
Pensions Pod: Cyber and AI Bytes – Understanding legal privilege for trustees in a cyber context


In this episode of The Pensions Pod: Cyber and AI Bytes, Richard Pettit and Amy Khodabandehloo discuss the importance of legal privilege in the context of cyber security, particularly for trustees. They explore the two key types of legal privilege (legal advice privilege and litigation privilege) and emphasise the need for early involvement of lawyers in incident response. They cover practical steps to maintain privilege, common pitfalls to avoid, and the significance of planning ahead for potential cyber incidents.

Speakers

Richard Pettit, Partner, Burges Salmon

Hello everyone and welcome to today’s Cyber and AI Bytes episode, part of the world-famous Burges Salmon Pensions Pod. I’m Richard Pettit. I’m a Partner in our Pensions department and I’m one of our cyber governance leads as well. I’m really pleased to be joined today by Amy Khodabandehloo who’s a Director in Burges Salmon’s Dispute Resolution team. Amy specialises in advising clients in the aftermath of cyber incidents and data breaches and helping them navigate complex legal and reputational challenges.

Today, Amy and I will be discussing how to navigate the crucial protection that legal privilege offers during a cyber incident. We’ll explore why confidentiality is key and how organisations, including trustees, can maximise their legal protection during a cyber incident.

So, Amy, thank you so much for joining me today to talk about legal privilege and why it’s relevant to cybersecurity, both in the wider pensions context and for other clients.

Amy Khodabandehloo, Director, Burges Salmon (00:58)

Thanks Richard, I’m happy to be here.

Richard Pettit (01:02)

So, probably makes sense to kick off on exploring exactly what legal privilege is and why it’s so essential when responding to a cyber threat. So, perhaps if you can imagine that I know nothing about legal privilege, which might not be a huge stretch, and cover some of the basics for us.

Amy Khodabandehloo (01:17)

Sure, so there are two types of privilege that trustees need to be aware of in this context. The first is legal advice privilege, which protects confidential communications between a client and their legal advisors, if those communications are created for the purpose of giving or receiving legal advice. The second type of privilege is litigation privilege, which is a bit different, and that protects communications between a client and their lawyer or a third party, provided that those communications are created for the dominant purpose of actual or reasonably contemplated litigation. And for litigation to be reasonably contemplated, it needs to be more than a mere possibility that it’s going to happen, though the chance of it doesn’t need to be more than 50%. And privilege as a whole offers a really vital safeguard in the wake of a cyber incident because it allows organisations to investigate and respond to an incident confidentially and ensure that sensitive communications won’t later be disclosed to third parties or publicly, provided they meet the right requirements for privilege. In short, if a cyber incident is investigated and responded to under the umbrella of privilege, it makes sure that matters can be worked through openly and in a safe space and that the right or appropriate public response is put forward. So it’s a really powerful protection in this scenario.

Richard Pettit (02:56)

Thanks, Amy. It’s really easy to understand why that is so important, because unless, as you say, you have that safe space to work things through, if everyone’s always looking over their shoulder at what someone else might say or how they might be criticised, you can’t actually effectively respond to the incident. So, that’s clearly really important. I suppose perhaps an obvious question is when you need to involve lawyers to do that. So, can you bring lawyers in once you’ve had some of the discussions and use a blanket to cover things, or, as I’m anticipating, perhaps it doesn’t work quite like that?

Amy Khodabandehloo (03:29)

Not quite. I mean, I would say this because I am a lawyer, but the early involvement of lawyers is absolutely essential, whether an organisation has suffered a breach directly or instead we’re looking at a third-party supplier incident, which is more likely to be the case for trustees. Really importantly, picking up on what you just said, Richard, legal advice privilege or litigation privilege, whatever privilege it is, can’t be applied retrospectively.

So, it’s really crucial that lawyers are involved from the outset to make sure that the incident response is conducted within a protected framework. And that then does, as you suggested, enable open candid discussions and then helps to shape the controlled public response and also well-considered communications internally and within the supply chain.

