Saw this article on the front page of the September 7-13 dead tree edition of the Denver Business Journal: “Rising laptop thefts push prevention initiatives“.
It’s not enough simply to call in the IT people or have an expert run a “penetration test” of your company’s network, say lawyers who specialize in data security.
They insist that executives need legal as well as technical advice up front. They say companies face new data-security laws as well as evolving legal notions of what precautions they need to take.
That sounds really good. It’s a difficult task and requires a team effort. But hold on there…
[Bryan Cunningham, a principal of the Denver law firm Morgan & Cunningham] cites a key advantage to bringing in lawyers up front: “If you hire a law firm to supervise the process, even if there are technical engineers involved, then the process will be covered by attorney-client privilege.”
He noted that in a lawsuit following a data theft, plaintiffs usually seek a company’s records of “all the [data-security] recommendations that were made [before the breach] and whether or not you followed them. And if you go and hire technical consultants only, all that information gets turned over in discovery. [But] if you have it through a law firm, it’s generally not.”
So there you have it. Park the problem behind a lawyer straight away. But why stop there? Why not implement a corporate-wide strategy to shield all manner of mistakes, mishaps and negligence behind attorney-client privilege. Have attorneys supervise your employees and “consult” on safety issues. Cover the whole supply chain and service path while your at it. No more embarrassing or expensive issues falling out of discovery related to bad employee behavior, OSHA violations, service incompetence or product problems.
In actuality, this article is poorly titled. This isn’t a “prevention initiative” for data security, it’s a preemptive initiative for corporate irresponsibility.
This approach is a disincentive for businesses to provide adequate data security. It’s much more cost effective to pay a team of attorneys to “supervise” the data center than it is to implement and maintain a data security strategy (as the article notes, the threats are constantly changing and so must the security strategy.) What does a corporation care about 100,000 customer credit card records they let loose into the wild if they’re shielded by attorney-client privilege and not likely to be held accountable or responsible? Rather than caring about prevention, they will care more about squashing any news of such a loss. And this, I grant you, is a brilliant strategy for accomplishing just that.