1 of 22

Lawyers and InfoSec professionals –

Playing Nicely With Lawyers to Provide More Value in Your Engagements

David TS Fraser / @privacylawyer / david.fraser@mcinnescooper.com

HTCIA 2022

(Presentation will be available at blog.privacylawyer.ca)

© McInnes Cooper, 2021

Lawyers are seeing what you’re seeing

  • Employee snooping
  • Email inbox intrusions
  • Funds diversions
  • Ransomware
  • Ransomware plus exfiltration
  • Data theft
  • Economic espionage

When lawyers look at an incident, we see a blizzard of legal issues and legal risks.

A multi-disciplinary approach

  • Cyber-incidents don’t only call for a technical response – there are more stakeholders than you’d expect
  • Incident response involves (or at least should):
    • Senior management
    • Risk managers, insurance people
    • Communications staff
    • Marketing people
    • Lawyers
    • Or, god forbid, politicians
  • The more you understand about business, risk, insurance, communications and law, the more indispensable you’ll be for the team.
  • And what the team needs is shifting …

Why lawyers sometimes are taking the lead

What lawyers need to do in a breach

  • Advising the client on meeting legal obligations for reporting and notification
  • Preparing to defend any lawsuits that follow
  • Preparing to deal with any regulatory investigations
  • Advising on remedial steps to take to manage legal risks
  • Rely on security pros to provide them with much of the information necessary to do all of the above

Normal people questions can be legal questions

  • What is the “standard of care” for safeguarding this data?
  • What measures did the client take to protect the data?
  • Were the measures adequate given the sensitivity of the data?
  • Could the risk have been foreseen?
  • Did the client have a robust and mature security posture? Were there gaps?
  • Was the client reckless?
  • Did the client put their data at undue risk?
  • Did the client consistently treat the information as confidential/protected?

What lawyers bring to the party

  • Privilege, but stay tuned about its parameters …

Life Labs Order

Privilege

  • There are two kinds of privilege:
    • Legal advice privilege:
      • Where the communication record, work product, etc. is created for the purpose of obtaining legal advice from a lawyer.
    • Litigation privilege:
      • Where the communication, record, work product, etc. is created for the purpose of preparing for actually anticipated litigation. (It disappears after the litigation.)

Privilege > Confidentiality

  • Simple confidentiality is not privilege.

  • All relevant confidential but not privileged records must be produced in a lawsuit or to regulators.

A few words about privilege

  • Encourage your clients to involve legal counsel as soon as possible (and contact their insurer)
  • The investigation should be framed in terms of seeking legal advice regarding legal risk and legal compliance, and to prepare for any subsequent litigation.
  • Consultants cannot provide any privilege, but their work product can be privileged if it's prepared on behalf of the client so the client can obtain legal advice or to prepare for litigation

A few more words about privilege

  • There are no “magic words” - Marking a document as privileged does nothing.
  • Just cc’ing lawyers does not create privilege.
  • The communication must be for the purpose of seeking, obtaining or giving legal advice.
  • In-house lawyers providing business advice does not create privilege.

It’s not just about playing well with others …

Try to get into the sweet spot

(Venn diagram: Legal, InfoSec and Business, with the sweet spot at their overlap)

Trilingualism is a key skill

  • Now a multi-disciplinary venture.
  • Being able to speak business, legal and tech is a HUGE SKILL.
  • Being able to translate between business, legal and tech folks is a HUGER SKILL.
  • Actual understanding of all the stakeholders’ positions, roles and concerns is the HUGEST SKILL.
  • Read all the legal and business (non-technical) publications about privacy and security you can get your hands on. Dig deep into their perspectives.
  • Try to use plain language or plain language summaries in your reports.

Learn the language

  • Lawyers use a different language, and the legal terms can vary from jurisdiction to jurisdiction.
  • Ex: Personal information
    • In Canada all “personal information” is regulated. It doesn't matter if it’s public or private.
    • It’s personal information if it is about an individual who can be identified from the data, or there’s a real risk of identification.
  • If fully encrypted, it may not be personal information any more.
  • What law applies will likely correspond to where the individuals live.

Be prepared

  • Get to know your client and their lawyers, if you can.
  • Too often, a team is assembled as the breach is unfolding, so there is little chance to meet and greet
  • Or the insurer parachutes in their preferred teams, who may not know the business
  • Recommend a tabletop exercise; run through some scenarios
  • Get to know who does what, who calls the shots

The more you know ….

(Venn diagram: Legal, InfoSec and Business)