Litigation is a real risk in the aftermath of a cyber-breach:
- customers might complain that their personal data has been disclosed;
- shareholders might say that you should have done more to protect the organisation from attack;
- financial institutions might allege that you did not take adequate steps to secure payment details;
- your business partners might claim breach of contract.
You may also face a regulatory investigation.
If litigation proceeds, you may be required to hand over documents to the other side, including expert reports/documents which might show your security practices were inadequate or that policies and procedures were not followed.
This is when legal professional privilege becomes crucial. Communications that are legally privileged are not disclosable.