Why wouldn't they stay silent? That is the norm unfortunately, and Congress is more concerned about being able to enact more anti-privacy and anti-encryption laws than it is about actually holding companies liable for poor cybersecurity. I definitely encourage everyone to watch the hearing with Colonial Pipeline to see what I'm talking about.
Booking.com is required to follow Dutch law and originates from the Netherlands, which at that time required informing customers if the hack could have negative consequences for them. They ignored it and did nothing.
In narrow circumstances, I can see how receiving legal advice may be a factor. For instance, theft in England and Wales must be dishonestly done, and s.2(1)(a) of the Theft Act[1] states that:
> A person's appropriation of property belonging to another is not to be regarded as dishonest if he appropriates the property in the belief that he has in law the right to deprive the other of it, on behalf of himself or of a third person
Pure ignorance of the law doesn't provide you such a belief (IIRC), but seeking legal advice may do so. I can't think of any other examples, but I wouldn't be surprised if they exist (for example, if your conduct must be reasonable, following legal advice may lend weight to the argument that it was).
It would also be relevant to explaining the conduct, even if it does not provide a legal defence.
It’s not about ignorance of the law but about demonstrating you made a “good faith” effort to comply and oops, it turns out you landed on the wrong decision. You got some bad advice, but now you know! Won’t happen again, sorry about that!
Depending on how much of a grey area you’re operating in the law firm may or may not issue an opinion letter. So if you’re really pushing the boundary of what is reasonable to the point outside counsel won’t put it in writing you know you’re taking a pretty aggressive legal position. Some of the big law firms/practice groups have a reputation for being willing to be more aggressive in their written opinions than others. Large multinational companies often have several big law firms on retainer and their in house legal team will know who to go to for more conservative legal advice and who to go to for cover on a risky legal position. So I’ve heard, at least, I definitely would never participate in such ethically dubious behavior.
Even if they have internal counsel (I haven't checked, but I'm sure a company as large as Booking.com does), for decisions which have the potential for reputational harm, it's useful to lean on advice from X prestigious third party.
The same goes for using consultants. It's not just about deferring blame for a backlash but lending an air of objectivity and professionalism to the decision(s) made by management.
From a legal perspective, internal counsel may not be able to shield certain things as attorney work product. If an outside counsel is representing the firm the attorney work product privilege is almost impenetrable (in US law). And the privilege can be asserted across all dealings around the investigation and the results. Any firm relying solely on internal counsel needs new counsel. Retainers are a thing.
This took place just before the EU-wide GDPR was introduced, but under the Dutch national laws applicable at the time Booking.com was obliged to notify its affected users. Because the impact of a foreign state actor spying on your hotel bookings can be quite high (something Booking.com cannot reasonably determine for their users themselves) disclosure should have happened then in 2016, and the Dutch Data Protection Authority should have been informed as well.
Because Booking.com is a Dutch company, and the EU has GDPR, the incident cannot legally repeat itself. This was a 2016 incident and GDPR became effective in 2018.
Of course it can repeat itself. Dutch laws already mandated disclosure of a breach like this before the GDPR. The company simply didn’t give a fuck and found a legal firm that gave it license not to.
As the article noted, the company operates on an "if we don't see it and it doesn't hurt us we don't care" principle. Even with the GDPR, the company can still choose to not give a fuck. It just becomes a more risky gamble, assuming anyone ever finds out.
GDPR isn't a be-all and end-all; Dutch laws already incorporated a lot of its aspects, such as having to notify customers, before GDPR became effective.