This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
NEWS & ARTICLES NEWS & ARTICLES

NEWS & ARTICLES

| 3 minute read

Navigating the Murky Waters of Cyber-Attack Privilege | LifeLabs LP v. Information and Privacy Commissioner of Ontario

The LifeLabs LP v. Information and Privacy Commissioner of Ontario case continues to be a significant topic of interest for lawyers and insurance professionals in Canada, particularly those in the cyber insurance community. This decision has the potential to drastically limit the ability of victims of cyber-attacks to maintain privilege over documents produced in response to a breach. Recently, the Ontario Superior Court of Justice declined to order the Ontario Privacy Commissioner to disclose the materials on which they relied when ordering LifeLabs to relinquish certain records developed through counsel in response to a cyber-attack, despite LifeLabs' efforts to preserve privilege.

In 2019, the diagnostic and medical testing service provider was the victim of a ransomware attack which compromised the most personal data imaginable of up to 15 million patients. Results of lab tests, health card numbers, and contact information of patients were included in the compromised data.

After LifeLabs reported the disclosure, privacy commissioners in both British Columbia and Ontario began investigations into the breach, which were followed shortly by class-action lawsuits in both provinces. As part of their investigation, the commissioners requested a number of documents from LifeLabs, including a number of documents over which LifeLabs claimed solicitor-client privilege. As part of their response to the breach, LifeLabs, through counsel, retained the services of a number of third parties to negotiate with the threat actors and conduct penetration tests, among other services. LifeLabs claimed that as these documents were subject to solicitor-client privilege or, alternatively, litigation privilege as they had been obtained through third parties retained by their counsel and in anticipation of possible litigation.

In March 2020, the Information and Privacy Commissioner of Ontario released a decision determining that LifeLabs had not proven its claim of privilege and ordering that the documents be disclosed. In the view of the commissioners, even absent the litigation, LifeLabs would have engaged the same third parties to respond to the breach. 

LifeLabs produced the documents as ordered, but maintained their claim of privilege and commenced an application for judicial review. In order to bolster their position, LifeLabs sought to compel the Commissioner to disclose various documents, communications, and policies relied on by the BC and Ontario Commissioners in coming to their decision. LifeLabs was of the view that these documents would demonstrate the process by which the privilege decision was arrived at was unfair due to (among other reasons) improper collaboration between the Ontario and BC privacy commissioners. Somewhat ironically, the Commissioners claimed deliberative privilege over the documents, which generally protects the administrative tribunals from being compelled to testify as to how their decision was arrived at.

In October of 2022, Justice Corbett of the Ontario Superior Court of Justice dismissed LifeLabs’ application, finding that LifeLabs had failed to show grounds on which this privilege should be breached. LifeLabs sought to vary the order dismissing the motion and in January, the Superior Court of Justice released its decision. The Court upheld Justice Corbett’s dismissal, finding that the law on deliberative privilege had been correctly applied.

 The LifeLabs saga continues, with the results of the ultimate judicial review application having the potential to significantly impact whether or not the documents were retained through counsel. The same court sidestepped the issue in the earlier Kaplan v Casino Rama Services Inc. decision, finding that if the reports were ever privileged, privilege had been waived when a corporate representative referred to the documents in an affidavit. South of the border, in the In Re: Capital One case, the Court ordered the production of reports on a breach conducted by a cyber security company, notwithstanding the involvement of outside counsel. It remains to be seen whether the principles in this decision will be adopted in Canada. It would seem that slowly, the shield of privilege is being eroded in relation to the documents created by victims of cybercrime in order to investigate and respond to breaches.

Victims of cyber-attacks are often told to coordinate all responses through breach counsel in order to maintain solicitor client privilege in the event of subsequent litigation. While the In Re: Capital One decision has yet to be followed in Canada, the results of the LifeLabs application for judicial review could have a significant impact on the ability of victims of cyber-attacks to shield what little privacy they have left, even when those efforts are coordinated through breach counsel.

Questions? 

Should you have any questions with respect to this bulletin, or if you would like more detailed information related to this case analysis, please contact Duncan Taylor at dtaylor@brownleelaw.com.

Tags

brownlee llp, business law, class actions, privacy