One of the big questions about breach response has always been whether the documents produced in response to a breach, such as forensics reports and communications with third-party experts, are privileged.
Two categories of privilege can potentially apply in this context: litigation privilege and solicitor-client privilege.
For litigation privilege to apply, the person or organization claiming privilege must establish that the document was produced for the "dominant purpose" of assisting in actual or anticipated litigation.
Solicitor-client privilege applies to the solicitor's "work product" and to communications between a solicitor and their client for the purposes of giving and receiving legal advice, when that communication is intended to be confidential.
The issue of privilege in the context of a privacy breach and subsequent investigation was addressed recently by the Information and Privacy Commissioner for Ontario in PHIPA Decision 114, arising out of the LifeLabs breach, with which many readers will be familiar.
For context, the decision provides a summary of the basic facts of the breach, as follows:
In November 2019, LifeLabs notified the IPC that it was the subject of a cyberattack (the "breach"). LifeLabs told the IPC that cyberattackers had penetrated LifeLabs' computer systems, extracted data, and demanded a ransom. It informed the IPC that the affected systems contained the personal health information of approximately 15 million LifeLabs customers in Canada, including names, addresses, emails, customer logins and passwords, health card numbers, and laboratory test results. With respect to laboratory test results, LifeLabs informed the IPC that the breach involved approximately 85,000 customers in Ontario from 2016 or earlier.
As part of the IPC's investigation into the breach, it requested that LifeLabs' counsel produce certain documents and reports generated following the breach as part of LifeLabs' investigation of and response to the breach.
The Commissioner's decision notes that LifeLabs is now facing multiple class action lawsuits arising out of the breach.
LifeLabs' counsel took the position that all of the documents requested to be produced were covered by both litigation privilege (presumably as a result of the class actions) and solicitor-client privilege.
Part of the problem, from the Commissioner's perspective, appears to have been that counsel, despite undertaking to produce a list of the relevant documents over which privilege was claimed, then refused to do so, and eventually produced not a list, but a document listing several "categories" of documents over which privilege was asserted.
The IPC then issued a demand for the documents, including any communications between counsel and third parties, including the cyberattackers. Counsel refused to produce this documentation and alleged that it was covered by solicitor-client privilege or litigation privilege.
In the writer's opinion, it is incorrect to contend that communications with third parties are privileged. Any document or communication sent to a third party is, by definition, not privileged, unless it is covered by some sort of "common interest" privilege, which was not asserted in this matter.
It is perhaps accurate to say that the documents in the lawyer's file are covered by solicitor-client privilege, but if they were sent to third parties, then the information contained therein is not. However, counsel refused to allow LifeLabs representatives to answer questions about the content of those documents when LifeLabs responded to a summons sent by the IPC.
LifeLabs' CISO acknowledged during her testimony that LifeLabs staff, in responding to the breach, took certain steps and created certain documents as part of LifeLabs' response to the breach. Counsel took the position that those documents were covered by litigation privilege.
The IPC found that LifeLabs, in asserting that certain documents were covered by litigation privilege, had the burden to prove that the privilege applied to each document. However, the IPC then found that LifeLabs provided little or no evidence upon which the claim for privilege could be assessed, nor did LifeLabs address the other purposes for which the documents were created, and so LifeLabs could not establish that the documents were created for the "dominant purpose" of assisting in the litigation, which is a key part of the test.
The IPC found that the retainer of the third parties, and the communications with the cyberattackers, were part of LifeLabs' response to the breach and would have been necessary even if no litigation had been commenced. It therefore found that LifeLabs could not meet its burden of proving that the documents and communications sent to the attackers and third-party service providers, and any reports produced by the third-party service providers, were created for the dominant purpose of assisting in the litigation. They were therefore ordered produced.
The IPC then carried out a similar analysis with regard to the claims that the documents were protected by solicitor-client privilege. The IPC found that communications with third parties were not so protected, nor were documents created by third parties in order to assist LifeLabs in responding to the breach. Those documents (and the facts contained therein) did not become privileged merely by being given to a lawyer acting for LifeLabs.
What appears to have animated the IPC in its decision is the paucity of information given to it about the documents over which privilege was claimed, and the failure of counsel or the LifeLabs witness to provide any requested additional information which might have been used to bolster or validate the claim. There is an obvious lesson in the analysis of the lack of information provided.
The IPC's finding in this regard states as follows:
It may be that some of the documents at issue are subject to privilege, but LifeLabs is required to provide more than an overly broad assertion of privilege over all documents at issue. Without more details on what documents exist and their nature, I cannot be satisfied as to whether any of the documents are, in fact, privileged. In order for the IPC to carry out its important mandate to investigate breaches such as this one, we require all relevant information. [emphasis added]
It would seem that a more nuanced approach to the IPC's request for production of documents may have been met with a different response.
See LifeLabs (Re), 2019 CanLII 40312 (ON IPC)