Effective URL: https://www.blg.com/en/insights/2024/05/lifelabs-court-considers-privilege-claims-over-cybersecurity-investigation-m...
May 16, 2024




LIFELABS: COURT CONSIDERS PRIVILEGE CLAIMS OVER CYBERSECURITY INVESTIGATION
MATERIALS

In most cases, a cybersecurity breach triggers a multi-faceted response which
may involve legal counsel, internal personnel, external investigators, and
others. A responding organization or public body will usually take steps to
investigate, whether it be as a matter of internal business procedure,
compliance with statutory obligations, seeking or obtaining legal advice, or
preparation for anticipated litigation. Often these purposes overlap, which
raises the question: what information in the investigation file is privileged?

The Divisional Court of the Ontario Superior Court of Justice recently addressed
this question in the judicial review decision of LifeLabs LP v. Information and
Privacy Commr. (Ontario), 2024 ONSC 2194 (CanLII). The Court upheld a decision
by the Information and Privacy Commissioner of Ontario (ON IPC) that certain
documents requested in the course of a regulatory investigation were not subject
to privilege. The Court found that litigation and solicitor-client privilege do
not extend to underlying facts that would otherwise be disclosed pursuant to a
statutory duty. Moreover, it held that copying counsel to a document does not
automatically cast a “cloak” of privilege over the document or its underlying
facts.

The Court’s analysis highlights the interplay between the law of privilege and
compliance with statutory investigative obligations in a cybersecurity incident
response context. In our view the decision is fact-specific and does not change
the law, but it is cautionary and instructive.


BACKGROUND

This case arose from a 2019 cyber incident in which criminals accessed the
personal information of millions of individuals, the majority of whom lived in
Ontario and British Columbia.

LifeLabs is a health information custodian under the Personal Health Information
Protection Act, 2004, S.O. 2004, c. 3, Sched. A (PHIPA). Under PHIPA, LifeLabs
has duties in relation to privacy breaches and the ON IPC has the authority to
conduct investigations in relation to those duties.

The privacy commissioners for Ontario and British Columbia coordinated a joint
investigation. During the investigation, the commissioners relied on their
statutory powers to order LifeLabs to disclose various documents relating to
LifeLabs’ investigation. LifeLabs resisted and asserted privilege over five sets
of documents and the information within them:

 1. The investigation report prepared by a third-party cybersecurity firm hired
    by LifeLabs, which described how the cyberattack occurred.
 2. Email correspondence between a cyber intelligence firm, hired by LifeLabs,
    and the cybercriminals.
 3. An internal data analysis prepared by LifeLabs to determine whose personal
    health information was affected for statutory notification purposes.
 4. A submission from LifeLabs, through legal counsel, to the commissioners in
    response to certain specific questions.
 5. A report by Deloitte LLP, hired by LifeLabs, which was prepared as part of
    the representations that LifeLabs submitted to the commissioners.

On June 25, 2020, the commissioners jointly decided that LifeLabs’ claims of
privilege were not substantiated on the evidence and that they should fail. The
commissioners also held that facts which exist independently outside the
privileged documents are not protected from regulatory investigations simply
because they are included in privileged documents.

In response, LifeLabs sought judicial review of the commissioners’ decision.


THE JUDICIAL REVIEW DECISION

The Divisional Court dismissed LifeLabs’ application for judicial review and
upheld the commissioners’ decision. The Court’s analysis focused on the
application of fundamental principles of litigation and solicitor-client
privilege in the regulatory context of this case. Several important findings
were made:


A) UNPRIVILEGED FACTS ARE PRODUCIBLE

Litigation privilege protects confidential documents and communications whose
“dominant purpose” is preparation for litigation. It applies to a party’s
litigation strategy but does not extend to underlying facts that would otherwise
have to be disclosed, even if those facts are obtained through counsel or are
useful in preparing for litigation. The Court held that LifeLabs could not claim
litigation privilege over facts that LifeLabs had an obligation to disclose
under PHIPA.

Similarly, the Court held that solicitor-client privilege, which protects
confidential communications made between counsel and their client for the
purpose of seeking or giving legal advice, does not extend to facts that are
required to be produced pursuant to a statutory duty. The Court echoed the ON
IPC’s submission that “[w]hen deciding if such facts are privileged, one must
keep one eye on the need to protect the freedom and trust between solicitor and
client and another eye on the potential use of privilege to insulate otherwise
discoverable evidence.”1

The Court upheld various findings of fact made by the ON IPC that the evidence
did not substantiate LifeLabs’ privilege claims. In particular, LifeLabs did not
provide evidence that disclosure of the disputed information would reveal
litigation strategy or solicitor-client communication, or that the investigation
report prepared by the third-party cybersecurity firm was prepared for the
dominant purpose of litigation.

