Representing Your Business Is My Business
The Law Office of Keith C Thompson PC - Logo
This is a placeholder for the Yext Knolwedge Tags. This message will not appear on the live site, but only within the editor. The Yext Knowledge Tags are successfully installed and will be added to the website.
,
This is a placeholder for the Yext Knolwedge Tags. This message will not appear on the live site, but only within the editor. The Yext Knowledge Tags are successfully installed and will be added to the website.

Blog Layout

Privileges in your business’ cybersecurity

KCTlaw • Jul 17, 2019

Cybersecurity is an overall business risk because you will always have vulnerabilities and despite your greatest efforts, there is no such thing as being truly “secure”. Because you could devote all of your resources to cybersecurity and still remain insecure, you must treat the risk like you would any other and use your business judgment to determine what is reasonable for your unique circumstance. These risks open up a crucial role for an attorney in your business’ cybersecurity because Attorney’s privileges keep everything confidential.
 
While working on your business’ cybersecurity posture, there are several concepts that would incline any business owner to seek out and acquire legal counsel.
  •  Some risks are inevitable and must be accepted as a part of doing business.
  •  Businesses are hoping to avoid having to disclose information that is developed and used during the pre-incident cyber-risk management process.
  •  Once an incident occurs they want to protect the info they discover through the investigation.
 In cybersecurity related situations, Attorney-Client privilege protects only confidential communications between an attorney and their representatives and the client and their representatives that were not intended to be disclosed. In the same situations, the Work-Product Doctrine only protects communication, information, and materials made and developed in anticipation of litigation or trial.
 
Because of these limitations, one can see that while these privileges are powerful when they apply, they can also be quite fragile and uncertain. In order to ensure your Attorney-Client privilege and Work-Product Doctrine are applicable to your situation you must follow these practices in your cybersecurity for legitimacy.
  • Use two separate outside teams for investigating in the ordinary course of business and in anticipation of litigation.
  • Outside counsel’s role in an investigation should be active and substantive, not perfunctory.
  • Obtain outside counsel first, and then have counsel retain the investigators or consultants and limit the dissemination of information.
 Some things to remember in ensuring your safe practice with counsel on your cybersecurity are
  1. Remember Attorney-Client privilege applies to communication and does not shield facts. Work-Product doctrine only applies in anticipation of litigation.
  2. Due to the precarious nature of privileges, the best course of action is to prepare by doing everything possible to ensure applicability of privileges but carry out the work as though there will be no privileges. There may not be.
  3. Work with your counsel to understand this uncertainty and strategy. Discuss communication protocols with the appropriate members of the workforce so they understand what types of things should and should not be put into writing. Note that everything from memos, emails and texts could be considered “writing” in an investigation.
  4. You don’t have to produce what does not exist. If you do not have something in writing, do not put it in writing. 
  5. Create multiple drafts when things must be put in writing.
  6. The Attorney must truly direct the communication. Simply copying your counsel onto a communication will not be sufficient enough to establish protections.
  7.  Label documents and email subject lines to show the communication is Attorney-Client privileged and information is requested by counsel.
  8. For communication between clients and counsel, segregate those regarding legal advice from those that are not legal in nature but pertain to purely business issues.
  9. For pre-incident risk management engagements, some ways to help with the applicability of privilege is to hire the attorney first for the purpose of providing the client with legal advice on legal and regulatory implications of its cyber-risk posture.
  10. For incident response situations, clients should retain legal counsel first. Counsel then decides whether parallel investigative tracks are desirable and then retains consultants. Counsel should actively and substantially lead the investigation and use the consultants’ work to render legal advice that is only shared in a controlled manner.
 These practices can be applied to any scenario you may face in your cybersecurity.
  • Cyber breach
  • Critical employee termination
  • Discovery of illegal employee activity affecting customers
  • Phishing
  • Ransomware
  • Botnets
  • Distributed denial of service attacks

