After publication of my article "Why Your Lawyer Should Be the First Point of Contact after a Data Breach," I had the honour of receiving an email from someone whom I had never met. That person was David Loukidelis, QC, who has taught privacy law and was formerly BC's Information and Privacy Commissioner and then Deputy Attorney General.
David raised a point in response to my article. Specifically, he noted that it may not be in the public interest, or indeed the organization's self-interest, to claim solicitor-client privilege to insulate information about breaches of personal information from privacy regulators who are mandated to investigate such data breaches.
This raises the crucial issue of reporting to and co-operating with regulators, an issue I had not addressed head-on in "Why Your Lawyer Should Be the First Point of Contact after a Data Breach." Never one to give up an opportunity for dialogue on a data-related legal issue, I asked David to share his views with me.
Kelly Friedman: In your experience as a privacy commissioner, were there data breach investigations of the kind that required IT or forensic assistance?
David Loukidelis: Those days were in some senses early days—many of the breaches we faced were rudimentary from a technological perspective. Think of personal injury files full of medical records blowing in the wind on a Vancouver street, or medical records turning up as props on a film set, that kind of thing. But we did have a few breaches where we had to go outside for specialist IT advice. One case involved a public body's claim that, because the backup tapes it had lost could not be read unless you had software that was not generally available, it didn't matter that it had failed to encrypt the information it lost. Our technical expert determined that this was true: the chance protection of technical obscurity was a valid argument (in light of the fact that the information involved was not at all sensitive).
KF: How did your office's involvement begin, given that there was no mandatory breach notification legislation in place?
DL: A lot of the breaches came to light through media exposure, where someone would go to the media and report files blowing in the wind or whatever. That's shifted over the years, and witnesses started to come directly to us. Then organizations started self-reporting. The thinking—rightly so, in my view—seems to have been that it's better to get expert support from the commissioner's office than to have them taken by surprise by a media report and thus be caught off guard. A privacy commissioner can properly only go so far in supporting breach mitigation or reporting, of course, but voluntary self-reporting can be a valuable and practical approach.
KF: Can you give me a sense of the approach taken by the BC Information & Privacy Commissioner's Office to data breach investigations, and the goals the Office attempted to achieve?
DL: During my time, whether we were lucky or not, we expected and got co-operation. We had full disclosure of relevant records and information, access to facilities and to representatives, and so on. This dovetailed with our perspective that an educational and remedial outcome was the preferred goal. I can't speak for Commissioner Denham, of course, but her approach quite clearly has been along the same lines and she's issued some excellent investigation reports in the process.
KF: During investigations, did you feel there was sufficient co-operation from the entity under examination, or was the relationship antagonistic?
DL: Perhaps it was sheer good luck again, but I can't think of a single case where there was anything approaching antagonism or obstruction. Sure, there were cases where we agreed to disagree on the findings and recommendations, but we noted those in our reports, so that the public and media could judge the situation for themselves. I can't speak to what's happening now in BC or elsewhere, but it would appear from Commissioner Denham's reports that her investigations are receiving co-operation from those being investigated.
KF: Do you feel that the involvement of external legal counsel assisted or hindered your investigations, and in what way?
DL: Many of the cases in which I was involved didn't involve counsel at all, though that was true more of private sector cases. Government lawyers showed up on more files than in the private sector. There's a risk, in my view, in engaging counsel unless necessary to deal with legal issues that cannot be addressed without their involvement. This is because a lawyer's zeal in protecting a client can force a regulator to lawyer-up as well, leading to a more drawn-out, costly and litigious approach. There's a fine line in many cases, I know, between the understandable need for someone who's being investigated to protect their interests legally, on the one hand, and taking a co-operative approach, on the other. The latter doesn't always work, to be sure, and—noting class actions, fines under privacy laws and so on—counsel may be needed if the legal consequences look serious from the outset or the investigation develops in a way that warrants legal support.
KF: In my previous article, I was making the point that the lawyer must be involved in the investigation from the outset, so as to protect findings from disclosure in subsequent litigation. In my view, in order to ensure that a company will make a fulsome investigation and take proper remedial steps, the company needs to know that it can engage freely with its lawyers and other specialists. Do you think that such a role for lawyers can be reconciled with co-operation with a privacy commissioner's office and its mandate to act in the public interest?
DL: Your perspective clearly has validity: if a company has investigated itself and wishes to protect the findings from later disclosure in litigation, it's eminently sensible to try to protect that process and the findings. As far as co-operating with a privacy commissioner, I bet that in many cases the commissioner's office won't be interested in the outcome of the internal investigation. They may ask for underlying material or the findings themselves, but in many cases I expect they'll want to do their own investigation, to gather their own facts and make their own findings and recommendations. That's the stage at which co-operation can play an appropriate part.
The only other thing I'll say is that, if a privacy commissioner asks to see material you think is privileged, remember that the commissioner may be able to compel you to produce it despite the privilege. Much depends on the statutory language used to express the commissioner's power of compulsion. If a company believes that claiming privilege as against a commissioner is truly necessary, by all means do so. But in many cases it'll be more practical to co-operate by respecting the demand (and if the information is compelled, the case law suggests—and some statutes expressly state—that the privilege over compelled material is preserved as against others).
KF: David, thank you for sharing your experiences and valuable insights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.