June 20, 2024
On April 30, 2024, the Ontario Divisional Court decided the victim of a serious cyber security incident was required to produce to privacy regulators numerous records created by its cyber security and cyber intelligence consultants in the course of a cyber security incident investigation and response – despite the victim’s vigorous claims of privilege. The Court’s decision in LifeLabs LP v. Information and Privacy Commr. (Ontario) doesn’t create new law about privilege. Nor does it put a dizzying spin on current privilege law. It does serve as a reminder: you can’t throw a blanket of privilege over everything associated with incident response by merely involving lawyers. It also doesn’t entirely do away with legal privilege in connection with cyber security incident response: lawyers’ communications with their clients in the context of seeking legal advice should be untouched by this decision. But it does raise some interesting questions about how organizations should arrange their cyber security incident response. Here’s a primer on privilege, a look at the decision and three questions the decision raises.
Privilege Primer
A quick summary of the two bases of LifeLabs’s privilege claims is helpful. They are related and similar – but not the same.
Solicitor Client Privilege. This privilege protects communications made in confidence between a lawyer and their client (or third party acting on behalf of their client). To be privileged, the communication must be made for the purpose of seeking or giving legal advice, and the parties must have intended the communication to be confidential. Just because there’s a lawyer in the mix doesn’t automatically make communications privileged. But similarly, a third party’s involvement, like a consultant retained by the client or the lawyer, doesn’t automatically waive any privilege.
Litigation Privilege. This privilege is intended to create a “zone of privacy” within which legal counsel can prepare draft questions, arguments, strategies or legal theories in anticipation of litigation and for the purpose of preparing for that litigation. Documents created by others to assist counsel in preparing for litigation can also fit into this category. But notably, the privilege exists only while the litigation is anticipated or ongoing. Once the litigation has concluded, litigation privilege ceases.
The Case
LifeLabs had engaged a well-known cyber security firm to proactively assess the company’s security. The cyber security firm discovered a significant ransomware incident in progress. LifeLabs subsequently engaged the cyber security firm and additional well-known forensic consultants to assist it in its investigation, remediation and negotiation with the ransomware “bad guys”. Not surprisingly, the ransomware incident was followed by a number of class action lawsuits that were still pending.
The Demand. As the applicable privacy laws of Ontario and British Columbia require, LifeLabs notified the Privacy Commissioners of the respective provinces, who started a joint investigation. In connection with that investigation, the Commissioners demanded LifeLabs produce the cybersecurity consultants’ reports related to the incident, its causes and the company’s remediation. LifeLabs refused on the basis they were either / or subject to solicitor-client privilege or litigation privilege.
The Privacy Commissioners’ Decision. In June 2020, the Commissioners issued a joint decision finding LifeLabs had provided insufficient evidence to back up its privilege claim and ordered LifeLabs to hand over the consultants’ reports. According to the decision, there were five categories of records at issue:
With the sole exception of the internal LifeLabs assessments, LifeLabs’s consultants created the records and LifeLabs’s lawyers kept them in their files. LifeLabs had already engaged the cyber security firm to assess the company’s security at the time of the incident and it was that firm that discovered the incident. LifeLabs instructed it to provide its reports on the incident to LifeLabs’s legal counsel.
In large measure, the Commissioners decided LifeLabs was obligated to investigate the incident and was obligated to provide factual information to them. The Commissioners didn’t appear to be looking for legal counsel’s actual advice or anything related to LifeLabs’s trial strategy for their ongoing litigation. Interestingly, the Commissioner’s decision left the door open for LifeLabs to prove that portions of the records sought could include information subject to solicitor client or litigation privilege.
The Court’s Decision. LifeLabs applied to the Court for judicial review of the Privacy Commissioners’ order. The Court decided the Privacy Commissioners’ decision was correct. Ultimately, the Court’s decision turned on LifeLabs’s failure to provide evidence to the Commissioner’s satisfaction to back up its privilege claims. The Court found:
LifeLabs’ motion for leave to appeal to the Ontario Court of Appeal was denied, and the Privacy Commissioners subsequently released their joint investigation report on November 25, 2024.
