An interesting trend is developing. Some corporate clients are hiring law firms when they experience a data breach, as noted in a Wall Street Journal article on March 31st. The link is only available to subscribers. I'm not particularly thrilled because one obvious driver is using the attorney-client privilege to keep bad news secret. As I've said many times, businesses tend NOT to report breaches, the data breach laws of 47 states notwithstanding.
Obviously, the law firm can help with understanding and complying with the patchwork of data breach notification laws should that be necessary. But to my cynical mind, the primary impetus is to sign with a law firm first and then let the law firm hire the digital forensics experts in an attempt to keep the reports privileged.
The SEC instituted its voluntary corporate-disclosure plan for data breaches in October of 2011 and sent dozens of letters to companies last year asking about cybersecurity disclosures. I personally hope the SEC really turns up the heat so we truly learn what those of us in information security believe - that virtually all businesses of any size have suffered one or more breaches.
Hat tip to Alan Goldberg.