The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Internal Investigations

  • From Vol. 4 No.41 (Dec. 5, 2018)

    Answers to Four Critical Questions on Privilege in Internal Investigations

    Many lawyers do not understand the concept of privilege fully, Stuart Altman, senior vice president and global CCO at Las Vegas Sands Corp., observed at a recent webinar hosted by Strafford. A privileged communication is one “between client and lawyer sent under confidential conditions for purposes of seeking or providing legal advice,” he explained. When it comes to internal investigations, it can be difficult to determine what constitutes a communication covered by the privilege, who counts as an attorney, who counts as a client and when privilege might be waived. Altman was joined by Michael Hayes, a partner at Montgomery McCracken Walker & Rhoads, in discussing the nuances of the answers to these four key questions. See our three-part series on protecting attorney-client privilege and attorney work product while cooperating with the government: “Establishing Privilege and Work Product in an Investigation” (Feb. 8, 2017); “Strategies to Minimize Risks During Cooperation” (Feb. 22, 2017); and “Implications for Collateral Litigation” (Mar. 8, 2017).

  • From Vol. 4 No.38 (Nov. 14, 2018)

    A Roadmap to Preparing for and Managing a Cyber Investigation

    A successful cyber investigation starts before an incident: creating an effective incident response plan and fostering strong relationships between legal and information security teams sets the foundation for tackling the challenges that arise once an investigation has begun. In this guide, we provide a roadmap to help companies ensure they take a successful approach to preparing for and managing a cyber investigation. See “Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios” (Jun. 20, 2018) and “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

  • From Vol. 4 No.17 (Jun. 20, 2018)

    Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios

    Lawyers are increasingly on the front lines of responding to significant cyber incidents. At a recent Georgetown Cybersecurity Law Institute conference, panelists from three global companies discussed best practices and practical tips for attorneys managing a cyber investigation. Moderator Kimberly Peretti, a partner at Alston & Bird, presented three real-life scenarios to Wyndham Worldwide’s chief compliance officer, chief counsel for cybersecurity and privacy at SAIC and the CISO at Cvent, a global meetings and events technology software company. Their recommendations included planning ahead, creating and practicing robust incident response plans and fostering a strong relationship between legal and information security teams. See our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 4 No.10 (May 2, 2018)

    Lessons on Litigation Privilege in Internal Investigations from the U.K.’s Bilta v. Royal Bank of Scotland Case

    Does the attorney-client privilege apply to documents created during an internal investigation? This question was answered in the affirmative in a recent High Court of England and Wales matter in which the Court determined that certain documents created by RBS during an internal investigation conducted to prepare for a potential dispute with the U.K. tax authority were protected by the privilege. The decision was a sharp contrast to the High Court’s prior holding in the ENRC case where it determined that privilege was unavailable for documents created during a similar investigation. In a guest article, Boies Schiller partner Matthew Getz and associate Prateek Swaika discuss the implications of the decision and offer practical tips for preserving privilege in the wake of the High Court precedents. See also our three-part series on protecting attorney-client privilege and attorney work product while cooperating with the government: “Establishing Privilege and Work Product in an Investigation” (Feb. 8, 2017); “Strategies to Minimize Risks During Cooperation” (Feb. 22, 2017); and “Implications for Collateral Litigation” (Mar. 8, 2017).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    How Will the GDPR Affect Due Diligence?

    Among the many provisions of the GDPR with which companies are grappling is Article 10, which affects the processing of personal data relating to criminal activity. This kind of data collection is a core part of many different types of diligence and investigations. Article 10 “will basically put companies subject to both the GDPR and non-E.U. laws between a rock and a hard place,” potentially subjecting them to “the wrath of the U.S. Department of Justice,” for example, Alja Poler De Zwart, counsel at Morrison Foerster in Brussels, told The Cybersecurity Law Report. This article discusses how companies can approach Article 10 and the patchwork of applicable member-state laws. See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    Gathering and Analyzing Compliance Data

    Many organizations generate and hold metrics about their compliance program. This vital information can be used to measure the effectiveness of these programs and ultimately improve them, but only if it is gathered and analyzed effectively – and those can be challenging tasks. This article provides a roadmap for gathering and analyzing compliance data as well as continually using it to improve compliance programs. See also “Tracking Data and Maximizing Its Potential” (May 17, 2017).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Effective and Compliant Employee Monitoring (Part One of Two) 

    When can companies “spy” on their employees? Monitoring data systems and employee digital activity is critical to reducing the significant cybersecurity risks that employees pose (either inadvertently or maliciously), but companies do need to make sure they comply with consent and other legal requirements when implementing surveillance programs. This first part of a two-part series on the topic addresses the role of data monitoring, effective notice, legal considerations, and specific policies regarding BYOD, termination and remote employees – including stories from the trenches. Part two will provide operational guidance on implementing effective and compliant monitoring programs, and discuss privacy concerns in different types of employee surveillance, including the contrasting rules and approaches in Europe. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Protecting Attorney-Client Privilege and Attorney Work Product While Cooperating With the Government: Establishing Privilege and Work Product in an Investigation (Part One of Three)

