When a cyber‑incident occurs, organisations typically move quickly to investigate the cause, contain the damage, and communicate with regulators and stakeholders. At the same time they need to protect sensitive communications and forensic findings from discovery in litigation or regulatory proceedings, a step that is often overlooked. The way to do this is to claim legal privilege.
Legal professional privilege (LPP)—called attorney–client privilege in the US—shields confidential communications for the purpose of obtaining legal advice and, under the work‑product doctrine or litigation privilege, documents prepared in anticipation of litigation. This article outlines practical steps to claiming and maintaining legal privilege before, during and after a data breach.
Understanding privilege foundations
Legal advice privilege versus litigation privilege
LPP has two parts:
- Legal advice privilege protects confidential communications between lawyers and their clients for the dominant purpose of obtaining legal advice.
- Litigation privilege (or the US work‑product doctrine) covers documents or communications made for ongoing or anticipated litigation.
Privilege, however, does not extend to underlying facts or data; placing facts inside a privileged document does not shield them.
Jurisdictional differences
Common‑law countries recognise both privileges, while civil‑law jurisdictions often codify confidentiality rather than broad privilege. Under EU law, only communications with external EU‑qualified lawyers are protected; in‑house counsel communications may be discoverable.
Waiver risks
Privilege can be waived if confidential materials are shared with third parties or used for non‑legal purposes. Courts scrutinise the dominant purpose of forensic reports and look at evidence such as engagement letters, payment sources and public statements to decide whether a report was prepared for legal advice or for business reasons.
Preparing before a breach
Strong privilege claims begin long before an incident. Organisations should embed privilege protocols into their cybersecurity readiness and incident‑response programmes.
- Update the incident response plan (IRP) – Incorporate a privilege protocol into the IRP that:
  - identifies trigger events requiring immediate engagement of legal counsel; and
  - sets out procedures for transitioning into a privileged investigation.
- Pre‑vet legal and forensic teams – Establish relationships with external breach counsel and a panel of independent forensic firms ahead of time. Master Services Agreements and Statements of Work should be prepared for privileged investigations so that counsel can quickly retain experts when needed.
- Develop a two‑track investigation framework – Plan a dual‑track model separating non‑privileged operational response from the privileged legal investigation. Define roles, responsibilities and communication flows for each track to prevent cross‑contamination.
- Conduct privilege training for stakeholders – Provide regular training to IT, security, executives and board members on privilege fundamentals, confidentiality and proper communication hygiene. Emphasise that speculative written records and casual emails may become discoverable.
- Adopt a privilege policy and secure channels – Create clear policies on when to involve counsel and on labelling communications as “privileged & confidential”, and use secure, segregated channels for legal communications. Pre‑incident discipline reduces the risk of inadvertent waiver.
- Manage third‑party vendors and operators – Under POPIA, the responsible party remains liable for breaches by third‑party processors (“operators”). Section 21 requires that organisations and their operators enter into written contracts mandating appropriate security measures and that operators notify the responsible party of any suspected breach. Preparing these contractual protections, and conducting privacy and cyber‑security assessments and periodic audits of vendors, demonstrates due diligence and helps preserve privilege when incidents occur.
Actions during a data breach
Once a breach is suspected, the organisation must swiftly pivot from preparedness to execution. The steps below help ensure that investigations remain within the protective cloak of privilege.
- Engage legal counsel immediately – The IRP should direct the team to notify external breach counsel as soon as a significant incident is suspected. Early engagement allows counsel to direct the investigation and demonstrates that the dominant purpose is to obtain legal advice.
- Document the anticipation of litigation – Counsel should contemporaneously record why litigation or regulatory action is reasonably anticipated. This evidentiary record supports claims of work‑product or litigation privilege later.
- Formalise forensic engagement through counsel – Retain forensic investigators under a new, incident‑specific Statement of Work that states the purpose is to assist counsel in providing legal advice and preparing for litigation. Payment should be made through the legal budget.