The Law Office of Keith C Thompson PC Blog

By KCTlaw 17 Jul, 2019
Cybersecurity is an overall business risk because you will always have vulnerabilities and despite your greatest efforts, there is no such thing as being truly “secure”. Because you could devote all of your resources to cybersecurity and still remain insecure, you must treat the risk like you would any other and use your business judgment to determine what is reasonable for your unique circumstance. These risks open up a crucial role for an attorney in your business’ cybersecurity because Attorney’s privileges keep everything confidential. While working on your business’ cybersecurity posture, there are several concepts that would incline any business owner to seek out and acquire legal counsel. Some risks are inevitable and must be accepted as a part of doing business. Businesses are hoping to avoid having to disclose information that is developed and used during the pre-incident cyber-risk management process. Once an incident occurs they want to protect the info they discover through the investigation. In cybersecurity related situations, Attorney-Client privilege protects only confidential communications between an attorney and their representatives and the client and their representatives that were not intended to be disclosed. In the same situations, the Work-Product Doctrine only protects communication, information, and materials made and developed in anticipation of litigation or trial. Because of these limitations, one can see that while these privileges are powerful when they apply, they can also be quite fragile and uncertain. In order to ensure your Attorney-Client privilege and Work-Product Doctrine are applicable to your situation you must follow these practices in your cybersecurity for legitimacy. Use two separate outside teams for investigating in the ordinary course of business and in anticipation of litigation. Outside counsel’s role in an investigation should be active and substantive, not perfunctory. Obtain outside counsel first, and then have counsel retain the investigators or consultants and limit the dissemination of information. Some things to remember in ensuring your safe practice with counsel on your cybersecurity are Remember Attorney-Client privilege applies to communication and does not shield facts. Work-Product doctrine only applies in anticipation of litigation. Due to the precarious nature of privileges, the best course of action is to prepare by doing everything possible to ensure applicability of privileges but carry out the work as though there will be no privileges. There may not be. Work with your counsel to understand this uncertainty and strategy. Discuss communication protocols with the appropriate members of the workforce so they understand what types of things should and should not be put into writing. Note that everything from memos, emails and texts could be considered “writing” in an investigation. You don’t have to produce what does not exist. If you do not have something in writing, do not put it in writing. Create multiple drafts when things must be put in writing. The Attorney must truly direct the communication. Simply copying your counsel onto a communication will not be sufficient enough to establish protections. Label documents and email subject lines to show the communication is Attorney-Client privileged and information is requested by counsel. For communication between clients and counsel, segregate those regarding legal advice from those that are not legal in nature but pertain to purely business issues. For pre-incident risk management engagements, some ways to help with the applicability of privilege is to hire the attorney first for the purpose of providing the client with legal advice on legal and regulatory implications of its cyber-risk posture. For incident response situations, clients should retain legal counsel first. Counsel then decides whether parallel investigative tracks are desirable and then retains consultants. Counsel should actively and substantially lead the investigation and use the consultants’ work to render legal advice that is only shared in a controlled manner. These practices can be applied to any scenario you may face in your cybersecurity. Cyber breach Critical employee termination Discovery of illegal employee activity affecting customers Phishing Ransomware Botnets Distributed denial of service attacks
By KCTlaw 16 Jul, 2019
If you can't bake a cake without all the ingredients, you can't run a successful business without having preventative measures in place. Chances are, your business is your livelihood. In that case, wouldn't you want to protect it as if your life depends on it? Simply making sure you have your ducks in a row can mean the difference between success and failure (aka lawsuits or no lawsuits). Prevention can be overwhelming, and although we can’t cover EVERYTHING, below we’ve broken down 5 ways you can protect your business, regardless of its size. 1. Keep Accurate Records and Put Everything in Writing Running a business means that “business” is being conducted day in and day out. With so many moving parts, (like employees and inventory) there’s a lot to keep track of. If you want to keep your head above water, the best way to do that is to remain organized. According to the IRS, keeping accurate and in depth records can aid in keeping tabs on many things. Monitoring the progress of your business Prepping your financial statements Identifying sources of income Keeping track of deductible expenses Keeping track of your basis in property Prepping your tax returns Supporting items reported on your tax returns Another major preventative for your business is ensuring that everything is put into writing. No deal or agreement is sufficient with only a handshake or verbal communication. Good intentions and trust is no substitution for a written agreement. Verbal Agreements are meaningless Verification doesn’t exist without documentation Your rights rely on documentation Misunderstandings and miscommunication happens all the time. Ensure your business’s safety and rely on written documentation, not a past conversation. 2. Follow Employment Laws and enforce policies and expectations clearly Businesses are typically subjected to many different employment such as wage and hour laws, safety regulations, and laws intended to extinguish workplace harassment and discrimination. Even if any of these laws or regulations are broken unintentionally, you may find yourself with a lawsuit in your lap. Know what laws apply to you so you can create and enforce policies to ensure your business is in compliance. 3. Provide Outstanding Customer Service Not only should you be clear and compliant with your employees, you need to communicate with your customers and clients as well. Whether an order will be delayed, or you learn a project will take longer than expected, you don't want an unhappy customer. You never know what type of person you're dealing with, and sadly there are people out waiting on the edge of their seat for anything they can use to place blame on you and your business. Apart from keeping communication open with your customers, you need to be able to provide a positive and appealing environment overall. If your store is filthy and your checkout girl has an attitude, chances are you’ll be losing some customers. 4. Get Insured When owning a business, risks come with the territory. Therefore, its pertinent that you have solid liability insurance. Say someone gets hurt in your business or your system is hacked, insurance is there to cover those risks and losses and in return, minimizes your chances of getting sued. Insurance companies can handle claims, and negotiate settlements should those situations present themselves. 5. Find a Great Business Lawyer If there’s one professional you want in your corner, it’s a business attorney. No matter what phase of business ownership you’re in, a good business attorney can provide you with advice and the vital assistance you’ll want to ensure your business is a well oiled machine. Some instances could include but are not limited to the following. Zoning Copyright and Trademark Corporation and LLC Domains Licenses and permits IRS paperwork Written agreements for contracts and consultants Contracts for the sale and rental of goods Buy-sell agreements for business partners
Share by: