Download This PaperLegal Professional Privilege and Cybersecurity Breach in Context: A Comparative Law Analysis
14 Pages Posted: 28 Jan 2021 Last revised: 14 May 2021
Date Written: January 27, 2021
Abstract
Every company is undoubtedly under attack from hackers. Many companies have suffered data breaches resulting from cybersecurity. In Britain and the United States, the legal privilege strategy has been developed to shield companies after a cyber-attack from tortious liability. However, unlike in the United States, businesses in the British consumer market do not have to notify data subjects that cybercriminals have breached cybersecurity measures. Furthermore, compared to work product doctrine in American law, litigation privilege in British law is broad. It extends to prospective witnesses. On the other hand, work product privilege in American law is limited to documents. Hence, when a legal privilege strategy gets used against British plaintiffs, they are unfairly deprived of using pre-trial discovery procedures to access evidence essential to proving a data controller's tortious liability. Lawyers play a significant role in protecting against and responding to a data breach. In case a company finds itself amongst businesses that are suffering a breach, lawyers invariably become the critical members of the team to address the issues relating to the extent and nature of confidential information, contract implications with third parties, insurance coverage, regulatory enforcement actions, consumer and employee actions and shareholder litigation. These are issues that need a consultation with external counsel that have appropriate expertise in data security. The presence of in-house counsel will play a vital role in the general aftermath of a data breach. Parliament is supreme in the British constitutional law system. The issues identified by the current paper on the use of litigation privilege strategy by British companies as a cyber-risk management strategy can only get conclusively addressed by legislators. The study first recommends that the British Data Protection Act of 2018 gets amended to create a legal duty on businesses in the British consumer market to notify their clients when a cyber-attack leads to unlawful disclosure of stored private information. Second, the study recommends that the scope of litigation privilege in British law gets limited to documents using a statute.
Keywords: Legal Professional Privilege, Data Breach, Litigation, Cybersecurity, Corporate Responsibility
JEL Classification: K13,K14,K33
Suggested Citation: Suggested Citation
Queen Mary University of London - School of Law ( email )
67-69 Lincoln's Inn Fields,
London, London WC2A 3JB
United Kingdom