The limits of privilege in cyber investigations
Solicitor-client privilege and litigation privilege do not protect facts that are required to be disclosed under statutory duty, the Ontario Superior Court of Justice ruled in a recent decision.
The case revolved around a LifeLabs LP data breach in which cyber attackers obtained the personal health data of millions of Canadians. The court ruled “health information custodians” such as LifeLabs cannot defeat statutory responsibilities by placing facts about privacy breaches inside privileged documents.
Litigation privilege protects the disclosure of documents and communications whose “dominant purpose” is preparation for litigation, the decision reads.
From a cyber perspective, the decision means documentation and communication from third parties or consultants related to breach occurrence — for example information contained in IT forensics reports — could become a matter of public record.
In LifeLabs, the Office of the Saskatchewan Information and Privacy Commissioner (SIPC) publicly reported on its investigation into the breach.
What happened
The breach occurred in 2019, with the largest number of affected people living in Ontario and British Columbia. The privacy commissioners for those two provinces launched a joint investigation into the breach.
During the investigation, the Information and Privacy Commissioner of Ontario (ON IPC) and Office of the Information and Privacy Commissioner for British Columbia (BC IPC) sought information that LifeLabs had obtained from its consultants about the breach and LifeLabs’ systems. LifeLabs resisted, claiming privilege over any reports or information in those reports, said the Apr. 30 decision, LifeLabs LP v. Information and Privacy Commr. (Ontario).
Ultimately, Justice Janet Leiper found that both privacy commissioners’ statutory duty to inquire and LifeLabs’ duty to respond “does not permit a claim of litigation privilege over facts obtained through its lawyers, even where those facts might also play a role in defending against parallel civil litigation.”
After receiving documents and representations from LifeLabs’ lawyers, ON IPC and BC IPC jointly decided claims of privilege should fail. This was outlined in a June 25, 2020 ‘privilege decision.’ The two privacy commissions also finalized their investigation report; neither report has been published.
“Importantly, the investigation report did not seek to publish any of these disputed reports or documents, but rather to include the facts responsive to the legislative mandate of the ON IPC and the BC IPC,” the decision reads.
In an application for judicial review, LifeLabs sought an order quashing the privilege decision and a permanent order preventing publication of the investigation report. The company also claimed ON IPC erred in law in applying solicitor-client and litigation privilege, which the privacy commissioner disputed.
BC IPC was an intervener in the case.
Application dismissed
Leiper dismissed the application for judicial review, finding ON IPC did not err in law. “The [privilege] decision is logical, clear and persuasive. It considered all the arguments raised by LifeLabs and gave comprehensive reasons for rejecting the claims of privilege.”
LifeLabs initially did not dispute it had an obligation to investigate and remediate the data breach. “Indeed, its correspondence with the ON IPC and BC IPC in the early days post-data breach emphasized the steps it was taking in that regard.
“LifeLabs now argues that it had no obligation to investigate, remediate or produce information and that independent facts on those issues are not producible if contained in privileged documents…,” Leiper writes. “If these submissions were accepted, this would permit a regulated entity to defeat investigative orders by placing unpalatable facts within its knowledge into a privileged report to counsel.”
For example, on May 15, 2020, ON IPC asked LifeLabs about security alerts for a piece of software to address vulnerabilities. LifeLabs had its counsel interview the employee who had information about the question.
“LifeLabs then provided responses based on that interview, and then claimed privilege over that information on the basis that it was a solicitor-client communication and/or subject to litigation privilege…” Leiper writes. “I reject this submission on the statutory authority of the ON IPC to conduct investigations into the duties owed by health custodians and the law of privilege.”
Saskatchewan findings
Leiper found ON IPC also correctly articulated the law when it said, “facts that have an independent existence outside of solicitor-client privileged communications are not privileged.”
On June 9, 2020, SIPC reported publicly on its investigation into the breach, which affected 93,647 Saskatchewan residents. SIPC found LifeLabs’ servers in Ontario had a “code-level third-party vulnerability” because a software patch had not been installed. The need for the patch was not caught by LifeLabs’ third-party vulnerability management system, the decision notes.
Attackers gained undetected access to some of LifeLabs’ systems for more than a year, until a third-party consultant noted abnormal activities and contained the affected systems for investigation on Oct. 28, 2019. Three days later, the attackers contacted LifeLabs and demanded payment for the safe return of personal data. LifeLabs paid the attackers in exchange for the data and an agreement not to publicly release it on the internet.
SIPC was concerned with the ongoing risk because of the breach, and disagreed with LifeLabs that the risk was ‘low’ given the data obtained included names, addresses, dates of birth, email addresses, health card numbers, passwords, security questions and answers, IP addresses and lab results for 241 Saskatchewan residents.
LifeLabs also refused to provide any “critical incident reports” prepared by third-party IT firms to assist with determining how the breach occurred, what personal health information was affected, what safeguards were in place, the root cause of the breach, and measures to be taken to prevent the breach from happening again.
Leiper dismissed LifeLabs’ claims ON IPC failed to act independently by jointly determining the issue with another regulator.
“There is ample precedent for joint investigations undertaken by various Canadian privacy regulators,” she writes. “LifeLabs did not put before the court any challenge to any prior joint investigations.
“This practice reflects the reality that data breaches are not confined to provincial boundaries.”
Feature image by iStock.com/Jane_Kelly
