BreachExchange mailing list archives

The Privilege of PR: Application of the Attorney-Client Privilege to Crisis Communications and Public Relations in Breach Response Planning


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 21 Jan 2016 17:52:15 -0700

http://www.jdsupra.com/legalnews/the-privilege-of-pr-application-of-the-11978/

Cyber-attacks have become a matter of everyday reality for all businesses:
regardless of industry or size, it is no longer if a data breach will
happen, but when.  And waiting for a breach to occur before designing and
implementing a cyber incident response plan is generally a recipe for
disaster.  Often overlooked, however, is the need to include a
carefully-crafted crisis communication or public relations strategy and to
do so in a way that extends the attorney-client privilege to the crisis
communication firm.

Today, data breaches are headline news events that require a swift and
nimble response, often in the public eye.  In light of the potentially
severe reputational damage that can arise from a data breach, a thoughtful
crisis communications strategy is an essential component of an incident
response plan.  As the steady drumbeat of recent high-profile data breaches
has taught us, the chaos and flurry of activity that surrounds a major
hacking isn’t a traditional “crisis” event.  Data breaches generally are
not detected until long after the fact and hackers may have gained access
to sensitive records and personally identifiable information weeks or even
months before the breach is detected.

Complicating matters further, a host of communications may need to be made
quickly including potential notifications to regulators and law
enforcement, correspondence with customers and media, and statements to the
general public.  Managing the flow and timing of public statements and
information will be critical especially if the victimized company is public
and subject to U.S. Securities and Exchange Commission disclosure
requirements.  Hastily informing (or, worse yet, misinforming) customers
and the public or having to retract statements can only serve to inflame an
already tense situation.  Failure to develop appropriate messaging and
handle these communications promptly may also bring a loss of trust, damage
to brand and reputational harm far beyond direct monetary damages.

When a data breach hits, a crisis communication team prepped and at the
ready can, among other things, help a company field incoming press
inquiries, establish a hotline for customer questions, manage a dedicated
microsite as a clearing house for affected persons, prepare FAQs and
distribute up-to-date news and information about the breach.

But simply working with an outside firm and designing a crisis
communication strategy is not enough.  Strong consideration must be given
to the manner in which these non-lawyers are engaged and what and how
information is provided to them.   In engaging and working with a public
relations firm in the wake of a breach, attorneys must be mindful that
their relationship does not compromise the attorney-client privilege or
work product doctrine.  Under United States v. Kovel, 296 F.2d 918 (2d Cir.
1961), non-legal professionals may receive attorney-client privileged
materials within the scope of the attorney-client privilege and
communications with counsel may be protected, where those professionals are
retained by counsel to provide advice and expertise that assists counsel in
providing legal advice and/or services to his or her client.  However, this
safe harbor is tightly construed, and may not be recognized by certain
courts when it comes to a public relations firm.  In retaining and working
with a public relations firm, attorneys must exercise caution and ensure
that communications are made solely for the purpose of providing legal
advice.  Even so, a court may not ultimately extend the attorney-client
privilege to such communications, and care should be taken in sharing
information throughout the crisis communications planning and response
process.

Indeed, the law is highly fact specific, with cases going either way
depending on the precise role of the PR firm.  For example, courts have
upheld the extension of the attorney-client privilege to an outside PR firm
when the impact of media coverage might influence whether criminal charges
are brought and would therefore influence counsel’s strategy.  In re Grand
Jury Subpoenas, 219 F.3d 175 (2d Cir. 2000).  In other instances, the
outcome went the other way.  McNamee v. Clemens, 2014 WL 6572899 (E.D.N.Y.
2013).

While there are no guarantees that a court will uphold a claim of
privilege, here are some steps that a company can take to improve its odds
of maintaining a privilege assertion over communications with a PR firm:

1.   The public relations or crisis management firm should be engaged
directly by outside counsel, not the client.

2.   The engagement letter should be carefully written by outside counsel
to make clear that:

a.   the PR firm is working under the direction of outside counsel and
reporting directly to the law firm;
b.   all communications between the PR firm and outside counsel and/or the
client’s representatives shall be confidential and made solely for the
purpose of assisting counsel in rendering legal services to the client;
c.   all documents and work product prepared by the PR firm are
confidential and should be treated as such; and
d.   the PR firm has an obligation to protect the confidentiality of the
information exchanged with counsel and all documents it prepares.

3.   To the extent practicable, communications between the client and the
PR firm should be through outside counsel or in the presence of outside
counsel.

4.   PR firms should label documents (including email traffic) as
“Attorney-Client Privilege/Work Product Communications.”

5.   Because it is essential that the services provided by the PR firm
facilitate legal advice and services, great caution should be taken to
define what services the PR firm is being asked to perform.

6.   Careful consideration should be given to the nature of each service
the PR firm is undertaking when contemplating a disclosure to it. If, in
connection with a particular assignment, the PR firm is not engaged in
helping outside counsel formulate legal strategy, sharing privileged
information should be avoided.

7.   The PR firm should invoice the law firm for its services whenever
possible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