The Ontario Divisional Court’s decision is consistent with the full court judgment of the Australian Federal Court of Appeal the following month, arising from a very similar scenario, in Singtel Optus Pty Ltd v. Robertson.
3 Interesting Questions
Beyond the question of whether this case is really over or not, the decision in LifeLabs LP v. Information and Privacy Commr. (Ontario) raises some interesting questions about how organizations arrange their cyber security incident responses; here are three.
Litigation Privilege Parameters. Neither the Commissioners nor the Court commented on the terms of the engagement of LifeLabs’ consultants and their relationship to the provision of legal advice to LifeLabs. And they contain little analysis of reasonably contemplated and dominant purpose in the context of the discussion of litigation privilege. The reality is that litigation is almost certain to follow a major cyber security incident. And practically, much of a victim organization’s response or even approach to that response is informed by that litigation likelihood. Many records are created in anticipation of defending litigation – but those same records are also useful (or maybe even necessary) for dealing with privacy regulators’ investigation. If the records are necessary for responding to the Privacy Commissioner’s investigation and useful for defending anticipated litigation, one cannot say the litigation purpose is “dominant.” Should organizations create different tracks in incident response, assigning certain investigators to the litigation track and others to the regulator reporting track? Perhaps.
Privilege Waiver. The victim of a cybersecurity incident is often concerned that when it provides information to the privacy regulator, it’s waiving any privilege that could be attached to some or all that information. In such situations, careful thought should be given to the caselaw around “limited waiver” and steps the organization can take to protect the privilege vis-à-vis third parties. Should Canada or the provinces consider amending privacy laws specifically, or evidence laws more generally, to clarify that the provision of information to a regulator pursuant to a statutory duty does not amount to a waiver of privilege as far as third parties are concerned? Such a statutory intervention would alleviate concerns about waiving legal privilege and leave the question of privilege to the court rather than making it as much of an issue with a regulatory investigation.
Compliance Consulting. It’s also interesting to consider how this decision will affect certain activities outside the context of dealing with an active cyber security incident. For example, an organization might retain a lawyer to provide their assessment of whether the organization is complying with their safeguarding obligations under privacy laws. Typically, such a retention involves working with expert consultants that examine the business’s network security, do penetration testing and benchmark against best practices. These often uncover new facts the lawyer will include in their opinion and advice to the business about its legal compliance. Expert reports are generally not privileged outside of the litigation context but there is caselaw that extends privilege where the expert is effectively “translating” the client’s data for the benefit of the lawyer. Of course, it has to be so that the lawyer can provide legal advice to the client. At that stage, there’s no obligation to assist any privacy regulator: the new facts were “uncovered” or discovered only for the purpose of providing legal advice. Are those new facts privileged – or not?
Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss organizing your cyber security investigation and response to protect legal privilege.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2024. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
Nov 13, 2024
Social host liability for injury to a third party – and coverage of social host liability claims – isn’t straightforward. Social host…
Oct 30, 2024
Disputes between shareholders of a corporation, and shareholders and their corporation, are stressful and complicated, and often attract…
Oct 29, 2024
On September 9, 2024, a unanimous Federal Court of Appeal decided consent is to be determined on an objective standard. In an unusual move, in…
Aug 15, 2024
On June 21, 2024, the Supreme Court of Canada concluded – decisively - that the Canadian Charter of Rights and Freedoms applies to protect the…
Jul 16, 2024
The Canadian Security Intelligence Service (CSIS) has been looking for a new production order power; it’s on its way. The role of CSIS is to…
Jun 26, 2024
An increasing number of municipalities in Canada are using public video camera surveillance to promote public safety and help deter crimes like…
Apr 30, 2024
Bill C-63, if passed, will create the hotly anticipated Online Harms Act to regulate certain online platforms, create new Criminal Code of…
Mar 14, 2024
On March 1, 2024, the Supreme Court of Canada decided a police request for disclosure of an IP address is a “search” under section 8 of the…
Dec 15, 2023
Over four years after it began, the federal government still hasn’t finalized its overhaul of the private sector privacy law regime that both…
Sep 25, 2023
There’s a new scam on the web: Electronic Fund Transfer (EFT) scams. Most are familiar with established scams like phishing and ransomware and…
Jun 9, 2023
You arrive at the legendary Madison Square Garden to catch the Mariah Carey concert. It’s the big event of the trip – the reason you came to…
Apr 27, 2023
The benefits to employees, and often to employers, of remote work has made it a staple of today’s workplace. But the move to remote work…
Feb 1, 2023
On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings requiring companies using targeted…
Jan 26, 2023
In November 2022, the Ontario Court of Appeal definitively decided an organization whose information systems are breached by a malicious third…
Nov 21, 2022
On November 10, 2022, the Supreme Court of Canada examined the interaction of arbitration and bankruptcy and insolvency proceedings, deciding a…
Jul 20, 2022
There’s a new privacy law coming to Canada. In June, the federal government introduced a complete overhaul of the privacy law regime that both…
Jul 18, 2022
The Supreme Court of Canada’s “Jordan” framework, introducing strict timelines for determining unreasonable delay in the context of…
Jun 30, 2022
On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects…
Mar 31, 2022
On March 18, 2022, the Supreme Court of Canada confirmed that an Indigenous government can still satisfy the impecuniosity requirement for an…
Feb 8, 2022
Updated June 17, 2024. On May 17, 2022, the P.E.I. Non-disclosure Agreements Act took effect, significantly restricting the use of…
Feb 3, 2022
On January 26, 2022, the British Columbia Court of Appeal extended an injunction preventing protesters from interfering with a logging…
Dec 16, 2021
Updated October 7, 2024. The name of the game is to have a plan to mitigate the risk that a data breach will happen – but be ready when it…
Nov 12, 2021
On November 4, 2021, the Supreme Court of Canada clarified the law regarding when a judgment debtor “carries on business” for the purpose of…
Aug 3, 2021
On July 29, 2021, the Supreme Court of Canada refined the test for determining when a plaintiff has discovered a claim for the purpose of a…
Mar 1, 2021
The Supreme Court of Canada continues to develop and clarify the organizing principle of good faith performance in contract law. In its 2014…
Jan 26, 2021
Updated March 4, 2022. Privacy is critical to every business in every sector, including startups and growing businesses: to comply with the…
Jan 18, 2021
The Supreme Court of Canada, in the 2014 case of Bhasin v. Hrynew, recognized a general organizing principle of good faith performance in…
Nov 19, 2020
We updated this publication on June 30, 2022. NOTE: On June 16, 2022, the Government of Canada introduced Bill C-27: Digital Charter…
Jul 6, 2020
On June 26, 2020, the Supreme Court of Canada released Uber Technologies Inc. v. Heller, a much-awaited decision regarding the enforceability of…
May 11, 2020
The Supreme Court of Canada recently released a much-awaited decision regarding the Companies’ Creditors Arrangement Act (CCAA). The CCAA is…
Mar 10, 2020
The global COVID-19 (a.k.a. Coronavirus or SARS-CoV-2) outbreak has implications for many commercial relationships, its evolving nature and…
Feb 14, 2020
NOTE: On July 23, 2021, the Supreme Court of Canada agreed with the Newfoundland & Labrador Court of Appeal’s decision respecting the law,…
