
Navigating the Boundaries of Legal Privilege in the Wake of a Cyber Attack: Lessons Learned from the LifeLabs Breach

May 7, 2024 Privacy & Data Protection Bulletin 4 minute read

After experiencing a cyber attack, organizations tend to keep a tight grip on incident-related information. There are good reasons for this. First, information about a cyber attack could reveal vulnerabilities ripe for exploitation by other cyber criminals. Second, the availability of sensitive incident details may result in increased scrutiny of the organization’s decisions leading up to or following the incident, resulting in possible reputational harm or even civil and regulatory liability.

Organizations may therefore try to protect sensitive incident-related information by invoking some form of legal privilege. However, recent legal developments have highlighted the limited scope of legal privilege when it comes to records generated during the incident investigation and response process.

In LifeLabs LP v. Information and Privacy Commr. (Ontario),[1] a panel of the Divisional Court of Ontario’s Superior Court of Justice upheld a regulatory decision ruling that legal privileges asserted by LifeLabs did not apply to, among other things, internal analysis of affected data, communications with threat actors, and the forensic investigation report prepared by a third-party cybersecurity consultant.

This decision underscores the importance of raising awareness regarding the limitations of legal privilege among the incident response team and developing an effective strategy to manage confidentiality concerns over sensitive incident information.

Background

LifeLabs LP (“LifeLabs”) provides laboratory testing across Canada and, as part of this service, handles sensitive personal health information about its customers.[2] In 2019, LifeLabs was the target of a ransomware attack that resulted in unauthorized access to personal health information of millions of Canadians.[3] The Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC (collectively, the “Commissioners”) conducted a joint investigation into the incident.[4]

As part of their investigation, the Commissioners sought various documents pertaining to the cyber attack that LifeLabs had acquired from its consultants.[5] These included:

  1. an investigation report by a cybersecurity firm describing the cyber attack;
  2. email correspondence between a cyber intelligence firm and the cyber attackers after discovery of the attack;
  3. LifeLabs’ internal data analysis describing the individuals affected by the breach; and
  4. other communications between LifeLabs and the Commissioners.[6]

LifeLabs refused to provide the disputed documents, claiming that such information was protected by solicitor-client privilege and/or litigation privilege.[7] The Commissioners jointly held that the claims of privilege should fail, as LifeLabs did not provide the Commissioners with sufficient evidence to demonstrate that the materials were actually subject to the asserted legal privileges.[8]

Privilege Does Not Protect the Underlying Incident Facts

The Divisional Court upheld the Commissioners’ decision that neither solicitor-client privilege nor litigation privilege applied to the disputed documents.

Solicitor-client privilege protects confidential communications between a solicitor and client that are made in connection with seeking, giving, and receiving legal advice. Litigation privilege protects communications made and documents created for the dominant purpose of use in actual, anticipated or contemplated litigation. These two privileges are often invoked in the context of a cybersecurity incident.

While the Divisional Court acknowledged that legal privilege is sacrosanct, it found that a party cannot extend the protection to certain unfavourable facts about the cyber attack by providing a copy to its lawyer or by including them in a report prepared, in part, with potential litigation in mind.[9]

For example, the Court found that the lines of code used by the attackers were not privileged simply because they were copied and pasted into a forensic report, nor were the measures taken to protect against vulnerabilities merely because such information was collected by counsel.

Beware of the Limitations of Common-Interest Privilege

While not specifically addressed in the LifeLabs decision, there are important implications to keep in mind with respect to potential reliance on common interest privilege. Organizations facing cyber attacks often grapple with the need to share forensic reports or other incident-related information with insurance companies covering breach-response costs or with other third parties with a common interest in the matter. It is crucial that parties to such arrangements remain wary of the limitations described above.

Common interest privilege allows parties with a common legal interest to share privileged information without waiving privilege. Importantly, common interest privilege is not a separate class of privilege; it only applies where some other privilege already exists and operates only to protect the existing privilege from waiver.[10] For example, courts have declined to waive litigation privilege over a document shared between an organization and its insurer where the dominant purpose of the document is contemplated or pending litigation (i.e., where litigation privilege already applies).[11]

Parties with a common interest in a particular incident should carefully consider the strength of underlying privilege claims, assess the potential implications of information sharing between them, and then develop a strategy to facilitate necessary information sharing that is suitable to their common interest.

Takeaways

Managing privilege issues is a critical early step in the incident response process.

While legal privilege is undoubtedly a valuable tool to facilitate candid information flow in pursuit of legal advice or in preparation for litigation, the LifeLabs decision illustrates the importance of raising awareness among the incident response team of the limitations of privilege. The team can then, with eyes wide open, develop an effective investigation, remediation and communication strategy that acknowledges the prominent litigation and regulatory risks at play.

McMillan’s Privacy and Data Protection team is available to provide strategic advice to help organizations respond to cyber attacks and data breaches involving sensitive personal and confidential information, including by developing an effective approach to managing privilege issues.

[1] LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194 [LifeLabs].
[2] LifeLabs at para 2.
[3] LifeLabs at para 1.
[4] LifeLabs at para 5.
[5] LifeLabs at para 6.
[6] LifeLabs at para 62.
[7] LifeLabs at para 6.
[8] LifeLabs at para 7; LifeLabs LP (Re), 2020 CanLII 24923 (ON IPC), at paras 56 and 68.
[9] LifeLabs at paras 78 and 81.
[10] Trillium Motor World v. General Motors, 2014 ONSC 4894 at para 14.
[11] Panetta v. Retrocom, 2013 ONSC 2386, at paras 61 and 62.

by Mitch Koczerginski, Robbie Grant and Ada Ang (Articling Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
