Cyber Security Incident Response: The Question of Legal Privilege
Published:
June 20, 2024
Author(s):
On April 30, 2024, the Ontario Divisional Court decided the victim of a serious cyber security incident was required to produce to privacy regulators numerous records created by its cyber security and cyber intelligence consultants in the course of a cyber security incident investigation and response – despite the victim’s vigorous claims of privilege. The Court’s decision in LifeLabs LP v. Information and Privacy Commr. (Ontario) doesn’t create new law about privilege. Nor does it put a dizzying spin on current privilege law. It does serve as a reminder: you can’t throw a blanket of privilege over everything associated with incident response by merely involving lawyers. It also doesn’t entirely do away with legal privilege in connection with cyber security incident response: lawyers’ communications with their clients in the context of seeking legal advice should be untouched by this decision. But it does raise some interesting questions about how organizations should arrange their cyber security incident response. Here’s a primer on privilege, a look at the decision and three questions the decision raises.
Privilege Primer
A quick summary of the two bases of LifeLabs’s privilege claims is helpful. They are related and similar – but not the same.
Solicitor Client Privilege. This privilege protects communications made in confidence between a lawyer and their client (or third party acting on behalf of their client). To be privileged, the communication must be made for the purpose of seeking or giving legal advice, and the parties must have intended the communication to be confidential. Just because there’s a lawyer in the mix doesn’t automatically make communications privileged. But similarly, a third party’s involvement, like a consultant retained by the client or the lawyer, doesn’t automatically waive any privilege.
Litigation Privilege. This privilege is intended to create a “zone of privacy” within which legal counsel can prepare draft questions, arguments, strategies or legal theories in anticipation of litigation and for the purpose of preparing for that litigation. Documents created by others to assist counsel in preparing for litigation can also fit into this category. But notably, the privilege exists only while the litigation is anticipated or ongoing. Once the litigation has concluded, litigation privilege ceases.
The Case
LifeLabs had engaged a well-known cyber security firm to proactively assess the company’s security. The cyber security firm discovered a significant ransomware incident in progress. LifeLabs subsequently engaged the cyber security firm and additional well-known forensic consultants to assist it in its investigation, remediation and negotiation with the ransomware “bad guys”. Not surprisingly, the ransomware incident was followed by a number of class action lawsuits that were still pending.
The Demand. As the applicable privacy laws of Ontario and British Columbia require, LifeLabs notified the Privacy Commissioners of the respective provinces, who started a joint investigation. In connection with that investigation, the Commissioners demanded LifeLabs produce the cybersecurity consultants’ reports related to the incident, its causes and the company’s remediation. LifeLabs refused on the basis they were either / or subject to solicitor-client privilege or litigation privilege.
The Privacy Commissioners’ Decision. In June 2020, the Commissioners issued a joint decision finding LifeLabs had provided insufficient evidence to back up its privilege claim and ordered LifeLabs to hand over the consultants’ reports. According to the decision, there were five categories of records at issue:
- LifeLabs’s cyber security firm’s investigation report which described how the cyberattack occurred.
- The email correspondence between the firm engaged for the ransomware negotiations and the cyber-attackers after the discovery of the attack by LifeLabs.
- An internal data analysis LifeLabs prepared on April 28, 2020, to describe which individual health information the breach had affected and to notify those affected pursuant to the applicable privacy legislation.
- LifeLabs’s submission to the Commissioners dated May 15, 2020, communicated through legal counsel, in response to certain specific questions from the Commissioners.
- The report of a third consultant dated June 9, 2020 prepared as part of the LifeLabs representations and submitted to the Commissioners for that purpose.
With the sole exception of the internal LifeLabs assessments, LifeLabs’s consultants created the records and LifeLabs’s lawyers kept them in their files. LifeLabs had already engaged the cyber security firm to assess the company’s security at the time of the incident and it was that firm that discovered the incident. LifeLabs instructed it to provide its reports on the incident to LifeLabs’s legal counsel.
In large measure, the Commissioners decided LifeLabs was obligated to investigate the incident and was obligated to provide factual information to them. The Commissioners didn’t appear to be looking for legal counsel’s actual advice or anything related to LifeLabs’s trial strategy for their ongoing litigation. Interestingly, the Commissioner’s decision left the door open for LifeLabs to prove that portions of the records sought could include information subject to solicitor client or litigation privilege.
The Court’s Decision. LifeLabs applied to the Court for judicial review of the Privacy Commissioners’ order. The Court decided the Privacy Commissioners’ decision was correct. Ultimately, the Court’s decision turned on LifeLabs’s failure to provide evidence to the Commissioner’s satisfaction to back up its privilege claims. The Court found:
- Facts aren’t privileged – even if a lawyer collected or compiled them. The Court emphasized that even if certain communications or documents are privileged, the facts referred to or reflected in those communications might not be privileged if they exist independently, outside of the privileged context. Facts that have an independent existence outside of solicitor-client privileged communications aren’t automatically privileged. The Court agreed with the Commissioners’ decision, including that, “[w]hile privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.” The Court further clarified that simply depositing a document or providing counsel with a copy of a document doesn’t automatically extend privilege to the original document. The protection of privilege is intended to safeguard the communication between lawyer and client and the adversarial preparation for litigation, not the underlying facts themselves. The Court concluded that facts concerning the investigation or remediation – even if communicated within a privileged context – might not be privileged if they have an independent existence outside of privileged documents.
