LifeLabs is seeking leave to appeal an Ontario Superior Court of Justice decision that found the medical services company cannot defeat statutory responsibilities by placing facts about privacy breaches inside privileged documents.
One cyber insurance expert doesn’t believe the appeal will be successful. “It’s an established principle that facts cannot be privileged,” Neal Jardine, global director of cyber risk intelligence and claims with BOXX Insurance, told Canadian Underwriter.
The Apr. 30 Superior Court ruling (LifeLabs LP v. Information and Privacy Commr. (Ontario)) revolved around a 2019 data breach in which cyber attackers obtained the personal health data of millions of Canadians. More than 8 million LifeLabs customers in Ontario and British Columbia were affected, and the privacy commissioners of both provinces conducted a joint investigation into the cyberattack.
“Although LifeLabs complied with the orders and recommendations set out in the joint investigation report, the company claimed the report should not be released to the public as it contained solicitor-client and litigation-privileged information,” the Information and Privacy Commissioner of Ontario (ON IPC) said in a press release.
LifeLabs brought an application for judicial review of the ON IPC and Office of the Information and Privacy Commissioner for British Columbia’s (BC IPC) decision to dismiss LifeLabs’ request and proceed with the publication of the report.
In its initial decision on the matter, the Ontario Superior Court found:
“ON IPC asked LifeLabs about security alerts for a piece of software to address vulnerabilities on May 15, 2020. LifeLabs had their counsel interview the employee who had information about the question. LifeLabs then provided responses based on that interview, and then claimed privilege over that information on the basis that it was a solicitor-client communication and/or subject to litigation privilege.”
Ontario’s Superior Court unanimously upheld the decision to publish the ON IPC’s investigation report. “The court held that health information custodians cannot evade their responsibilities under Ontario’s health privacy law by categorizing facts about privacy breaches as privileged information,” ON IPC says in the release.
But despite “its significant public education value,” the report still cannot be published because of LifeLabs’ intention to appeal the ruling, ON IPC says. “[ON IPC and BC IPC] must wait for a ruling from the Court of Appeal for Ontario on whether any information in the investigation report is privileged or confidential before publishing the report.”
Jardine says the LifeLabs case is significant, because it clarifies that companies can’t privilege the facts of a case.
Discussion versus facts
“You can privilege the discussion or the comments between lawyers and their clients around what happened, but you can’t privilege the facts,” Jardine says. “The facts are the facts.
“Accurate information is essential for the privacy commissioner to determine how the breach occurred, what was exposed, and whether your response was appropriate. The relevant information to support their review will be made public in their report.”
Saskatchewan’s privacy commissioner had already publicly reported on its investigation into the breach.
Jardine believes this case will clarify the post-report handling of cyber events by insurance companies and adjusters.
“When a cyber event happens, the first question I am asked is if litigation privilege needs to be invoked. This legal precedent, when the appeal is not successful, will confirm that privilege can’t be used to protect the facts of a cyber event that are required to be disclosed to meet privacy statutory responsibilities.”
Jardine says constant identification of the facts, versus what is anecdotal, contextual or opinion, is key. Facts are best placed in a separate report to legal counsel in anticipation of litigation.
Jardine says he understands insureds wanting to keep everything privileged — you don’t want to disclose information about the incident or investigation that could lead to a cybercriminal becoming aware of your cyber risk management techniques or how you protect your network, and potentially open yourself up to future cyberattacks.
Keep it separate
But at the same time, he reminds his clients that you need to disclose enough of the facts of the cyber incident so privacy commissioners understand decisions made relative to statutory obligations regarding reporting and notification to those whose privacy may have been compromised.
In LifeLabs, ON IPC asked the company about security alerts for a piece of software to address vulnerabilities. LifeLabs had its counsel interview the employee who had information about the question.
“LifeLabs then provided responses based on that interview, and then claimed privilege over that information on the basis that it was a solicitor-client communication and/or subject to litigation privilege…” the decision reads. “[We] reject this submission on the statutory authority of the ON IPC to conduct investigations into the duties owed by health custodians and the law of privilege.”
What lessons should cyber clients take from the ruling?
“Issues of privilege can be critical and clients need to know their insurer’s strategy on when and how to bring in counsel to protect the investigation and opinions for privilege,” Jardine says. “Privilege can be a valuable tool if those whose privacy has been violated choose to claim damages against you. Not all claims need counsel or privilege, but when necessary, their advice and assistance is critical to mitigating a cyber loss.”
If privilege will be advantageous to the defence, you need to assign counsel before the forensic team is assigned, he says. “Experienced cyber insurance adjusters know that certain businesses have a high probability of a privacy exposure due to the nature of their operations and counsel needs to be assigned quickly. Other businesses may not have a privacy exposure that warrants privilege counsel.
“Understanding clients’ exposures on the initial reporting of cyber events will ensure that the right experts are involved quickly.”
Be aware that the facts of the privacy exposure will need to be disclosed to privacy commissioners. “Keep the facts of the incident separate from those privileged client conversations, emails, opinions and investigations,” Jardine says. “Keep the facts in one report, and what can be privileged clearly identified and in a separate report to counsel.”
Feature image by iStock.com/putilich