Establishing and maintaining legal privilege is a crucial part of cybersecurity incident response and risk management. Whenever an organization experiences a cybersecurity incident, its leaders need to protect the organization against legal and regulatory proceedings. They may be required to disclose information about both the attack and their response efforts. The question becomes, where does privilege fit into these disclosures?
The importance of identifying and protecting privileged information among such document sets is reflected in both industry practice and official guidelines. For instance, the Office of the Superintendent of Financial Institutions (OSFI) issued a guideline earlier this year for federally regulated financial institutions (FRFIs) regarding managing technology and cyber risks, wherein it recommended that FRFIs take steps to establish legal privilege over communications and documents relating to cybersecurity compliance and incident response.
Last year, Torys outlined the way in which courts in the United States and Canada are testing the strength and breadth of claims of privilege in the context of cybersecurity incident response. There have since been new developments in the area, particularly with respect to legal privilege and law enforcement, that businesses should be aware of when developing and managing their cybersecurity incident response procedures.
Cooperation with law enforcement does not waive privilege
A recent Québec Court of Appeal decision confirmed that it is possible for organizations to disclose privileged documents in efforts to cooperate with law enforcement investigations without necessarily waiving privilege against all other parties [1]. In this case, the document in question was a forensic accounting report produced by an accounting firm at the request of McGill University Health Centre. That report was protected by solicitor-client privilege because it was prepared at the request of legal counsel for the purposes of legal consultation. The report was always treated as privileged internally, with a clear intention towards preserving its confidentiality. However, McGill disclosed the report to an anti-corruption law enforcement authority in cooperation with a criminal investigation. Given this factual context, the Court held that there was no intention to waive privilege with respect to other third parties in disclosing the document to law enforcement authorities.
This follows older jurisprudence in other provinces, including Ontario, that allows for the disclosure of documents to limited parties for necessary functions without that disclosure constituting a waiver of privilege. For instance, the Ontario Superior Court of Justice has found that solicitor-client privilege was not waived when otherwise privileged documents were provided to external auditors of the Ontario Securities Commission in cooperation with an investigation. The provision of these documents did not waive privilege for all purposes, but only to the extent necessary to enable the audit to be completed [2].
The state of U.S. law
The Capital One case referenced in our related article last year remains the most recent significant development in the area of cybersecurity and legal privilege in the United States, and it has been affirmed in subsequent case law [3].
In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed into federal law in the United States, which requires select entities operating in critical infrastructure sectors to report cybersecurity incidents. Though it does not apply to all organizations, it is relevant to note that CIRCIA explicitly provides that reporting cyber incidents through CIRCIA does not constitute a waiver of attorney-client privilege or other legal protection.
Key takeaways
As outlined above, maintaining legal privilege over legal advice, anticipated litigation and other confidential documents is critical when dealing with the fallout of a cybersecurity incident. At the same time, law enforcement agencies across Canada and the United States consistently urge organizations to report cyber attacks and cooperate with their investigations in the broader effort to curtail this criminal activity. The state of the law in both countries provides some assurance to organizations who seek to both assist law enforcement in fighting cyber criminals and protect their privileged information from broad disclosure.
These cases, however, highlight the importance of treating documents consistently from the early stages of a cybersecurity incident. Organizations should ensure that privileged documents are labelled as such, and that they keep records of the basis of the privilege, how its confidentiality was protected, how distribution was controlled, and what the justification is for any limited disclosures of the information for law enforcement, audit or other legal purposes. Insufficient records to support the intention to strictly limit any partial waivers of privilege may prevent a business from protecting such information from further disclosure in regulatory and litigation proceedings.
Footnotes
1. Centre universitaire de santé McGill c. Lemay, 2022 QCCA 1394.
2. [2005] O.J. No. 4418.
3. See e.g., Wengui v. Clark Hill, PLC, 338 F.R.D. 7, 2021 U.S. Dist. LEXIS 5395, 2021 WL 106417 (D.D.C. January 12, 2021), in which a forensic report was required to be produced in the context of a cybersecurity incident after the district court found that the report was distributed widely both internally and externally and would have been produced regardless of whether litigation was filed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.