DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Forensic reports are NOT privileged — Ontario Divisional Court

Posted on May 4, 2024 by Dissent

A comment by Canadian attorney David Fraser caught my eye on Infosec.Exchange:

This decision is going to be significant for all lawyers who work in cyber incident response and breach coaching. The IPC’s decision that forensic reports are NOT privileged was upheld as correct by the ON Divisional Court.

The case is LifeLabs LP v. ON IPC

Background

According to court documents, the case stems from a 2019 data breach in which threat actors obtained the personal health data of millions of Canadians from LifeLabs and demanded payment for its return.  As part of its incident management, LifeLabs notified the public, set up call centres and used external IT experts to provide it with information about the breach and to negotiate with the threat actors.

Members of the public launched class action lawsuits against LifeLabs.

The Information and Privacy Commissioner of Ontario (“ON IPC”) announced it would investigate the cyber attack under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A (“PHIPA”).  The ON IPC stated its investigation would be coordinated with the British Columbia’s Information and Privacy Commissioner (“BC IPC”).

During their investigation, the ON IPC and BC IPC sought information that LifeLabs had obtained from its consultants about the data breach and its systems. LifeLabs resisted, and claimed privilege over any reports or information in those reports (“disputed documents”)

Both information privacy commissions rejected their claims of privilege.

Issues Before the Court

LifeLabs sought an order quashing the Privilege Decision and a permanent order preventing publication of the Investigation Report on its findings from its joint investigation into the Ontario and British Columbia data breaches. It also seeks various declarations which are related to the application to quash and for non-publication orders.

LifeLabs raises two issues on review: whether the ON IPC and BC IPC breached their right to procedural fairness by jointly deciding the privilege issue, and whether they erred in their application of the law on solicitor-client privilege and litigation privilege to the facts. LifeLabs argues that since the Privilege Decision is wrong, it should be set aside, and this Court should order that ON IPC refrain from publishing the Investigation Report, or releasing any report that refers to the facts and documents over which LifeLabs has claimed privilege.

ON IPC responds, supported by the submissions of the intervener, BC IPC, that there was no breach of procedural fairness. LifeLabs was fully aware of the joint investigation and did not object at any time to that decision-making process. Joint investigations are common and are provided for by the relevant provincial legislation. The Privilege Decision arose from the issues raised by LifeLabs during the joint investigation and had an opportunity to make submissions to the Commissioners. The ON IPC and BC IPC further submit that the claims of privilege have no merit and that they did not err in applying the law of privilege.

Decision

The court dismissed LifeLab’s application for review, finding no error by the IPCs.

Findings

Although the investigation report was not published, some details about the breach were revealed by Saskatchewan Information and Privacy Commission (SIPC), who publicly reported the results of their investigation. Of note, the judgment included the following:

The SIPC found that LifeLabs’ servers in Ontario had a “code-level third party vulnerability” because a software patch had not been installed. The need for the patch was not caught by LifeLabs’ third-party vulnerability management system.

LifeLabs reported to the SIPC that the only way it might have discovered the need for a particular security patch was through one of its developers, who had received an unsolicited email notification of a patch. The email had landed in the developer’s junk mailbox. The developer was not part of the security team and was not required as part of his duties to LifeLabs to search his junk mailbox. LifeLabs had not finalized eleven (11) draft privacy and security policies at the time of the breach, although by the time of the SIPC’s final report, it had done so.

The cyber-attackers had gained undetected access to some of LifeLabs’ systems for over a year. On October 28, 2019, LifeLabs’ third-party consultant noted anomalous activity and contained the affected systems for investigation.

Although LifeLabs paid the attackers to return the data, the SIPC had found there was no guarantee that any of the data taken was not retained by the cyber-attackers to be used in other ways.

During the Saskatchewan investigation, LifeLabs had refused to provide any “critical incident reports” prepared by third-party IT firms to assist with determining how the breach occurred, what personal health information was affected, what safeguards were in place, the root cause of the breach and the measures to be taken to prevent the breach from happening again.

The ON IPC and the BC IPC had ordered them to produce he third-party consultant reports and reviewed those reports to make their determinations of privilege in advance of their final report.

Read more about the case at Canli.org

Category: Blog

Post navigation

← Years later, Marriott admits data were not encrypted before its 2018 data breach. Now what?
Fred Hutch notifies more patients of November 2023 attack (1) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch (1)
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.