Jan 14, 2020
On December 23, 2019, the Newfoundland and Labrador Court of Appeal effectively eliminated the category of “knowledgeable fact witness” in…
Nov 18, 2019
Effective December 1, 2019, the New Brunswick government will finally finalize the reform of N.B.’s money judgment enforcement regime with the…
Mar 28, 2019
Organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – those that collect, use or…
Feb 20, 2019
On February 14, 2019, the Supreme Court of Canada decided yet another criminal law decision that will likely have broader ramifications for…
Dec 19, 2018
On December 13, 2018, the Supreme Court of Canada confirmed that a third party can’t waive a person’s right to privacy or their rights under…
Aug 20, 2018
Updated July 8, 2024. Every organization subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA, soon to…
Aug 3, 2018
Updated June 28, 2024. As of November 1, 2018, organizations in Canada subject to the Personal Information Protection and Electronic…
Jun 13, 2018
Updated September 26, 2024. Businesspeople (and their legal counsel) are on the road more than ever before: according to Statistics Canada,…
Jan 12, 2018
Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to…
Jun 28, 2017
On June 28, 2017, the Supreme Court of Canada confirmed a Canadian court can issue an interlocutory injunction (an order requiring an entity or…
Jun 23, 2017
On June 23, 2017, the Supreme Court of Canada decided that in a contest between the choice of forum clause in Facebook’s online terms of use…
Jun 7, 2017
On June 7, 2017, the federal government repealed the regulations that would have brought into effect the sections of Canada’s Anti Spam…
Jun 5, 2017
On June 2, 2017, the Supreme Court of Canada decided that where a plaintiff advances a claim for negligently caused psychological or psychiatric…
Feb 24, 2017
Updated January 29, 2024. Most organizations (72%) store the personal information of customers. employees, suppliers, vendors or partners,…
Jan 25, 2017
Doing business with the public sector creates an often overlooked – but very real – risk that the confidential information a business…
Nov 22, 2016
On November 17, 2016 the Supreme Court of Canada decided a mortgagee has the mortgagor’s implied consent to disclose its discharge statement…
Aug 17, 2016
The Newfoundland and Labrador Court of Appeal recently affirmed the test for confirming a cause of action and thus resetting a limitation period…
Mar 24, 2016
When a business responds to a public sector Request for Proposal or Expression of Interest (both of which we’ll refer to as an RFP for these…
Jan 27, 2016
On January 21, 2016, the Ontario Superior Court of Justice dramatically expanded the scope of legal privacy protection – and the liability…
Mar 25, 2015
On March 3, 2015 Canada’s Privacy Commissioner determined that Health Canada breached privacy laws by mailing letters to over 40,000 Marihuana…
Mar 6, 2015
On March 5, 2015, the Canadian Radio and Television Commission (the CRTC, the main agency charged with administering and enforcing most of CASL)…
Dec 11, 2014
On December 11, 2014 the Supreme Court of Canada continued its trend to recognize privacy rights – and develop the law to protect them –…
Dec 11, 2014
On January 15, 2015, the software provisions of Canada’s Anti-Spam Legislation (CASL) will take effect. CASL’s anti-spam sections, touted…
Dec 1, 2014
The construction industry - project owners, contractors, subcontractors and trades - might be relaxing, ignoring the hype around Canada’s…
Nov 14, 2014
On November 13, 2014, the Supreme Court of Canada (SCC) effected a significant development in Canadian contract law by recognizing the…
Oct 14, 2014
CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their…
Aug 1, 2014
Most Canadians have heard about Canada’s Anti-Spam Legislation (CASL): we’ve been bombarded with “CASL Compliant” emails asking us to…
Jun 16, 2014
On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and…
Jun 12, 2014
The countdown to CASL is almost over: there are only 13 business days until the anti-spam provisions of CASL – and most of the penalties for…
May 8, 2014
On July 1, 2014 – less than two months from now - the anti-spam sections of Canada’s Anti-Spam Legislation (CASL) take effect. Individuals…
Apr 15, 2014
The countdown to CASL is on: on July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (“CASL”) take effect. Individuals…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) will take effect. CASL is: Broad. It applies…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) take effect. CASL will apply to just about every…
Nov 8, 2013
On November 7, 2013, the Supreme Court of Canda decided police require specific authorization in a search warrant to search the data in a…
Nov 28, 2012
On October 19, 2012 the Supreme Court of Canada (SCC) decided a teacher criminally charged with possession of child pornography and unauthorized…
Subscribe to McInnes Cooper to stay current with our leading insights on legal updates, trends, news, events, and services.