- Implement the two‑track model – Activate the dual‑track structure: the operational track (internal IT or regular vendors) focuses on containment and remediation, while the legal track (forensic firm reporting exclusively to counsel) is fire-walled from operational work. Assume all communications in the operational track are discoverable; channel legal analysis through counsel.
- Secure communications and label documents – Use a secure, segregated communication channel for the privileged investigation and restrict access on a “need‑to‑know” basis. Consistently mark documents as “Privileged & Confidential – Attorney‑Client Communication / Attorney Work Product”.
- Control written reports – Consider whether a written forensic report is necessary for the legal track. If produced, it should focus narrowly on factual analysis for legal purposes and avoid operational recommendations. Reports for broader business, board or regulatory purposes should be separate and sanitised, derived from the non‑privileged operational track.
- Limit communications with forensic firms – Courts often find that communications with forensic firms are not privileged if the firm had a pre‑existing business retainer or if the report would have been produced regardless of litigation. Provide substantive updates via controlled calls, minimise email distribution and avoid mixing technical or PR messaging with legal advice.
- Manage public statements carefully – Public announcements promising to publish a forensic report or sharing extensive details may signal that the report serves non‑legal purposes. In cases like Optus and Medibank, courts denied privilege because reports were used to update the stock exchange and reassure customers. Coordinate with legal and PR teams to avoid inadvertent waiver.
Managing the aftermath
After containment, organisations must continue to protect privilege while fulfilling legal obligations and managing stakeholders.
- Separate legal and non‑legal work products – Provide factual summaries to regulators and affected individuals to meet notification requirements; do not embed legal analysis in those documents. Privilege cannot excuse compliance with statutory duties, as the LifeLabs case showed. Courts emphasise that privilege does not protect underlying facts.
- Prepare privileged legal analyses – Counsel should prepare confidential memoranda discussing legal risks, defences and strategy. These analyses remain privileged if they are confined to the legal track and are not widely circulated.
- Manage third‑party disclosures through counsel – All communications with regulators, insurers, auditors and law enforcement regarding the substance of the investigation should be handled by legal counsel. Whenever possible, use confidentiality and non‑waiver agreements before sharing sensitive information.
- Comply with South Africa’s POPIA – Section 22 of POPIA requires a responsible party to inform the Information Regulator and the data subject of a data breach as soon as reasonably possible after discovery, taking into account law‑enforcement needs. The notification must contain prescribed information and may only be delayed if regulators determine that notification would impede a criminal investigation. Privilege does not excuse these statutory duties, so organisations should prepare non‑privileged factual notifications while keeping legal analysis separate.
- Update documentation and training – Following the incident, revise IRPs, privilege policies and training programmes based on lessons learned. Document what worked and what did not to improve future privilege claims.
- Prepare for cross‑border litigation – If the breach affects multiple jurisdictions, engage counsel in each relevant country. EU investigations require external EU‑qualified lawyers because communications with in‑house counsel are not privileged. Consider local disclosure obligations and privilege rules when crafting post‑incident strategies.
How ITLawCo can help
When a data breach occurs, ITLawCo ensures that your legal privilege is protected while you respond fast and comply with the law.
- Privilege-first response: ITLawCo leads investigations under a legally privileged framework—engaging forensic experts, drafting engagement letters, and controlling communications to meet the “dominant purpose” test for privilege.
- POPIA and global compliance: ITLawCo helps South African organisations meet POPIA sections 21 and 22 obligations (breach notification and operator agreements) while keeping legal advice confidential. For cross-border clients, it aligns privilege strategy with GDPR, CCPA, and other regimes.
- Forensic and regulator management: Acting as breach coach, ITLawCo coordinates forensic investigations, regulator communications, and insurer notifications—balancing transparency with legal protection.
- Governance and training: ITLawCo embeds privilege discipline into your incident-response plans, contracts, and executive training so your teams act confidently before, during, and after a breach.