Data Breach: A Cautionary Tale Of What Legal Privilege Can Be Asserted Over In A Cybersecurity Investigation

McCague Borlack LLP


Established in 1994, we are one of Toronto's leading litigation law firms; and pride ourselves on being the largest insurance boutique law firm in Canada. Through our affiliation with CLC & The Harmonie Group, we service the global legal market with a wide range of practice areas and specialized knowledge.

Case Comment: LifeLabs LP v. Information and Privacy Commr (Ontario)

On April 30, 2024, the Divisional Court of the Ontario Superior Court of Justice (the "Court") released its decision in LifeLabs LP v. Information and Privacy Commr. (Ontario),1 where the Court dismissed LifeLabs LP's ("LifeLabs") application for judicial review. The Court held that the Privacy Commissioners of Ontario and British Columbia did breach LifeLabs' right to procedural fairness, and that they did not err in their application of the law on solicitor-client privilege and litigation privilege.

Background

This case arises from a 2019 data breach where cyber-attackers targeted LifeLabs and obtained the personal health data of millions of Canadians, with most people affected living in Ontario and British Columbia. LifeLabs paid the cyber-attackers a ransom for the safe return of the personal data and an agreement not to publicly release it on the internet.

The Information and Privacy Commissioner of Ontario ("ON IPC") announced it would investigate the cyber-attack pursuant to the Personal Health Information Protection Act ("PHIPA").2 The ON IPC stated that its investigation would be coordinated with British Columbia's Information and Privacy Commissioner (collectively, the "Commissioners").

During their investigation, the Commissioners ordered LifeLabs to disclose various documents relating to their investigation into the data breach. LifeLabs refused to disclose the documents and asserted privilege over five sets of documents and the information within them:

  1. The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred,
  2. The email correspondence between the cyber intelligence firm hired by LifeLabs and the cyber-attackers,
  3. An internal data analysis prepared by LifeLabs to describe which individual health information had been affected for notification purposes,
  4. A submission from LifeLabs to the Commissioners in response to certain specific questions, communicated through legal counsel, and
  5. The report of Kevvie Fowler, Deloitte LLP, prepared as part of the representations by LifeLabs and submitted to the Commissioners for that purpose.

The Commissioners found that facts available from other non-privileged sources are not protected merely because they are included in documents over which privilege is claimed. The Commissioners also found that LifeLabs' claims of privilege over the documents themselves were not substantiated and that the documents were not subject to privilege.

LifeLabs sought judicial review of the Commissioners' decision.

Judicial Review Decision

The Court upheld the Commissioners' decision that the claims of privilege did not hold and dismissed LifeLabs' application for judicial review. The decision emphasized that factual information necessary for compliance with statutory duties must remain accessible and cannot be withheld by virtue of being placed in reports over which privilege was claimed.

The Court set out the definition of litigation privilege, holding that litigation privilege protects the disclosure of documents and communications whose "dominant purpose" is preparation for litigation. It is applicable to a party's litigation strategy but does not extend to facts obtained through its lawyers, or information that would otherwise have to be disclosed.

The Court also discussed solicitor-client privilege, which protects communications between a lawyer and their client for the purposes of seeking or providing legal advice. However, it does not extend to protect facts that are required to be produced pursuant to a statutory duty. The Court held that "[e]ven if the communication is privileged, the facts referred to or reflected in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure."3

The Court cautioned against the potential misuse of claiming this privilege and warned that simply providing counsel with a copy of a document does not "cloak" the original document with privilege. The Court held that health information custodians, such as LifeLabs, cannot defeat their responsibilities under PHIPA by placing information about privacy breaches inside privileged documents.

The Court upheld the Commissioners' findings that LifeLabs' claims of privilege were not substantiated on the evidence. LifeLabs did not identify any legal advice that would be revealed by disclosing the information in the five sets of disputed documents, information that was also found to consist of facts existing independently of those documents. Therefore, it was found that disclosure of the requested documents would not reveal any litigation strategy or confidential solicitor-client communications.

The Court also noted that the U.S. decision In re Capital One Consumer Data Security Breach Litigation has persuasive authority to support a finding that where a company has a prior retainer with a cybersecurity firm to provide essentially the same services before and after a breach, simply inserting counsel's name into the contract and stating that deliverables would be made to counsel does not render those deliverables subject to the U.S. work product doctrine, which is akin to Canada's litigation privilege.4

The Court therefore upheld ON IPC's finding that the cybersecurity firm retained by LifeLabs that produced a report on the breach did so for business purposes and not for the dominant purpose of litigation.

The Court further dismissed LifeLabs' argument that the ON IPC failed to act independently by jointly determining the issue with British Columbia's Information and Privacy Commissioner, holding that an informed person would conclude that there was no apparent bias or lack of independence from the jointly issued decision by the Commissioners.

Takeaways

The LifeLabs LP decision serves as a cautionary tale for businesses handling personal data and emphasizes the significance of managing privilege issues at an early stage in the incident response process. The decision indicates that a forensic investigation into the cause of a breach, when conducted by the same cybersecurity firm that regularly provided services to the business before the breach, is at risk of being disclosed even where privilege is asserted over it, as was the case for LifeLabs. Overall, this decision underscores the importance of properly protecting legal privilege when responding to a cybersecurity breach.

Footnotes

  1. LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194.
  2. Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A.
  3. Ibid, para 80.
  4. In re Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 91736 (E.D. Va May 26, 2020).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
