Check your privilege

A Canadian case raises issues of legal privilege when dealing with a privacy breach.

By Dentons Partner Hayden Wilson and Solicitor Megan Jury

14 May 2024

Top of the list for most organisations in their cyber response plan is probably some form of the phrase “call an expert”.

A recent Canadian decision highlights the importance of careful thought about who you’re going to call, and what they are asked to do – particularly if the results of any investigation might not be something a business wants made public. 

Expert investigations into the cause and extent of cyber breaches are a fundamental part of the response toolkit, bringing to bear skill sets that most organisations don’t have in house. But a significant decision from the Ontario Superior Court of Justice will shape the degree of protection afforded to information about data breaches and may influence how New Zealand regulators deal with documents that could expose targets to legal risk and which – for reputational reasons – some would rather not see the light of day.

In LifeLabs LP v Information and Privacy Commissioner of Ontario, LifeLabs sought to maintain privilege over expert reports prepared about the LifeLabs LP (LifeLabs) data breach and its systems. Facing a class action lawsuit and the attention of the two Canadian regulators, LifeLabs desperately sought to keep private the reports on its systems and failings which were central to the data breach.

The Ontario Superior Court disagreed, in a move which signals a lack of tolerance for those who fail to keep personal information under proper lock and key. 

LifeLabs is a provider of general and specialised laboratory testing across Canada. In 2019, LifeLabs announced that it had suffered a ransomware attack which resulted in the attackers obtaining the personal health data of millions of Canadians. LifeLabs notified the public and used external IT experts to provide it with information about the breach, and to negotiate with the cyber-attackers. 

As would be expected, the Information and Privacy Commissioner of Ontario (ON IPC) commenced an investigation into the LifeLabs data breach. The ON IPC coordinated its investigation with the Office of the Information and Privacy Commissioner for British Columbia (BC IPC).

Part of this investigation involved both IPCs requesting information that LifeLabs had obtained from its consultants about the data breach. LifeLabs resisted these requests, claiming both solicitor/client privilege and litigation privilege over the contents of the reports. The ON IPC and the BC IPC both considered that the claims for privilege should fail, a decision which LifeLabs sought to judicially review. LifeLabs argued that since the decision to deny the existence of privilege was wrong, the Court should make a permanent order preventing publication of the investigation report by the ON IPC and the BC IPC. 

Does advice have litigation privilege?

The Court dismissed LifeLabs’ application for judicial review. In its assessment of the privilege decision, the Court considered that the IPCs applied the law correctly when rejecting LifeLabs’ claims of privilege over the records. The records which LifeLabs asserted privilege over included:

  • the investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred
  • the email correspondence between the cyber intelligence firm and the cyber-attackers after the discovery of the attack by LifeLabs
  • an internal data analysis prepared by LifeLabs to describe which individual health information had been affected by the breach and to notify those affected
  • submissions from LifeLabs to the IPCs communicated through legal counsel
  • the report prepared by Deloitte as part of LifeLabs’ response to the IPCs.
     

LifeLabs argued that it had no obligation to investigate, remediate, or produce information and that independent facts on those issues are not producible if contained in privileged documents. If the Court had accepted that argument, it effectively would have permitted a regulated entity to defeat investigative orders by placing unpalatable facts within its knowledge into a privileged report to counsel.

Perhaps unsurprisingly, the Court found in favour of the statutory authority of the IPCs to conduct investigations into the duties owed by health data custodians. Notably, the Court said that health information custodians, such as LifeLabs, cannot defeat these responsibilities by placing facts about privacy breaches inside privileged documents. This conclusion flowed not only from the statutory mandate of the IPCs, but also from how both litigation privilege and solicitor/client privilege function in practice.

Litigation privilege attaches to the litigation process and applies to communications or information compiled for the dominant purpose of preparing for a proceeding. As the facts in the reports and information compiled by LifeLabs were prepared for the purpose of investigating the data breach, the IPCs’ statutory duty to inquire (and LifeLabs’ requirement to respond) did not permit a claim of litigation privilege over those facts, even where those reports and facts would also be used by LifeLabs in defending a parallel civil lawsuit.

Similarly, solicitor/client privilege applies to communications between a lawyer and their client, where the communication is for the purpose of obtaining legal advice. This category of privilege therefore did not extend to protect facts that were required to be produced pursuant to statutory duty. 

One example of how LifeLabs attempted to use privilege as a sword rather than a shield was in response to the ON IPC’s request for information about security alerts for software used by LifeLabs to address vulnerabilities. LifeLabs had their legal counsel interview the employee who had information about the question, provided responses based on that interview, then claimed privilege over that information on the basis that it was a solicitor/client communication and/or subject to litigation privilege. 

These litigation tactics did not fly with the Court, which concluded overall that the IPCs’ statutory duty to investigate overrode any claims of privilege asserted by LifeLabs. However, these claims were clearly an improper use of the protection afforded by the law of privilege. It is arguable that had the information obtained by LifeLabs been for the primary purpose of informing LifeLabs about its legal risk following the data breach, the assertion of privilege would have more likely stood firm.

What this means for New Zealand

The case is important for New Zealand organisations given that the legal principles applicable to privilege are replicated in both Canada and New Zealand. Further, as this issue hasn’t (publicly) arisen in New Zealand, the likelihood of a New Zealand court looking to other jurisdictions for guidance on how to deal with this issue is high. 

Additionally, our Privacy Commissioner has similar investigative powers to the Canadian IPCs. The decision provides a steer for New Zealand-based organisations on how privilege is likely to be viewed by our Privacy Commissioner, and indicates that, in the event of an investigation, any reports, records, or information held by an organisation about a data breach will likely be disclosable. The effect of this is that organisations will not be able to rely on privilege other than for its proper application (i.e., for the purpose of preparing for imminent legal proceedings or to receive legal advice). 

The high public interest in privacy duties owed by those who hold sensitive personal information necessitates disclosure of all relevant information to the regulator.

Amongst other findings, the decision noted that LifeLabs had not demonstrated it had adequate safeguards in place to protect private health data, that it would prevent similar breaches from occurring in the future and that it had properly investigated the breach. 

The effect of the decision is that LifeLabs will not be able to keep secret any factual information which could be used in civil lawsuits against it, or be able to hide details from the Canadian regulatory authorities. It reinforces the point that after experiencing a data breach, the best course of action is transparency, cooperation and accountability, particularly to avoid situations like this. Fortunately for LifeLabs, neither the ON IPC nor the BC IPC sought costs.

Data breaches are becoming more frequent, both overseas and domestically. For organisations in the unenviable position of responding to a data breach, certain steps are of paramount importance:

  • Time is of the essence, so it can be tempting to rush into instructing experts. Consider pausing for a moment to think carefully about what the experts are being engaged to do and always seek legal advice first.
  • Lawyer up early in the process to support your technical and public relations response. Use specialists who know what they’re talking about, and don’t risk engaging a legal adviser who can’t help you effectively manage and mitigate risk.
  • In the case of notifiable privacy breaches, notification to the Privacy Commissioner is required within 72 hours of becoming aware of the breach. Your legal advisor should assist with this, as it is important to set the right tone from the beginning when engaging with the regulator.