
    Noam Morginstin
    Jan 03 5 min read

    5 key strategies for protecting legal privilege during security incidents


    When a cyber incident hits, there are certain questions that are asked right away almost every time:

    • When do I call my cyber insurance carrier, and do I just inform them or open a claim?
    • When do I engage with internal communications and external PR, and what do I communicate?
    • When do I inform my customers, and what do I say to them?
    • When do I reach out to my breach counsel?

    The important role of the breach counsel

    When you answer that last question first, the rest of the answers will shortly, and surely, fall into place.

    This is because the role of the cyber attorney – the breach counsel – is not only to advise about compliance with domestic and international policies, privacy laws, security requirements, and corporate governance.

    In fact, these attorneys also play a critical role in assuring that all incident-related internal and external communications and documentation are created and distributed in a way that minimizes legal exposure.

    The risk of exposure

    Throughout the incident, the organization, or the MSP or IR firm that is handling the incident on its behalf, will be communicating with many different internal and external parties, including the CEO, CIO, the insurance carrier, PR firm, and many more.

    And within these communications, too often different people may share misinterpreted information or assumptions that are not grounded in the log files.

    Needless to say, this can put the organization and the MSP/IR firm at risk. If those communications and documents are not protected under attorney-client privilege and are eventually disclosed to the courts, the legal and financial ramifications can be dire.




    The privilege protection mandate

    As we can see, the importance of assuring privilege during incident response (IR) cannot be overstated.

    Privilege is so important because it frees up the incident team to communicate candidly with its lawyers about issues and concerns. It also frees up the breach counsel to provide legal advice without fear of disclosure.

    And with the rate of incidents continually on the rise, it is paramount to make sure that privilege is protected when communicating about and documenting their handling.


    The two types of IR-related privileges

    When it comes to incident response, there are two types of legal privileges – solicitor-client privilege and litigation privilege.

    Solicitor-client privilege protects communications between a client and their lawyer, where these communications are intended to be confidential and are sent by the client who is seeking to receive legal advice or by the lawyer with the aim of providing such advice.

    Litigation privilege aims to protect documents, such as cyber forensic reports and communications that are created or collected for a litigation case. This type of privilege is not restricted to communication between clients and their lawyer, and ends once the litigation ends.

    Note that the aforesaid may not be equally accurate in all jurisdictions.




    The 5 strategies

    For organizations to minimize the risk of losing legal privilege and having their confidential IR-related communications and documents disclosed, there are five key strategies that should be implemented. 

    Assuring preparation

    Protecting privilege, whether solicitor-client or for litigation, first and foremost requires preparation.

    A comprehensive response strategy and a formalized and documented incident response plan serve as the critical playbook that enables responders to understand the actions required for quickly and effectively containing an attack.

    And an important part of this plan is a set of guidelines about when to reach out to counsel and how to protect legal privilege.

    Engaging immediately

    Putting the “when” into the plan, that is, when to engage with counsel, is critical. And the answer should always be: immediately.

    Notifying counsel as soon as it is determined that a security incident has occurred will help the organization assure that it is:

    • Receiving the requisite legal advice about its decisions
    • Complying with all the relevant regulations and legal obligations
    • Communicating in a way that protects privilege

    Protecting external communications

    Another key step to protecting privilege is to assure that not only internal communications adhere to the guidelines provided by counsel, but also communications with external parties, such as forensics investigators.

    Limiting distribution

    Moreover, the actual distribution of communications and documents must be controlled and limited, to be shared on a need-to-know basis only.

    Legal privilege may be lost upon disclosure to third parties. Accordingly, distribution must always be aligned with breach counsel in advance.

    Communicating in a closed system

    Finally, with emails, chats, and other collaboration platforms being highly accessible to many users and parties, it is critical to avoid sharing incident-related communications and documents over these channels.

    Rather, a closed system that has accessibility that is limited to the incident team should be leveraged for engaging with breach counsel and incident stakeholders, both within and outside the organization.


    In conclusion

    While navigating the legal implications of fundamental incident handling activities such as communication and documentation may be complex and fraught with risk – for organizations and the MSP/IR firm handling incidents, it doesn’t have to be.

    By following strategic best practices and having in place a closed system that enables candid and secure communication about incidents, the risk of legal exposure will be greatly reduced.

    To learn about how Exigence can help with a platform that provides a closed environment for incident management, including communications and documentation, we invite you to reach out to us at


    The content herein is provided for informational purposes only, is general in nature, and does not constitute a legal opinion or legal advice and should not be construed as a legal opinion or legal advice.
