Legal privilege in cyber incident response: Insights from the LifeLabs data breach

(Available in English only)

May 21, 2024 | David Krebs, Kathryn M. Frelick, Kristen Ward

When organizations fall victim to cyber-attacks or other incidents involving data security, they must respond in a way that allows for swift action while still anticipating the additional risks that may surface after the incident has been contained. Having details of the incident, internal systems or the response disclosed externally could expose vulnerabilities that other cyber criminals might exploit. Additionally, confidential information about the incident response and the decisions made in the course of managing it, including individual breach notifications, could be used in lawsuits against the organization.

Legal counsel is typically engaged to oversee cybersecurity incidents (sometimes referred to as “breach coaches”). There is an array of potential legal issues, including contractual and compliance-related ones, that require ongoing legal advice during the course of the incident response. Third-party forensic experts are often engaged by legal counsel to conduct an investigation for the purpose of providing legal advice. This means that correspondence, internal reports, and expert evaluations of cyber incidents are regularly classified as privileged, since they are either requested by counsel or created to help manage the company’s legal position. The limits and guardrails of solicitor-client and litigation privilege over these materials in the context of a regulatory investigation were recently considered by the Divisional Court of the Ontario Superior Court of Justice in LifeLabs LP v Information and Privacy Commr. (Ontario).[1]

BACKGROUND

In 2019, LifeLabs LP (“LifeLabs”) was the target of a ransomware attack that resulted in cyber criminals obtaining the personal health information of millions of Canadians and then demanding payment in return for the information.[2] The Information and Privacy Commissioner of Ontario (“IPC”) and the Office of the Information and Privacy Commissioner of British Columbia (collectively, the “Commissioners”) undertook a joint investigation into the incident.

The Commissioners have broad statutory authority to conduct investigations to determine if an organization has contravened or is about to contravene their governing statutes.[3] As part of its formal review process under the Personal Health Information Protection Act, 2004, the IPC demanded that LifeLabs, as a health information custodian, produce multiple documents about the cyber-attack, including:

  1. The investigation report from a third-party cybersecurity firm hired by LifeLabs;
  2. Emails between the hired cybersecurity firm and the cyber-attackers after the attack;
  3. The internal data analysis describing the health information that had been affected by the breach prepared by LifeLabs;
  4. Information submitted from LifeLabs to the Commissioners through legal counsel;
  5. A third-party report prepared as part of the representations by LifeLabs to the Commissioners.[4]

LifeLabs refused to provide the above documents, asserting that the information found within them was protected by solicitor-client and litigation privilege.[5] Solicitor-client privilege protects confidential communications between a lawyer and client for the purpose of obtaining legal advice or representation. Litigation privilege protects documents and communications where the dominant purpose is preparation for litigation; it applies to a party’s litigation strategy.

The Commissioners jointly decided that LifeLabs’ claims of privilege were not substantiated based on the evidence. LifeLabs brought a judicial review application to the Divisional Court of the Ontario Superior Court of Justice, seeking to quash the privilege decision and prevent the publication of the joint investigation report prepared by the Commissioners.

The Divisional Court dismissed LifeLabs’ application for judicial review and held that certain documents requested by the Commissioners as part of the regulatory investigation were not subject to privilege. Although the decision is fact-specific, this case is instructive for organizations to consider when seeking to assert and preserve legal privilege in the wake of a cybersecurity incident. It highlights some of the limitations of privilege and underscores the importance of developing comprehensive incident response plans that effectively safeguard sensitive information.

FINDINGS FROM LIFELABS

The court found that privilege did not shield relevant underlying facts about the LifeLabs data breach from disclosure. Litigation privilege does not extend to facts or base information that may be useful to counsel in preparing for litigation.[6] The Commissioners found that the forensic report would address the key questions of the cause of the breach, the scope of the breach, and what was done to contain and then remediate the breach. There was no evidence that disclosure of these facts would undermine the legal strategy of LifeLabs.[7]

The court also found that privilege did not protect facts that were required to be produced by statute.[8] Litigation privilege does not protect information that would otherwise have to be disclosed pursuant to a statutory duty, even where those facts play a role in defending against civil litigation.[9] Simply depositing a document with counsel, or providing counsel with a copy of a document, does not make it privileged. The Commissioners had a statutory duty to investigate the breach and to inquire into the facts about the data breach within the control and knowledge of LifeLabs, and LifeLabs could not claim privilege over this information by simply placing facts inside “privileged” documents.[10] Further, the court found that the lines of code used by the attackers and the measures taken to protect against vulnerabilities were not privileged simply because they were copied and pasted into a forensic report or collected by counsel.[11]

Lastly, the court found that privilege did not extend to facts that existed independently of the documents over which LifeLabs tried to claim privilege. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged.[12] LifeLabs did not provide any examples of legal advice or solicitor-client communication that would be made public by the disclosure of the disputed documents, which were also found to be facts with an independent life of their own.[13]

LEGAL LANDSCAPE IN THE UNITED STATES

The LifeLabs decision continues a recent trend of American courts finding that forensic cybersecurity reports are not protected by privilege when they are prepared for business purposes rather than for the dominant purpose of litigation. The Divisional Court upheld the IPC’s reliance on the U.S. decision in Capital One, which required Capital One to produce the computer forensics report it had prepared after a data breach. In that case, the court found that if a company has a prior retainer with a cybersecurity firm that provides essentially the same services before and after a breach, simply inserting counsel’s name into the contract and stating that the deliverables would be made to counsel does not make the report subject to privilege.[14]

Further, another U.S. court, in the Guo Wengui case, determined that a forensics report prepared after a cyberattack was not privileged since it would have been completed even if the company had not been anticipating litigation. This is similar to the Pennsylvania federal court’s decision in the Rutter’s case, which required disclosure of a forensic report related to a data breach. The court found that the report focused on whether there had been a breach and on its scope, and therefore constituted factual information that would be relevant to the business whether or not litigation was contemplated.

