The Ontario Divisional Court released an important decision this week in a judicial review case that I thought would be worth highlighting.
The party bringing the judicial review was LifeLabs, the same entity that made national headlines when it experienced a large multiprovince ransomware attack a few years ago.
LifeLabs wanted the court to quash decisions by the Office of the Information Privacy Commissioner of Ontario following an investigation into the circumstances surrounding the data breach. In particular, LifeLabs claimed the information that was submitted as part of the investigation was covered by either solicitor-client privilege or litigation privilege, but the IPC disagreed with that assertion and concluded such privileges did not apply.
When organizations experience a breach, the first thing they tend to do is retain a lawyer. The lawyer then enters into a three-way contract between the client, the lawyer and a cybersecurity forensic firm. The reason the lawyer enters the contract is to ensure the information-gathering being done as part of the cybersecurity work is covered by privilege.
A few years ago, a U.S. court pierced that veil in a case involving Capital One. Well, that veil is now pierced in Ontario as well via the LifeLabs case.
Both the IPC and the court concluded the information at issue was not subject to privilege, meaning it can be looked at in the course of investigations into the breach. Now lawyers that help breach victims will need to rethink how they set up their relationships to try and regain some of the advantages that having privilege can offer.
I'm not quite ready to do away with the three-way agreements I'm accustomed to using in the breach cases that I'm retained on. That being said, I'm sure that over time other techniques will emerge to try and establish a privileged relationship between the client and the cybersecurity firm.
It will be interesting to see if LifeLabs chooses to appeal to the Ontario Court of Appeal.
In other Ontario IPC news this week, Khaled El Eman was appointed the regulator's next scholar in residence. With his vast expertise in health privacy issues, anonymization and artificial intelligence, I think bringing him onboard is an excellent idea and the kind of thing more regulators should consider doing.
Regulators are far too often criticized for not having enough variety in their perspectives or first-hand industry knowledge. This type of move is an excellent way for a regulator to tap into the knowledge of academics and industry leaders.
My congratulations to El Eman and to the IPC.