With cyber threats on the rise and regulators increasingly scrutinising incident responses, legal privilege offers a vital safeguard. It allows organisations to investigate and respond to an incident confidentially, without fear that sensitive communications will later be disclosed to third parties and/or publicly. Legal advice privilege protects confidential communications with lawyers, while litigation privilege may extend to third parties if litigation is in reasonable contemplation. It cannot be applied retrospectively, so early involvement of lawyers is essential.
Why Early Legal Engagement Matters
Involving lawyers from the outset ensures your incident response is conducted within a protected framework. This enables open, candid discussions and helps shape a controlled public response. Delaying legal involvement risks creating documents and emails that may later be disclosable, potentially weakening your legal position.
Key Steps to Preserve Privilege
- Appoint lawyers early: It is then easier to distinguish between legal and non-legal channels of communication, and this increases the likelihood of privilege attaching to any advice or work product. Communications with lawyers about the incident should be limited to a core incident response team, as wider circulation risks loss of confidentiality and privilege.
- Distinguish legal advice from routine correspondence: Routine internal correspondence generally does not attract privilege. For all correspondence with, and documents prepared by/for, lawyers relating to the incident, use headings or labels such as “Confidential: Legal Advice Privilege”. While simply marking something “privileged” doesn’t guarantee that the court will agree, it signals the intention and reminds recipients to treat the information cautiously. It is also important to consider separating privileged and non-privileged advice to avoid the creation of “dual purpose” documents which are not fully privileged.
- Instruct experts via lawyers: Often external experts (IT forensics firms, cybersecurity consultants, forensic accountants, etc.) are needed to investigate and contain a breach. To bring their work under privilege, engage these third-party vendors through your legal team. If advice needs to be shared with a third party, it is important to make it clear to the recipient that the confidential advice is only being shared for a specific, limited and defined purpose.
- Handle external requests carefully: Consult lawyers before responding to regulators or third parties. It is important to take legal advice on such communications, as privileged material may be withheld or shared in a limited way.
- Consider jurisdictional differences: If the cyber incident spans multiple countries or involves foreign authorities, be aware that the concept of legal privilege varies internationally. Some jurisdictions do not recognise legal professional privilege in the same way as England and Wales. Seeking local legal advice is crucial to avoid inadvertent waiver of privilege in jurisdictions where protections differ.
By following the above guidelines, data controllers (including companies, trustees and other organisations) who find themselves impacted by a cyber incident can maximise their ability to claim privilege, thereby managing a cyber crisis within a protected zone of confidentiality.
Common Privilege Traps
Even with good policies, it’s easy to accidentally waive or lose privilege. Here are some common privilege traps in the context of cyber incident responses (and how to avoid them):
- Board minutes: If you discuss the cyber incident in a board meeting, avoid referring to specific legal advice in the minutes. Ideally, have your lawyers attend important incident-related meetings. That way, any advice can be given directly by counsel (often keeping it privileged), and separate privileged notes can be taken by the lawyers.
- Forwarding advice: Avoid sharing privileged emails beyond the designated incident group unless strictly necessary for the incident response. Sharing advice risks the advice no longer being confidential, and so no longer privileged.
- Emergency messaging: Ensure teams are told to avoid speculative or sensitive comments in informal channels; if you wouldn’t be happy for a court to see it, don’t say it. It’s important to note in this context that communications on PR strategies generally won’t be privileged unless they contain legal advice.
- Shared inboxes: Sending privileged details to a shared team inbox or a group email address may reach a wider audience than intended, meaning privilege may be lost.
- Regulator queries: Don’t rush to respond. Legal advice may be protected - it is sometimes possible to share insights without revealing the privileged documents, or to agree on a limited disclosure that preserves privilege against other third parties.
Conclusion
Legal privilege is a powerful tool in managing cyber incidents. It protects your ability to investigate, strategise and respond without exposing sensitive discussions. By planning ahead and following best practices, organisations can reduce legal risk and maintain confidentiality throughout a crisis.
This article was written by Amy Khodabandehloo and Will Cadbury. If you have any questions or would like tailored advice or training on legal privilege and cyber incident response, please contact the Burges Salmon team. We’re here to help you prepare, respond and protect your organisation effectively.