Significantly, this is a warning that health information custodians cannot
defeat their duty to respond to investigatory inquiries by placing facts inside
privileged documents. If an investigator retained by an organization’s counsel
to conduct a privileged investigation, for example, reports to counsel that the
digital evidence shows that the threat actor(s) used a data staging tool – a
precursor to data exfiltration – the fact the threat actor(s) used a staging
tool (and possibly the underlying evidence) must be produced. The report itself
(which may contain nuance and context) remains privileged. The distinction
between a privileged and a non-privileged document or communication is one of
the most important things for organizations under attack to understand; it
allows for safe communication of facts and evidence to regulators and all other
stakeholders while protecting privilege.




B) IN RE CAPITAL ONE IS PERSUASIVE IN RELATION TO THIRD-PARTY CYBERSECURITY
SERVICE PROVIDERS

The Court also made an important finding about the basis for a privilege claim,
particularly when an organization uses a forensic investigator who provides
services in advance of an incident. The Court noted that the U.S. decision In re
Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS
91736 (E.D. Va May 26, 2020) is persuasive authority for the proposition that
where a company hired a cybersecurity firm to perform essentially the same
services before and after the breach, simply inserting counsel’s name into the
contract and having counsel receive deliverables on behalf of the client does
not render those deliverables subject to the U.S. work product doctrine, which
is akin to Canada’s litigation privilege.

The Court upheld the ON IPC’s reliance on In re Capital One and its finding that
the cybersecurity firm retained by LifeLabs that produced a report on the breach
did so for business purposes and not for the dominant purpose of litigation.

Many organizations hire third-party providers to provide managed security
services that entail monitoring networks for intrusion. Managed service provider
contracts often include a bundle of hours for incident response. Use of these
services is appropriate for initial investigation, but LifeLabs suggests that
use of the same provider to conduct a privileged forensic investigation (without
very careful documentation) is a risk.


PRACTICAL TAKEAWAYS

Protecting legal privilege is critical when responding to a cybersecurity breach
and, as illustrated in LifeLabs, a careful approach to creating and making
privilege claims is required. The following practices will help organizations
establish, maintain, and assert privilege when responding to a cybersecurity
breach.

 1. Be proactive and have an incident response plan. Having a plan in place
    before an incident occurs will help avoid an ad hoc and under-protective
    approach to establishing a privilege claim. The plan should include a
    procedure for invoking privilege that is intentional, discretionary, and
    alive to the relevant risks. Automatic and non-discretionary procedures,
    such as routinely copying a lawyer to documents without more, are
    insufficient.
 2. Engage legal counsel at the outset. Ideally this would be part of the
    incident response plan. Involving legal counsel before any investigative
    steps are taken is critical to establishing and maintaining privilege.
    Counsel can provide essential advice on statutory and legal obligations,
    anticipated or actual litigation, third-party service provider retainers,
    and public communications, all of which trigger privilege considerations.
 3. Understand that some very sensitive work by third-party experts will not be
    privileged because it is fact and only fact. Communications between
    third-party experts and threat actor(s) are the best example of this type of
    sensitive but non-privileged communication. Put clearly, they can never be
    privileged. Not only may such communications be producible in litigation or
    in a regulatory investigation, but they are also often leaked by threat
    actor(s) themselves. Counsel should direct the expert to speak carefully,
    with a view to eventual disclosure.
 4. Be prepared to substantiate a privilege claim on the evidence. Parties
    asserting privilege should be prepared to put forward evidence that
    substantiates their claims on a document-by-document basis.2 As the
    Divisional Court in LifeLabs noted, a privilege claim may require proof that
    disclosure of the facts would disclose litigation strategy or
    solicitor-client communication. A party claiming litigation privilege over a
    document should be able to show that it was prepared for the dominant
    purpose of litigation.

If you have questions about this publication or if you would like to speak with
us about BLG’s leading cyber incident response practice, please contact the
authors or the individuals identified below.

Footnotes

1 LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194
(CanLII) at para. 80.

2 Alberta v. Suncor Inc, 2017 ABCA 221 (CanLII) at para. 43; Mamaca v. Coseco
Insurance Company, 2007 CanLII 54963 (ON SC) at paras. 16-23; Shaughnessy Golf &
Country Club v. Drake International Inc., 1986 CanLII 163 (BC CA) at 14.

 * By: Ingrid Vanderslice, Daniel J. Michaluk


 * Services: Cybersecurity, Privacy & Data Protection


KEY CONTACTS

 * DANIEL J. MICHALUK
   National Co-Leader, Privacy & Cybersecurity
   Location: Toronto | Email: DMichaluk@blg.com | Phone: 416.367.6097

 * ERIC S. CHARLESTON
   National Co-Leader, Cybersecurity
   Location: Toronto | Email: ECharleston@blg.com | Phone: 416.367.6566

 * FRÉDÉRIC WILSON
   National Co-Leader, Privacy
   Location: Montréal | Email: FWilson@blg.com | Phone: 514.954.2509

 * SHANE MORGANSTEIN
   Associate
   Location: Toronto | Email: SMorganstein@blg.com | Phone: 416.367.7281
© 2024 Borden Ladner Gervais LLP ("BLG"). All rights reserved.