As cybersecurity incidents have increased dramatically in recent years, so have regulatory investigations and litigation. Regulators and plaintiffs regularly ask for production of forensic reports and other documents relating to internal investigations of data breaches, ransomware and other incidents, and the limits of legal privilege over these materials are being tested on both sides of the border. As businesses continue to develop their incident response plans, boards and management should be aware of recent cross-border trends questioning the scope of lawyer-client, work product and litigation privilege over cybersecurity investigations.
Cybersecurity incidents are usually closely managed by in-house or external counsel, given that the cause, consequences and response to the breach tie closely to the organization’s legal and regulatory risks. Correspondence, internal reports and expert assessments of incidents are routinely labelled privileged because they are requested by counsel or created to support the analysis of the company’s legal exposure. However, courts are only just starting to test the strength and breadth of those privilege claims in Canada.
The Ontario Superior Court considered this issue in Kaplan v. Casino Rama Services Inc., a proposed class action relating to a cyberattack on a casino. The plaintiffs sought production of a third-party investigative report, communications, and security audit records[1]. Casino Rama claimed privilege over the records. The court declined to rule on the privilege claim itself, but instead focused on waiver of privilege and relevance. Casino Rama had to disclose portions of the records it referred to in its certification materials (thereby waiving any valid privilege) and which were relevant to class size and scope (as opposed to broader issues of relevance to the merit of the claim if certified)[2].
A more common scenario involves a regulator’s request for a forensic report about a data breach in the course of an investigation. Typically, the forensic firm was hired and instructed by counsel and the report is marked privileged on the basis that it supports counsel’s legal advice to the client. But the report also includes detailed factual information about the evidence relating to the security compromise.
This issue came before the Ontario Information and Privacy Commissioner (IPC) following a cybersecurity attack on LifeLabs. In 2019, LifeLabs notified the IPC that it had suffered a compromise of personal and health information of approximately 15 million customers[3]. The IPC requested documents from LifeLabs relating to the incident and its internal investigation[4].
LifeLabs claimed litigation and solicitor-client privilege over various documents, including security testing and communications with hackers by its incident response advisors, as well as correspondence with third parties involved in its concurrent litigation defence[5]. Unless explicitly authorized by statute, Canadian regulators cannot compel production of privileged information to decide the validity of privilege claims. As a result, a privilege dispute between an organization and a regulator must be reviewed by the courts, or decided by the regulator on the basis of a description of the records only[6].
To address the privilege objections, the IPC demanded the production of an itemized list of responsive documents describing “what documents exist and the basis for each claim”[7]. Unsatisfied with LifeLabs’ response listing broad categories of documents, the IPC ordered production of third-party documents including forensic reports and internal analyses of changes made by LifeLabs in response to the breach[8]. Importantly, the IPC’s reasoning turned on the lack of evidence provided by LifeLabs to justify its claims of privilege rather than a specific finding that the documents were not privileged.
The Commissioner noted that it is not enough for a party to have been subject to concurrent litigation for incident response documents to be litigation privileged[9]. LifeLabs needed to rebut a presumed inference that “the third party documents were necessarily also created in response to the operational needs of the company as it dealt with the breach”[10]. As well, the mere communication of third-party reports in LifeLabs’ control to in-house or outside counsel did not necessarily give rise to solicitor-client privilege according to the IPC[11]. While LifeLabs indicated that it was seeking judicial review of this order, no public decision has yet been released.
The law is relatively more developed in the United States, with a fact-specific body of cases leading to the recent decision in In re Capital One.
Capital One had a standing retainer with Mandiant, a well-known cybersecurity advisory and incident response firm. After Capital One suffered a cybersecurity incident, external counsel engaged Mandiant, under the umbrella of the existing business retainer, to report on the “technical factors” leading to the breach[12]. Capital One relied on the work product doctrine (which is similar to litigation privilege in Canada) to resist production of this report in a consumer class action[13]. The court found that re-purposing a standing business retainer into a legal retainer was insufficient to establish privilege because Mandiant offered Capital One the same services before the cyber incident as afterwards. Put another way, the existing business advisory services could not be re-papered by counsel to protect them from production in litigation.
Notably, the court compared Capital One’s relationship with Mandiant to that of Experian and Mandiant in an earlier case[14]. In contrast to Capital One’s standing retainer, Experian had first retained outside counsel who then engaged the services of Mandiant[15]. In contrast to Capital One’s internal distribution of the forensic report, Mandiant sent its report to Experian’s outside and internal legal counsel, but not its internal incident response team, which supported the claim it was prepared for litigation rather than business advice[16].
The result is that while the report in Experian was protected, the report in Capital One had to be produced because the court was not convinced that the report would have been substantially different than if the company was not facing litigation relating to the data breach.
More recently, the Pennsylvania Federal Court required production of a forensic report in the Rutter’s data security breach litigation. The court found that the third-party investigative report generally focused on whether there had been a breach and its scope: factual information relevant to the business well before litigation was contemplated[17].
While the law on this issue is still developing across North America, organizations must consider privilege early in the investigation of cybersecurity incidents. Boards, management and incident response team members should consider:
© 2024 by Torys LLP.