- If you have a statutory obligation to investigate and provide information to the regulator, the facts discovered in that investigation aren’t privileged. If an organization has a legal obligation to investigate, remediate and report to a privacy commissioner, interjecting lawyers into the process doesn’t relieve the organization of its obligation to report to the commissioner. This obligation includes cooperating with the commissioner’s inquiries and providing information necessary for investigations. And you can neither “defeat [your] responsibilities” nor the privacy commissioner’s duty to inquire “by placing facts about privacy breaches inside privileged documents.” Furthermore, solicitor-client privilege doesn’t protect facts required to be produced pursuant to statutory duty. The Court emphasized that organizations can’t use privilege claims to shield facts about privacy breaches from the commissioner. Even if privilege is claimed over certain documents or information, it doesn’t absolve the organization from its duty to cooperate with the commissioner’s investigation and provide relevant facts. The Court noted that placing unpalatable facts within privileged documents to avoid investigative orders would undermine the purpose of regulatory oversight and accountability.
- Litigation privilege only protects communications and records created for the dominant purpose of preparing for litigation. The Court found LifeLabs didn’t identify any litigation strategy that would be disclosed in the Investigation Report because of the Commissioners’ decision. The Commissioner and the Court noted that the cybersecurity consulting firm had a prior retainer with LifeLabs related to what it was doing before the incident, during the incident and afterwards. Simply having the incident report addressed to legal counsel didn’t make it privileged. The Court agreed with the Commissioners about the applicability of a U.S. decision, In re Capital One, and reached the same conclusion as the IPC: it offers “persuasive authority” for the Commissioners’ and the Court’s decision.
It has been reported that LifeLabs will be appealing this decision.
The Ontario Divisional Court’s decision is consistent with the full court judgment of the Australian Federal Court of Appeal the following month, arising from a very similar scenario, in Singtel Optus Pty Ltd v. Robertson.
3 Interesting Questions
Beyond the question of whether this case is really over or not, the decision in LifeLabs LP v. Information and Privacy Commr. (Ontario) raises some interesting questions about how organizations arrange their cyber security incident responses; here are three.
Litigation Privilege Parameters. Neither the Commissioners nor the Court commented on the terms of the engagement of LifeLabs’ consultants and their relationship to the provision of legal advice to LifeLabs. And they contain little analysis of reasonably contemplated and dominant purpose in the context of the discussion of litigation privilege. The reality is that litigation is almost certain to follow a major cyber security incident. And practically, much of a victim organization’s response or even approach to that response is informed by that litigation likelihood. Many records are created in anticipation of defending litigation – but those same records are also useful (or maybe even necessary) for dealing with privacy regulators’ investigation. If the records are necessary for responding to the Privacy Commissioner’s investigation and useful for defending anticipated litigation, one cannot say the litigation purpose is “dominant.” Should organizations create different tracks in incident response, assigning certain investigators to the litigation track and others to the regulator reporting track? Perhaps.
Privilege Waiver. The victim of a cybersecurity incident is often concerned that when it provides information to the privacy regulator, it’s waiving any privilege that could be attached to some or all that information. In such situations, careful thought should be given to the caselaw around “limited waiver” and steps the organization can take to protect the privilege vis-à-vis third parties. Should Canada or the provinces consider amending privacy laws specifically, or evidence laws more generally, to clarify that the provision of information to a regulator pursuant to a statutory duty does not amount to a waiver of privilege as far as third parties are concerned? Such a statutory intervention would alleviate concerns about waiving legal privilege and leave the question of privilege to the court rather than making it as much of an issue with a regulatory investigation.
Compliance Consulting. It’s also interesting to consider how this decision will affect certain activities outside the context of dealing with an active cyber security incident. For example, an organization might retain a lawyer to provide their assessment of whether the organization is complying with their safeguarding obligations under privacy laws. Typically, such a retention involves working with expert consultants that examine the business’s network security, do penetration testing and benchmark against best practices. These often uncover new facts the lawyer will include in their opinion and advice to the business about its legal compliance. Expert reports are generally not privileged outside of the litigation context but there is caselaw that extends privilege where the expert is effectively “translating” the client’s data for the benefit of the lawyer. Of course, it has to be so that the lawyer can provide legal advice to the client. At that stage, there’s no obligation to assist any privacy regulator: the new facts were “uncovered” or discovered only for the purpose of providing legal advice. Are those new facts privileged – or not?
Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss organizing your cyber security investigation and response to protect legal privilege.
Related Lawyers
Related Services
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2024. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