Richard Pettit (04:19)

Yeah, that makes absolute sense, Amy, and I’m just reiterating what you said, but it’s obviously one of the reasons we’ve got this podcast and one of the reasons we recommend trustees do training and have a knowledge around privilege: so that trustees can understand that importance and make an informed decision about when to involve lawyers. Because, as we’ll come to later, when an incident happens (and I was dealing with something similar on Friday afternoon, externally) it’s quite pressurised, and you need to have planned out in advance what you’re going to do and make an informed decision about involving lawyers rather than rushing to a decision that you either do or don’t, if an incident occurs. I’m sort of falling into the trap there, saying “if” an incident occurs; obviously trustees, in line with the Regulator’s guidance, should be planning for when an incident occurs rather than if, so it’s really important to be lined up on all of this. So assuming you’re planning, as a trustee board, for when an incident happens, what, from your perspective, are the key practical steps that trustees can take to first start establishing privilege, which as you said you can’t do retrospectively, and then to make sure that privilege is maintained and not lost?

Amy Khodabandehloo (05:27)

Sure. So, without wishing to sound like a broken record, firstly, appoint lawyers early. That makes it easier to distinguish between legal and non-legal communication channels and opens up the umbrella of privilege that we’ve talked about. Secondly, it’s really important to establish the core team that’s going to be responsible for dealing with the incident and to limit communications to that core response team because the wider you circulate these communications, the greater the risk that confidentiality and therefore privilege is lost. And that’s really important in the context, for example, of shared inboxes or just the odd person that gets copied into a chain and there’s a huge chain of communications below it. It’s just really important to keep that communication as tight as possible to a very specific group that everyone understands to be part of that group. Thirdly, label the communications, so, using the heading ‘Confidential and legally privileged’ for correspondence and documents that are prepared in relation to the incident response is helpful. Simply marking something confidential and legally privileged doesn’t guarantee that the court will agree that that document is privileged, but it does signal the intention, and it does also focus people’s minds on the fact that the information needs to be treated carefully and with caution.

Fourthly, in the context of third parties: in an incident response situation, you know, you will need to involve external experts, IT forensic firms, cybersecurity consultants. In order to bring their work under privilege, it’s important that they are ideally engaged through the legal team. That way they fall under the umbrella of privilege in which the investigation is being conducted as a whole.

Richard Pettit (07:22)

Thank you. Those are really good, useful practical tips, including things like labelling, which I think a lot of people know to be slightly cautious around, because a label is not a panacea. You can’t just put a label on something, but it’s really interesting, that point around just concentrating people’s minds. And again, when people are acting really quickly responding to an incident, it helps to have thought all those things through and planned them out in advance. Obviously, incidents can be dynamic, and so can the response, and they can sometimes involve elements all over the world. So one question from my perspective is: if you’re protecting privilege using the mechanisms you’ve talked about, does that work everywhere? Or are there things to be aware of internationally?

Amy Khodabandehloo (08:08)

So, if the cyber incident spans multiple countries or involves foreign authorities, then it’s really important to be aware of the fact that legal privilege and the concept of legal privilege varies internationally. Some jurisdictions don’t recognise legal privilege in the same way as we do in England and Wales. So, seeking local legal advice is really crucial to avoid inadvertently waiving privilege in jurisdictions where the protections might differ.

Richard Pettit (08:39)

That makes sense, and again, it’s useful to get that advice in all the relevant jurisdictions. Okay, thank you Amy, that makes sense. I want to move on now, if it’s okay, just to think about how things can go wrong with privilege. So even for really well-run trustee boards, really hot on governance, that kind of client is unlikely to fall into some of the obvious traps, which would be not following your advice, not appointing lawyers, involving too many people. But even assuming you are really hot on governance and running things well, it’ll be really interesting to know what you’ve seen in practice where things can go wrong, and what big pitfalls are important to avoid.

Amy Khodabandehloo (09:22)

Sure. So, even with good internal policies in place, like you say, there are several common privilege traps, if you like, in the context of cyber incident responses. And for trustees in particular, these include, firstly, meeting minutes. Obviously, meetings happen very frequently for trustee boards. And if you are discussing the cyber incident, then it’s really important to avoid referring to specific legal advice in minutes and be careful about what you say in minutes more generally relating to the incident. Ideally, you’d have lawyers attend important incident-related meetings and they can take separate privileged notes. And it’s also important to consider who else might be in that meeting. It should only be the core group of people that we talked about earlier. And, importantly, any third parties who are in attendance at the meeting should really be asked to leave before the incident and privileged communications are discussed.

