Navigating the Boundaries of Legal Privilege in the Wake of a Cyber Attack: Lessons Learned from the LifeLabs Breach

  • 15 mai 2024
  • Mitch Koczerginski, Robbie Grant, Ada Ang, McMillan LLP

After experiencing a cyber attack, organizations tend to keep a tight grip on incident-related information. There are good reasons for this. First, information about a cyber attack could reveal vulnerabilities ripe for exploitation by other cyber criminals. Second, the availability of sensitive incident details may result in increased scrutiny of the organization’s decisions leading up to or following the incident, resulting in possible reputational harm or even civil and regulatory liability.

Organizations may therefore try to protect sensitive incident-related information by invoking some form of legal privilege. However, recent legal developments have highlighted the limited scope of legal privilege when it comes to records generated during the incident investigation and response process.

In LifeLabs LP v. Information and Privacy Commr. (Ontario),[1] a panel of the Divisional Court of Ontario’s Superior Court of Justice upheld a regulatory decision ruling that legal privileges asserted by LifeLabs did not apply to, among other things, internal analysis of affected data, communications with threat actors, and the forensic investigation report prepared by a third-party cybersecurity consultant.

This decision underscores the importance of raising awareness regarding the limitations of legal privilege among the incident response team and developing an effective strategy to manage confidentiality concerns over sensitive incident information.

Background

LifeLabs LP (“LifeLabs”) provides laboratory testing across Canada and, as part of this service, handles sensitive personal health information about its customers.[2] In 2019, LifeLabs was the target of a ransomware attack that resulted in unauthorized access to personal health information of millions of Canadians.[3] The Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC (collectively, the “Commissioners”) conducted a joint investigation into the incident.[4]

As part of their investigation, the Commissioners sought various documents pertaining to the cyber attack that LifeLabs had acquired from its consultants.[5] These included:

  1. an investigation report by a cybersecurity firm describing the cyber attack;
  2. email correspondence between a cyber intelligence firm and the cyber attackers after discovery of the attack;
  3. LifeLabs’ internal data analysis describing the individuals affected by the breach; and
  4. other communications between LifeLabs and the Commissioners.[6]

LifeLabs refused to provide the disputed documents, claiming that such information was protected by solicitor-client privilege and/or litigation privilege.[7] The Commissioners jointly held that the claims of privilege should fail, as Lifelabs did not provide the Commissioners with sufficient evidence to demonstrate that the materials were actually subject to the asserted legal privileges.[8]