A financial institution's cyber risk management activities may result in sensitive communications and documents that the institution's personnel expect will remain confidential. Nevertheless, in many circumstances a financial institution may be legally obligated to disclose those communications and documents unless the institution is able to assert a legal right – called "legal privilege" – to not make the disclosure.
There are two kinds of legal privilege under Canadian law that might be applicable – "legal advice" privilege and "litigation" privilege – each of which is different in purpose, scope and duration. The applicability of each kind of legal privilege to a communication or document will depend on the particular circumstances. Legal privilege presents a number of challenges with respect to communications and documents created as a result of cyber risk management activities. A legal privilege strategy is designed to enable an organization to establish legal privilege where appropriate.
For more information about legal privilege and cyber risk management, and practical recommendations for a legal privilege strategy for cyber risk management activities, see our recent bulletin here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.