After experiencing a cyber attack, organizations tend to keep a tight grip on incident-related information. There are good reasons for this. First, information about a cyber attack could reveal vulnerabilities ripe for exploitation by other cyber criminals. Second, the availability of sensitive incident details may result in increased scrutiny of the organization's decisions leading up to or following the incident, resulting in possible reputational harm or even civil and regulatory liability.
Organizations may therefore try to protect sensitive incident-related information by invoking some form of legal privilege. However, recent legal developments have highlighted the limited scope of legal privilege when it comes to records generated during the incident investigation and response process.
In LifeLabs LP v. Information and Privacy Commr. (Ontario),1 a panel of the Divisional Court of Ontario's Superior Court of Justice upheld a regulatory decision ruling that legal privileges asserted by LifeLabs did not apply to, among other things, internal analysis of affected data, communications with threat actors, and the forensic investigation report prepared by a third-party cybersecurity consultant.
This decision underscores the importance of raising awareness regarding the limitations of legal privilege among the incident response team and developing an effective strategy to manage confidentiality concerns over sensitive incident information.
Background
LifeLabs LP ("LifeLabs") provides laboratory testing across Canada and, as part of this service, handles sensitive personal health information about its customers.2 In 2019, LifeLabs was the target of a ransomware attack that resulted in unauthorized access to personal health information of millions of Canadians.3 The Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC (collectively, the "Commissioners") conducted a joint investigation into the incident.4
As part of their investigation, the Commissioners sought various documents pertaining to the cyber attack that LifeLabs had acquired from its consultants.5 These included:
- an investigation report by a cybersecurity firm describing the cyber attack;
- email correspondence between a cyber intelligence firm and the cyber attackers after discovery of the attack;
- LifeLabs' internal data analysis describing the individuals affected by the breach; and
- other communications between LifeLabs and the Commissioners.6
LifeLabs refused to provide the disputed documents, claiming that such information was protected by solicitor-client privilege and/or litigation privilege.7 The Commissioners jointly held that the claims of privilege should fail, as Lifelabs did not provide the Commissioners with sufficient evidence to demonstrate that the materials were actually subject to the asserted legal privileges.8
Privilege Does Not Protect the Underlying Incident Facts
The Divisional Court upheld the Commissioner's decision that neither solicitor-client privilege nor litigation privilege applied to the disputed documents.
Solicitor-client privilege protects confidential communications between a solicitor and client that is made in connection with seeking, giving, and receiving legal advice. Litigation privilege protects communications made and documents created for the dominant purpose of use in actual, anticipated or contemplated litigation. These two privileges are often invoked in the context of a cybersecurity incident.
While the Divisional Court acknowledged that legal privilege is sacrosanct, it found that a party cannot extend the protection to certain unfavourable facts about the cyber attack by providing a copy to its lawyer or by including them in a report prepared, in part, with potential litigation in mind.9
For example, the Court found that the lines of code used by the attackers were not privileged simply because they were copied and pasted into a forensic report, nor were the measures taken to protect against vulnerabilities merely because such information was collected by counsel.
Beware of the Limitations of Common-Interest Privilege
While not specifically addressed in the LifeLabs decision, there are important implications to keep in mind with respect to potential reliance on common interest privilege. Organizations facing cyber attacks often grapple with the need to share forensic reports or other incident-related information with insurance companies covering breach-response costs or with other third parties with a common interest in the matter. It is crucial that parties to such arrangements remain weary to the limitations described above.
Common interest privilege allows parties with a common legal interest to share privileged information without waiving privilege. Importantly, common interest privilege is not a separate class of privilege; it only applies where some other privilege already exists and operates only to protect the existing privilege from waiver.10 For example, courts have declined to waive litigation privilege over a document shared between an organization and its insurer where the dominant purpose of the document is contemplated or pending litigation (i.e., where litigation privilege already applies).11
Parties with a common interest in a particular incident should carefully consider the strength of underlying privilege claims, assess the potential implications of information sharing between them, and then develop a strategy to facilitate necessary information sharing that is suitable to their common interest.
Takeaways
Managing privilege issues is a critical early step in the incident response process.
While legal privilege is undoubtedly a valuable tool to facilitate candid information flow in pursuit of legal advice or in preparation for litigation, the LifeLabs decision illustrates the importance of raising awareness among the incident response team of the limitations of privilege. Then, with eyes wide open, developing an effective investigation, remediation and communication strategy that acknowledges the prominent litigation and regulatory risks at play.
McMillan's Privacy and Data Protection team is available to provide strategic advice to help organizations respond to cyber attacks and data breaches involving sensitive personal and confidential information, including by developing an effective approach to managing privilege issues.
Footnotes
1 LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194 LifeLabs.
2 LifeLabs at para 2.
3 LifeLabs at para 1.
4 LifeLabs at para 5.
5 LifeLabs at para 6.
6 LifeLabs at paras 62.
7 LifeLabs at para 6.
8 LifeLabs at para 7; Life Labs LP (Re), 2020 CanLII 24923 (ON IPC), at para 56, 68.
9 LifeLabs at paras 78 and 81.
10 Trillium Motor World v. General Motors, 2014 ONSC 4894 at para 14.
11 Panetta v. Retrocom, 2013 ONSC 2386, at paras 61-62.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024