It’s go time. This is not a drill. The data is exfiltrated. The ransom note has been left on the server. The security team is working to contain the threat. The tabletop exercises prepared you for some of this. They didn’t prepare you for the flurry of communications, stress, and adrenaline.
In the heat of incident response, every message matters. Not just for operational success, but as potential evidence in future litigation and regulatory proceedings. Organizations face a delicate balance: respond quickly and transparently while protecting themselves from lawsuits and compliance violations. The instinct is to have attorneys direct everything, hoping to shield communications behind legal privilege. But courts increasingly reject these protections, and many critical incident communications fall outside legal boundaries anyway.
Understanding these limitations isn’t just about legal theory, it’s about building incident response processes that work under pressure while standing up to scrutiny later.
This blog explores how legal protections like attorney-client privilege and work-product doctrine apply to incident communications, why many crisis messages fall outside those protections, and what organizations can do to safeguard communications during a cyber incident.
What is Attorney-Client Privilege?
Attorney-client privilege keeps communications between an attorney and their client confidential. Although this might seem like a blanket protection for every discussion with a lawyer, courts limit it significantly by applying it only to disclosures made to obtain legal advice. It does not extend to the underlying facts themselves, so in practice it protects only a small subset of what organizations share with their lawyers.
What is Work-Product Protection?
Work-product protection expands the scope of protected communications beyond privilege. However, courts limit this by focusing on the phrase “in anticipation of litigation or for trial.” As the DOJ Journal of Federal Law and Practice noted in May 2021, this protection only applies to the conversations and reports created after an incident rather than as part of normal business practice, meaning simply adding outside or in-house counsel to emails and communications may not trigger protection.
What are Crisis Communications?
Crisis communications include internal discussions about an incident and external messaging provided to the media, government agencies, and people with compromised data.
Even if a court is willing to extend protections across forensic information created with an attorney-directed security firm, plaintiff’s counsel or regulators may request the organization’s internal and external crisis communications as evidence during litigation or a post-incident audit.
Data Breach Notifications
Increasingly, data protection regulations mandate specific timelines and requirements around crisis communications, like:
- General Data Protection Regulation (GDPR): Notify supervisory authority within 72 hours of becoming aware of the data breach.
- Securities and Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: Disclose incidents within 4 business days after determining that a cyber incident is material.
- Federal Trade Commission (FTC) Health Breach Notification Rule: For personal health record (PHR) data breaches impacting 500 or more people, notify news media and place notice on the organization’s website within 60 calendar days of discovering the breach; for PHR data breaches impacting fewer than 500 people, notify the FTC no later than 60 calendar days following the end of the calendar year.
Workforce Communications
During incidents, organizations typically coordinate messaging across multiple internal teams. These communications may include:
- Marketing and public relations: Discussions between marketing, senior leadership, legal department, and internal or contracted public relations teams about how to discuss the incident.
- Customer support: Discussions between senior leadership, legal department, and customer support to answer customer questions about the incident.
- Sales team: Discussions between senior leadership, legal department, and sales to determine how to respond to potential buyers asking questions about the incident.
- Security and IT: Discussions around detections and escalating incident response activities prior to initiating a forensic investigation.
These discussions primarily focus on operational response and communications with external stakeholders rather than litigation preparation. While organizations may consider how these communications could create legal liability, these conversations often fall outside attorney-client privilege or work-product protections.
Board of Directors Communications
Senior leadership needs to ensure that the Board of Directors understands the data breach's potential financial, compliance, and reputational impacts. While board communication may not occur during the initial investigation phase, directors typically request additional information and may call special meetings as the incident's scope and impact become clearer.
Why Secure Messaging Apps Fail to Provide Appropriate Evidentiary Documentation
In a data breach’s aftermath, organizations often face civil lawsuits or regulatory investigations that can include discovery of all internal communications. While most organizations respond to incidents appropriately, their internal communications should demonstrate this fact. Simultaneously, organizations should secure these communications the same way they protect other incident data, such as event logs.
As organizations work to balance securing internal communications with preparing for litigation or audits, consumer secure communications applications, like Signal or WhatsApp, often fall short of providing necessary protections:
- Lack of verification: By its nature, end-to-end encryption (E2EE) protects confidentiality. However, it creates complications when organizations need communications as evidence. These applications often lack verifiable, tamper-evident export capabilities. Screenshots from messaging apps may not meet evidentiary standards as they can easily be falsified.
- Ability to delete: Secure messaging applications commonly include features like disappearing messages or auto-deletion. Organizations that use these services may be unable to demonstrate they preserved all relevant communications, potentially violating legal hold requirements.
- Failure to maintain chain of custody: Legal evidence requires a clear chain of custody showing who created or accessed evidence, how they stored it, and any alterations. Most consumer secure messaging applications lack essential features including audit trails, metadata logs, and immutable archives.
- Inability to meet retention requirements: Organizations in regulated industries must retain communications for several years. However, consumer secure messaging applications fail to provide the necessary archiving features.
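As an added example (not code from the original post or from CYGNVS), the following Python sketch shows what tamper-evident, chain-of-custody logging for incident communications looks like in practice: each message is hash-chained to the one before it, so an edited, reordered or deleted message is detected at export time, and a sealed manifest catches deletion of the newest messages, which a hash chain alone cannot. Channel names, people and messages are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not CYGNVS or any vendor's code: an append-only, hash-chained
# ledger of incident communications. Each record carries chain-of-custody
# metadata (who, when, which channel) and the hash of the record before it, so
# an edited, reordered or silently deleted message breaks the chain on verify.
GENESIS = "0" * 64  # "previous hash" of the very first record

def _digest(record):
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def append(ledger, channel, author, role, text, ts=None):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    record = {"seq": len(ledger), "ts": ts or datetime.now(timezone.utc).isoformat(),
              "channel": channel, "author": author, "role": role, "text": text,
              "prev": prev}
    record["hash"] = _digest(record)  # covers every field above, including prev
    ledger.append(record)
    return record

def seal(ledger):
    # Export manifest held outside the messaging tool (e.g. by counsel); a bare
    # hash chain cannot see deletion of the newest messages, the manifest can.
    return {"count": len(ledger), "head": ledger[-1]["hash"] if ledger else GENESIS}

def verify(ledger, manifest=None):
    """Return (ok, seq of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False, rec["seq"]
        prev = rec["hash"]
    if manifest and (manifest["count"] != len(ledger) or manifest["head"] != prev):
        return False, len(ledger)  # tail truncated, or records added after sealing
    return True, None

if __name__ == "__main__":
    log = []  # constructed sample messages from a hypothetical incident
    append(log, "ir-core", "alice", "security", "Ransom note found on fileserver", "2024-05-01T09:02:00+00:00")
    append(log, "ir-core", "bob", "legal", "Legal hold in effect; preserve all channels", "2024-05-01T09:05:00+00:00")
    append(log, "crisis-comms", "carol", "pr", "Holding statement draft v1", "2024-05-01T09:30:00+00:00")
    manifest = seal(log)
    print(verify(log, manifest))  # (True, None)
    del log[1]                    # simulate a "disappearing" message
    print(verify(log, manifest))  # (False, 2)
```

The manifest is the piece that maps to "immutable archives" above: it has to be stored somewhere the messaging tool itself cannot rewrite.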
Balancing Secure Communications with Evidentiary Needs
An organization’s incident response plan must consider the different risks arising from data breaches. Normally, organizations focus on detections, investigations, and recovery processes. In today’s litigious world, organizations also need to consider which communications should receive attorney-client or work-product protection and which communications they may need to provide during discovery.
Implement Cross-Functional Out-of-Band Communication Channels
Communicating across various teams is a fundamental challenge all organizations face during security incidents. Even more challenging, traditional internal communications channels may be insecure or unavailable after threat actors compromise systems. Organizations should adopt a solution that maintains secure communications despite system compromise and allows them to safely share information.
Limit User Access Appropriately
Maintaining the principle of least privilege is critical to ensuring attorney-client and work-product protections. Organizations often engage third-party providers to help with the investigation, making role-based access controls essential. Communication channels should provide team members only the information necessary for their specific functions:
- Access to forensic data: Limited to security, IT, incident response, third-party forensics firms, legal, and senior leadership teams.
- Crisis communications: Coordinated between public relations, marketing, legal, and senior leadership teams for consistent media and public messaging.
- Customer inquiries: Managed by customer support, legal, and senior leadership teams to ensure consistent responses.
- Buyer inquiries: Coordinated between sales, legal, and senior leadership to address potential customer security concerns.
- Board communications: Restricted to board members, senior leadership, and counsel for governance and financial impact discussions.
Create Communications Playbooks
Organizations should establish and implement well-defined communication processes, much like they do with incident playbooks. These communications plans should:
- Address different incident types and breach scenarios.
- Assign tasks to relevant team members.
- Include workflows so everyone knows what to do and when to do it.
- Incorporate document management processes to ensure data integrity.
Incorporate into Tabletop Exercises
Organizations should practice incident communications with the same rigor applied to technical response processes. Tabletop exercises should include communications training to help teams understand:
- Collaboration across IT, security, business teams, and external providers.
- Communication workflows within the broader incident response process.
- Effective use of communications tools for secure information sharing.
Balancing Response Speed with Legal Protection
Modern incident response requires purpose-built solutions that understand the balance between operational effectiveness and legal protection. Platforms like CYGNVS provide the audit trails, role-based access controls, and secure collaboration capabilities that organizations need to maintain defensible communication records while focusing on what matters most: containing the incident and resuming business operations.