Legal developments in the United States and Canada suggest that the mere involvement of legal counsel may not always suffice to safeguard cybersecurity reports. Nevertheless, organizations can adopt strategic measures to improve their chances of preserving legal privilege in such instances.

WHAT STEPS CAN YOU TAKE TO RETAIN PRIVILEGE IN THE WAKE OF A CYBER SECURITY INCIDENT?

Many cybersecurity incidents require that the organization share information related to the breach. The LifeLabs decision emphasizes that managing privilege issues is a critical early step when responding to cybersecurity incidents. In the wake of this decision, organizations and incident response team members can implement some of the following best practices to maximize privilege over sensitive and confidential information:

Determine your incident response counsel and cybersecurity experts in advance:

If your organization already uses a third-party cybersecurity firm, consider using a different, independent cybersecurity forensic provider specifically for incident response purposes. If your organization wishes to use the same cybersecurity firm for incident response, ensure that the existing service agreement does not expressly provide for incident response services. Incident response counsel should enter into a separate agreement with the cybersecurity firm that is specific to the incident response.

Engage outside counsel immediately to manage the investigation:

Outside counsel should be the party that retains your preferred cybersecurity team, and the engagement should expressly state that it is in anticipation of litigation or is to assist in the provision of legal advice. If counsel is engaging your existing cybersecurity firm, ensure that a new service agreement specific to the forensic investigation is used. Communication should occur directly between the cybersecurity firm and legal counsel. Consider paying for the investigation from your legal budget or through your cyber breach counsel.

Keep detailed records and evidence to support assertions of privilege:

Solicitor-client privilege encompasses communications exchanged between a lawyer and client that directly pertain to seeking, formulating, or providing legal advice. Copying legal counsel on communications as a matter of routine is not sufficient to establish privilege, and care must be taken not to waive privilege. Litigation privilege, on the other hand, applies to documents crafted with the dominant purpose of preparing for ongoing or anticipated litigation. The burden of proof rests with the party claiming solicitor-client or litigation privilege to establish a prima facie case supporting the privilege. Courts have held that once evidence supporting a privilege claim has been presented, absent contradictory evidence, the privilege claim should be upheld.

Develop a separate, non-privileged report or reports that can be shared:

Many cybersecurity incidents will require sharing information related to the breach, whether with regulators, shareholders, customers or, in the case of personal health information, patients. Therefore, forensic findings relevant to litigation strategy and defence should be kept in one report, while a separate non-privileged report containing only the facts to be shared with third parties can also be created. Organizations should maintain the confidentiality of the privileged report by limiting distribution to those who need to know, or by disclosing only redacted portions or summaries.

Minimize the risk of reputational damage by drafting reports with the understanding that privilege claims may not succeed:

As discussed in this article, the law surrounding privilege and cyber forensic reports is evolving. Any written report should be prepared with the understanding that it may eventually be produced as part of a statutory or legal process. Contacting legal counsel at the outset of the breach, before any investigative steps are taken, is critical to ensuring that processes are in place to establish and maintain privilege. Legal counsel can also advise on any limitations to privilege and help minimize the risks associated with the disclosure of information.

Should you have any questions, please do not hesitate to reach out to a member of Miller Thomson’s Privacy, Data Governance and Cybersecurity group.


[1] 2024 ONSC 2194 [LifeLabs].

[2] LifeLabs at para 1.

[3] Section 60(2) of the Personal Health Information Protection Act, 2004 (PHIPA) provides that in conducting a review, the Commissioner may: (b) inquire into all information, records, information practices of a health information custodian and other matters that are relevant to the subject-matter of the review; (c) demand the production for inspection of anything described in clause (b), among other authority.

[4] LifeLabs at para 62.

[5] LifeLabs at para 6.

[6] LifeLabs at para 78.

[7] LifeLabs at para 86.

[8] LifeLabs at para 80.

[9] LifeLabs at para 79.

[10] LifeLabs at para 81.

[11] LifeLabs at para 82.

[12] LifeLabs at para 80.

[13] LifeLabs at para 83.

[14] LifeLabs at para 90.

Disclaimer

This publication is provided for informational purposes only. It may contain material from other sources, and we do not guarantee its accuracy. This publication is neither legal advice nor a legal opinion.

Miller Thomson LLP uses your contact information to send you electronic communications about legal matters, seminars or events that may be of interest to you. If you have any questions about our information practices or our obligations under Canada’s anti-spam legislation, please send an email to privacy@millerthomson.com.

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided that no changes are made to its form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP, which may be obtained by sending an email to newsletters@millerthomson.com.