You may have noticed privacy regulators in British Columbia and Ontario recently issued an investigation report about the 2019 LifeLabs data breach — a cyberattack that compromised the personal health information of millions of Canadians. But here's the thing: this investigation report is over four years old. Why the delay? Because LifeLabs took the matter to court, arguing solicitor-client and litigation privilege should prevent its release.
LifeLabs contended that certain documents and communications related to their cybersecurity investigation were privileged and took steps to keep the report confidential. The Ontario Superior Court of Justice Divisional Court, however, ultimately found neither solicitor-client privilege nor litigation privilege extended to the facts contained in the disputed documents, which LifeLabs had a statutory duty to disclose as part of its duty to cooperate with the regulatory investigation.
The court emphasized that merely involving legal counsel does not automatically cloak documents or their underlying facts with privilege. Interestingly, the court also mentioned that Canadian regulators are permitted to rely on or be influenced by American jurisprudence. In this case, the somewhat aging Capital One case from the U.S. was used to support the notion that expert cyber reports, even if they involve legal counsel, do not necessarily become privileged.
This isn't the first time we've seen a company try to block the release of a privacy investigation report. Remember the Aylo, formerly MindGeek, battle with the Office of the Privacy Commissioner of Canada? The Federal Court of Appeal dismissed this attempt as well, allowing the report's publication.
Solicitor-client privilege protects confidential communications between a lawyer and their client made for the purpose of seeking or providing legal advice. Litigation privilege covers documents and communications created primarily for the purpose of litigation. These privileges are fundamental to the legal system, ensuring candid communication between clients and their legal advisors.
However, these privileges have limits, especially when they conflict with statutory duties to provide information to regulators. So what did we learn from this?
The LifeLabs case demonstrates that organizations cannot use privilege to withhold facts they're legally obligated to disclose. I think it's useful to understand that privilege has some limits and that involving legal counsel as part of a breach remediation and subsequent investigation does not automatically render everything exchanged privileged.
Solicitor-client or litigation privilege can't be used as a catch-all to block regulatory transparency. So, organizations should ensure their privilege claims are specific and defensible, not just an attempt to avoid reputational harm.
We can also see from this that transparency does matter and delays in releasing investigation findings can erode public trust.
Finally, privacy regulators and courts expect organizations to cooperate with investigations. Attempting to block reports might win time, but it risks reputational damage and could lead to harsher regulatory responses in the long run.
Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada for the IAPP.