    Protecting sensitive communications and investigation documents under the attorney-client privilege or work product doctrine is crucial when companies cooperate with the government during breach investigations. Challenges often arise because the privilege and, to a lesser extent, the work product doctrine generally require confidentiality and cooperating with law enforcement often necessitates disclosure. In a three-part guest article series, Eric J. Gorman and Brooke A. Winterhalter, Skadden partner and associate, respectively, seek to unwind the conundrum by closely examining the interplay between the attorney-client privilege and work product protection on the one hand, and cooperation with the government on the other. This first part in the series addresses how and when these protections are created during internal investigations, and steps that can be taken to establish and maintain them. See also “Attorney-Consultant Privilege? Key Considerations for Invoking the Kovel Doctrine (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

  • From Vol. 2 No.19 (Sep. 21, 2016)

    Managing Data Privacy Challenges While Conducting Due Diligence and Investigations in China (Part Two of Two)

    For companies doing business in China, understanding data privacy and cybersecurity legal requirements under Chinese law is critical. But once a company is familiar with these basic legal contours, more practical concerns dominate the ability to successfully conduct internal operations and external transactions. In this article, the second in a two-part series on China’s data privacy and cybersecurity laws, we share insights from practitioners working in China on how companies can manage the actual challenges of running their businesses while staying on the right side of the law. The first article in the series explained the basic structure of the data compliance regime in China, including criminal law, civil law, industry regulations and the draft Cybersecurity Law. See also “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Six State Secrets and Data Privacy Considerations in Chinese Internal Investigations 

    China’s state secrets law is the source of much angst for lawyers. While the concept of protecting state secrets is straightforward – and common to most countries – the breadth and ambiguity of China’s law, and the inconsistent way it is enforced, create unique data privacy challenges for companies operating in the PRC, especially when they are conducting internal investigations that require data to be transferred out of the country. This article, drawing on interviews with a number of attorneys practicing law on the ground in Asia, details six key considerations related to the state secrets laws for companies formulating sensible investigation strategies in China. For our companion article, see “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016). 

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow 

    China’s far-reaching restrictions on reviewing and transmitting certain types of data present unique complications for companies. In particular, China’s state secrets law is a significant source of complexity for foreign companies and their counselors. The way state secrets in China are defined and identified, and the way they must be handled, create operational challenges for many; the broad definition of implicated information, as well as the types of companies that may possess it, means that these data flow restrictions impact not only government entities but also many private companies, limiting their ability to move data, even internally. Through advice from several attorneys working in Asia, this article explains the law’s framework, what types of information and entities are covered, as well as the risks at stake. See also “Foreign Business Chambers Sign Open Letter Against Chinese Cybersecurity Regulatory Changes” (Jun. 8, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach

    Companies must make a myriad of decisions in the first 48 hours after a breach that will impact the rest of the breach investigation. At the recent Georgetown Cybersecurity Law Institute, a panel of outside and in-house counsel and a forensic investigator shared their advice about breach response, including a “quick start” guide, the common mistakes they see companies make during the initial response, what outside counsel will ask when they are contacted about a breach, what to look for (and what to beware of) when choosing a forensic team, how to preserve privilege throughout the investigation, and how to know when to stop looking for the hacker. See also “A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation”: Part One (Apr. 27, 2016), Part Two (May 11, 2016), Part Three (May 26, 2016).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Avoiding Privacy Pitfalls While Using Social Media for Internal Investigations

    Social media can offer valuable information to companies conducting internal investigations.  However, companies must be vigilant about employees’ privacy rights as well as the laws and restrictions in place to protect those rights.  Lily Chinn, a partner at Katten Muchin Rosenman, spoke with The Cybersecurity Law Report about these privacy challenges and the proactive steps companies should take to avoid liability and complications, including how departments should coordinate and specific points that should be addressed in company policies.  See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); Part Two, Vol. 1, No. 12 (Sep. 16, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part Two of Two)

    There are several steps companies can take before and after a data breach to best position themselves for the litigation likely to follow.  In this second installment of our coverage of a recent Mintz Levin webinar, partners Kevin McGinty and Mark Robinson explore best practices for internal investigations and common defenses in data breach class actions.  The first article featured insight from partner Meredith Leary on how companies can put themselves in the best position now to defend their actions post-breach and Robinson’s list of threshold questions that companies can ask themselves at the outset of a data breach internal investigation.

  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

    In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits.  In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach.  This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later.  The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach.  In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions.  See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine.  The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said.  The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report.  See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).
