TheCorporateCounsel.net

February 14, 2022

Cyber Breaches: Internal Communication “Dos” & “Don’ts”

When a company experiences a cybersecurity incident, a disciplined communication strategy is essential in order to protect attorney-client privilege and mitigate the legal and business risks associated with the unintended disclosure of internal communications about the incident. This Bryan Cave blog lays out some “dos” and “don’ts” when it comes to communicating internally about a breach. Here are some of the don’ts:

– DO NOT include subjective conclusions/assessments (e.g., “this was a big mistake,” “our systems were not adequately protected”) in email communications.

– DO NOT circulate forensics or other reports via email, particularly in draft form. Reports should be reviewed using a screen sharing application or similar means, and any dissemination via email or otherwise should be done only when the report has been finalized and at the direction of counsel.

– DO NOT communicate about the incident via other unofficial means (e.g., texts, instant messaging, other non-company communication applications), unless the nature of the incident mandates use of an approved secondary communication method.

– DO NOT destroy or delete any written communications related to the incident until receiving specific instructions to do so.

While the tips provided by the blog are intended to address communications surrounding a cybersecurity incident, many of the dos & don’ts laid out in the blog apply generally to internal communications arising out of other crisis situations.

John Jenkins