This article is part of our 2025 Privacy Breach Insights series, designed to help companies navigate the evolving privacy breach landscape. As privacy threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To stay ahead of these challenges, each part of this series provides actionable insights on privacy breach preparedness, compliance obligations, and risk mitigation.
Responding to a privacy breach can be complex and fast-moving, involving multiple parties and stakeholders related to the company. The information shared among these parties and stakeholders is often sensitive, and companies would prefer to have it kept confidential. Legal privilege may offer valuable protections to sensitive information as companies and their counsel navigate a breach and should be a part of every company's breach response plan.
Legal Privileges
Legal privilege is a fundamental principle of our justice system which allows a company to communicate candidly with its counsel without fear of the disclosure of those communications. It also exists to facilitate and protect the adversarial process. This allows, amongst other things, organizations to disclose everything necessary to equip their counsel to pursue their legal objectives and is especially important in the context of litigation.
There are two types of legal privilege that typically apply in the context of a breach:
(a) Solicitor-client privilege protects communications between a client and their counsel that involve seeking and giving legal advice and are intended to be kept confidential. Once applied, this privilege is permanent unless and until the client waives it.
(b) Litigation privilege protects documents and communications made or collected for the dominant purpose of litigation and applies where litigation is ongoing or reasonably anticipated at the time of communication or collection. This privilege ends once the litigation that gives rise to it ends.
In the context of a breach, solicitor-client privilege can protect a request for legal advice and the advice subsequently provided by counsel, while litigation privilege can protect forensic reports or other investigations conducted for the dominant purpose of litigation. However, as the following decisions suggest, simply involving legal counsel after a breach may not be sufficient to protect breach investigations and reports.
Privacy and Breach Privilege Lessons Learned from Cases in Canada and the United States
(a) LifeLabs LP v. Information and Privacy Commissioner (Ontario), 2024 ONSC 2194
The Divisional Court of the Ontario Superior Court of Justice found that privilege did not extend to information containing underlying facts that would otherwise be disclosed under the legislative regime, and that simply including counsel in communications or passing along reports does not immediately engage privilege.
(b) Kaplan v Casino Rama Services Inc., 2018 ONSC 3545
The Ontario Superior Court of Justice found that any privilege was implicitly waived once Casino Rama relied on the reports in its submitted affidavits and ruled that a party cannot disclose and rely on information from a privileged source and then seek to prevent its disclosure.
(c) Coopers Park Real Estate Development Corporation v. The King, 2024 TCC 122
While this case is not in the context of a data breach, its exploration of the application of privilege between counsel and third-party advisors is highly relevant. The company, its external counsel, and third-party accountants had signed an engagement letter which the Court ruled did not clearly set out each party's roles and relationships. As a result, privilege could not be claimed to protect certain communications between the parties.
(d) In re Capital One Consumer Data Security Breach Litigation, E.D. Va May 26, 2020
In this case, cited as a persuasive authority in the LifeLabs decision, the Virginia Court found that, where a company has a retainer for cybersecurity services in the ordinary course of business prior to a breach, it cannot retroactively invoke privilege over reports provided by the retained firm simply by having counsel sign an agreement for essentially the same services after the breach. For privilege to apply, the report must be created because of litigation.
(e) In re Rutter's Inc. Data Security Breach Litigation, Case No. 1:20-CV-382 (N.D. Penn. July 22, 2021)
The Pennsylvania Court rejected the argument that investigative reports are protected by litigation privilege because they are necessarily prepared in anticipation of potential litigation. Instead, for litigation privilege to apply, courts must assess whether the "primary motivating purpose" for the creation of the report was litigation. Here, the report was prepared in the company's ordinary course of business and provided directly to the defendant's IT team for them to identify and remediate any issues, rather than for litigation purposes.
Mitigation Strategies
The following are some best practices that can help guide companies as they endeavour to safeguard privileged communications during a breach response.
(a) Having a cyber breach response strategy is critical, and any such plan should address the preservation of privilege when retaining competent and expert legal counsel as well as third-party cybersecurity companies. The evidentiary burden falls to the party making the claim, so considerations for privilege should be top of mind, including the flow and proper labelling of communications. Such a plan must be regularly revisited and updated.
(b) Consider use of external counsel. While in-house counsel can, in certain circumstances, claim privilege, engaging external counsel may increase the probability that any communications or documents are deemed to be not part of an organization's ordinary course of business.
(c) Engage legal counsel as early as possible in order to receive necessary legal advice to immediately respond to the breach and to support any claims of privilege.
(d) Consider having legal counsel retain third-party companies on the company's behalf, with clearly defined roles, and structure communications, retainers and investigations to prevent loss of privilege. Clearly defining the relationship is essential and all previous aspects culminate in this suggestion.
(e) Carefully consider the potential impact on privilege before sharing materials with any third parties, including privacy commissioners. Act carefully when disclosing privileged information, ensure that any disclosures do not pose a risk to its privilege, and be alert to inadvertent disclosures or waivers.