Forensic reports are NOT privileged — Ontario Divisional Court

A comment by Canadian attorney David Fraser caught my eye on Infosec.Exchange:

This decision is going to be significant for all lawyers who work in cyber incident response and breach coaching. The IPC’s decision that forensic reports are NOT privileged was upheld as correct by the ON Divisional Court.

The case is LifeLabs LP v. ON IPC

Background

According to court documents, the case stems from a 2019 data breach in which threat actors obtained the personal health data of millions of Canadians from LifeLabs and demanded payment for its return. As part of its incident management, LifeLabs notified the public, set up call centres and used external IT experts to provide it with information about the breach and to negotiate with the threat actors.

Members of the public launched class action lawsuits against LifeLabs.

The Information and Privacy Commissioner of Ontario (“ON IPC”) announced it would investigate the cyber attack under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A (“PHIPA”). The ON IPC stated its investigation would be coordinated with the British Columbia’s Information and Privacy Commissioner (“BC IPC”).

During their investigation, the ON IPC and BC IPC sought information that LifeLabs had obtained from its consultants about the data breach and its systems. LifeLabs resisted, and claimed privilege over any reports or information in those reports (“disputed documents”)

Both information privacy commissions rejected their claims of privilege.

Issues Before the Court

LifeLabs sought an order quashing the Privilege Decision and a permanent order preventing publication of the Investigation Report on its findings from its joint investigation into the Ontario and British Columbia data breaches. It also seeks various declarations which are related to the application to quash and for non-publication orders.

LifeLabs raises two issues on review: whether the ON IPC and BC IPC breached their right to procedural fairness by jointly deciding the privilege issue, and whether they erred in their application of the law on solicitor-client privilege and litigation privilege to the facts. LifeLabs argues that since the Privilege Decision is wrong, it should be set aside, and this Court should order that ON IPC refrain from publishing the Investigation Report, or releasing any report that refers to the facts and documents over which LifeLabs has claimed privilege.

ON IPC responds, supported by the submissions of the intervener, BC IPC, that there was no breach of procedural fairness. LifeLabs was fully aware of the joint investigation and did not object at any time to that decision-making process. Joint investigations are common and are provided for by the relevant provincial legislation. The Privilege Decision arose from the issues raised by LifeLabs during the joint investigation and had an opportunity to make submissions to the Commissioners. The ON IPC and BC IPC further submit that the claims of privilege have no merit and that they did not err in applying the law of privilege.

Decision

The court dismissed LifeLab’s application for review, finding no error by the IPCs.

Findings

Although the investigation report was not published, some details about the breach were revealed by Saskatchewan Information and Privacy Commission (SIPC), who publicly reported the results of their investigation. Of note, the judgment included the following:

The SIPC found that LifeLabs’ servers in Ontario had a “code-level third party vulnerability” because a software patch had not been installed. The need for the patch was not caught by LifeLabs’ third-party vulnerability management system.

LifeLabs reported to the SIPC that the only way it might have discovered the need for a particular security patch was through one of its developers, who had received an unsolicited email notification of a patch. The email had landed in the developer’s junk mailbox. The developer was not part of the security team and was not required as part of his duties to LifeLabs to search his junk mailbox. LifeLabs had not finalized eleven (11) draft privacy and security policies at the time of the breach, although by the time of the SIPC’s final report, it had done so.

The cyber-attackers had gained undetected access to some of LifeLabs’ systems for over a year. On October 28, 2019, LifeLabs’ third-party consultant noted anomalous activity and contained the affected systems for investigation.

Although LifeLabs paid the attackers to return the data, the SIPC had found there was no guarantee that any of the data taken was not retained by the cyber-attackers to be used in other ways.

During the Saskatchewan investigation, LifeLabs had refused to provide any “critical incident reports” prepared by third-party IT firms to assist with determining how the breach occurred, what personal health information was affected, what safeguards were in place, the root cause of the breach and the measures to be taken to prevent the breach from happening again.

The ON IPC and the BC IPC had ordered them to produce he third-party consultant reports and reviewed those reports to make their determinations of privilege in advance of their final report.