just experienced a breach is often (understandably) panicked about doing the right thing, not to mention thinking about costs and liability. The result? "We'll put forth a proposal and then the client will sit on it," says Straight.
A data breach lawyer, then, can help get the ball rolling more quickly. "It's really the confidence that they bring," says Straight, and it's the attorney who can say, "Calm down, here are the statutes we need to be concerned about, here's the timeline."
Perhaps the most pressing question counsel will eventually have to answer is whether or not the company has an obligation to notify potential victims of a breach.
"At the end of the day, it requires counsel to make that determination as to, 'Yes, this is [personally identifiable information] under the state statute that requires the following actions,'" Straight says. "Ideally we are working hand in hand with counsel to develop the data analytics processes to identify personally identifiable information in an exposed data set."
As tempting as it may be for in-house counsel to keep matters contained in the law department, Straight places a lot of emphasis on the need for experienced outside counsel. "Ask your outside counsel how many data breach responses have they handled in the last year? And if it's not a double-digit number, you may want to keep looking," he says.