Richard Pettit (10:23)

And I was just going to say, nowadays I think a lot of our clients will be used to following that kind of protocol, either where there’s a conflict and the employer representatives might need to leave the room, or also where there is sensitive legal advice, because maintaining legal privilege is not important just in relation to cyber security. We’re talking about it in relation to a cyber incident, but it holds true in relation to a lot of advice we give. And so, this kind of process, again, a lot of trustee boards will be familiar with.

Amy Khodabandehloo (10:49)

Yeah, absolutely. Another common privilege trap area is forwarding advice. So, it’s really important to avoid sharing privileged emails beyond the designated incident group, unless strictly necessary. And again, as you say, I think clients are more and more aware of this now. But the more people you forward advice to, particularly those outside of the core incident response group, the greater the risk that confidentiality and therefore privilege is lost. Thinking then about emergency messaging, that’s another area, particularly in a very fast-paced, highly stressful situation. Emergency messaging is quite a key one to keep at the forefront of your mind, particularly in terms of what you’re saying. It’s really important to avoid speculative comments or sensitive comments, particularly through informal channels.

The rule of thumb that we like to use is if you wouldn’t be happy for a court to see it, then don’t say it. And that’s really important to keep in mind. Actually thinking about communications on PR strategies, which often come up in this cyber incident response process, they won’t necessarily always be privileged unless they contain legal advice. So, when you’re thinking about how you are presenting this to the wider world, just remember that what you’re saying might not necessarily be privileged if it’s to do with a PR strategy.

Shared inboxes are another potential trap. We see these set up all the time so that a large group of people can receive an email in one go. If an email is reaching a wider audience than intended because it’s been sent to a shared inbox, again, you might risk losing confidentiality and therefore privilege. That’s an important one to keep in mind. And finally, Regulator queries can be a trap that some come up against. The key message there is don’t rush to respond. It’s important, obviously, that we comply and are as helpful as we can be with Regulator queries, but we do also need to remember that it doesn’t need to be rushed and that legal advice may still be protected. And sometimes it’s possible to share insights with a Regulator without revealing privileged documents, or to agree a sort of limited disclosure basis that preserves privilege against other parties.

Richard Pettit (13:09)

Yeah, a really important point generally in relation to the Regulator is to be prepared to be robust. Even though you should all have your interests aligned, it’s not always the case. You’re thinking as trustees about your members, whereas the Regulator is thinking, rightly, more widely. And as you say, there is a parallel regime to privilege under the Pensions Act to protect information from disclosure, and we’ve got, as you say, those alternative approaches we have used in cases where you’re wanting to cooperate with the Regulator but protect the legal advice privilege or protected item status under the Act. That’s all really useful. That has, good news or bad news, taken us towards the end of this episode of the podcast. So, given that we’ve talked about needing short, snappy points for trustees to work to, would you be able to give us maybe three dos and three don’ts for incident response teams when addressing privilege?

Amy Khodabandehloo (14:10)

Yeah, sure. So, my three dos would be: do involve lawyers early and throughout the process; do limit access to privileged information to a clearly defined group; and do ask lawyers to handle note taking and reports where practicable. On the don’t side: don’t annotate or summarise legal advice in unprivileged documents; don’t forward legal advice outside the core team unless it’s strictly necessary; and don’t assume that copying a lawyer makes a message privileged, because it doesn’t. Those would be my top tips.

Richard Pettit (14:44)

Those are good, very clear top tips. Thank you, Amy. So, thank you very much for joining us today. It’s really useful. I think the key takeaways for me, as well as those top three dos and don’ts, are that legal privilege is a really valuable tool in managing and responding to cyber incidents, given that safe space we talked about earlier, so that you can investigate and deal with things without looking over your shoulder. The key element I really took away from today is that it’s about planning ahead.

So, as you said before, cyber incidents are going to be urgent. They’re going to be incredibly stressful for everyone involved. So, having a plan in place, thinking about the dos and don’ts and the structures you’ve mentioned, having a good cyber incident response plan that addresses privilege as part of that is really, really important.

So, thank you very much. That was another episode, as I said, of our Cyber and AI Bytes podcast, which is part of the overall Pensions Pod series.

If you’d like to know more about the Pensions and Lifetime Saving Department at Burges Salmon or our cyber specialists across the firm, how we can work to help you, then please contact me or any of our team via our website. As we say on every episode, all the previous episodes are available on Apple, Spotify, our website, or wherever you listen to your podcasts, if that hasn’t covered everything. Don’t forget to subscribe. And thank you very much from both of us for listening. Thank you.