Saturday, September 22, 2018

The value of legal privilege: Your diligent privacy consultant may become your worst enemy

A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.

The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.

I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.

Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.

In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.

In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.

With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.

If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.

No comments: