When these situations arise in your organization, there is typically the need for legal advice and consultation. None of us can accurately predict whether or not a security incident or breach investigation will end up as a lawsuit or regulatory fine. But all of us need to understand the implications of our communications with others and how these communications can impact an investigation.
I’m not an attorney but I have worked closely with legal advisors on numerous security incident and breach investigations. As a result, I have witnessed firsthand the value of asserting the attorney/client privilege. Unfortunately, there seems to be a lack of awareness and understanding in leveraging this valuable tool which explains why I rarely see it invoked in healthcare.
The attorney client privilege can protect confidential communications between a lawyer and an incident response and investigative team. When the privilege is asserted, it can prevent the disclosure of these privileged communications. The purpose of the attorney/client privilege is to encourage open communication while minimizing the risk of disclosing these communications to opposing parties.
Communications, both written and oral, may have to be disclosed in a breach or regulatory investigation if the communications do not maintain the attorney/client privilege. Communications, including inaccurate ones, can then be used as evidence against your organization if they are not protected by the attorney/client privilege.
There are four basic elements which should exist for the attorney client/privilege to apply:
- A COMMUNICATION – This could be a written, oral or electronic communication. It is recommended that written or electronic communications be marked “Attorney Client Communication – Privileged and Confidential.” This provides the intent of the communication.
- MADE BETWEEN PRIVILEGED PERSONS – This can be the incident response and investigative team members and the attorney designated and responsible for working on the issue. This can also include a paralegal or assistant working on the issue on behalf of the attorney.
- IN CONFIDENCE – This means it should be made with the intent that the communications remain confidential. There should be no communication regarding the issue except with persons who have a need to know. Any communication should be stored in a separate, secure location with limited access to assure it remains confidential.
- FOR THE PURPOSE OF SEEKING, OBTAINING OR PROVIDING LEGAL ASSISTANCE – The communications should be for the purpose of obtaining or providing legal advice and counsel which is imperative whenever a breach or regulatory investigation is involved.
Failure to follow these narrow guidelines may result in a waiver of the privilege itself. This means the communications may well have to be revealed in a lawsuit or regulatory investigation. If a court concludes the privilege has been waived, then all confidential attorney client communications in the matter may have to be revealed as well.
How and with whom you communicate can make an enormous difference in the outcome of a lawsuit or regulatory investigation. The attorney client privilege is well established as a legal doctrine that protects confidential communications between attorneys and their clients. However, its application is not a 100% guarantee that communications won’t be revealed. But by taking the time to get a basic understanding of the attorney/client privilege, your organization can potentially obtain legal advice while protecting your communications instead of inadvertently creating evidence for the opposing party.