As investigations and consumer backlash continue to threaten Target's carefully crafted brand identity, there are a considerable number of lessons to be learned in this crisis – namely hiring a legal adviser.
"The main advantage to putting a lawyer in charge of a post-breach probe—and not someone from IT–is doing so can give the company cover behind attorney-client privilege," said White & Case Partner Daren Orzechowski, who focuses on information technology legal matters, including privacy. "That protection can make life easier for executives faced with pressure to disclose any reports prepared for internal use to figure out what happened and how to respond."
"Top company executives likely will be looking for information about the nature of the attack and the extent of the damage so they can start crafting a response to customers, shareholders and regulators. However, summary reports prepared by attorneys that may contain information highlighting the company's negligence in its systems or monitoring—issues that could prove consequential in court—are more likely to stay private due to the privilege protections," Orzechowski continued. "If the attorney does it, it can be protected by privilege and perhaps not discoverable if litigation ensues. If IT does it the company will have to produce it. It is not protected in connection with litigation."
"Along with the importance of having a plan in place before a breach occurs," Orzechowski said the first step in the process that follows a breach is to find the source and make sure it has been neutralized. Also, once the facts are assembled, attorneys need to check the company's insurance policies and agreements with credit card companies, and determine which breach-notification laws apply and how and when responses need to be made, he said. "Get the facts, preferably using attorneys, protect and mine those facts the best you can and start applying them to things."