Data and AI Governance Consultant | INQ
In 2019, LifeLabs, a major laboratory testing provider in Canada, faced a severe data breach where cyber-attackers accessed personal health data of millions, leading to significant legal and operational repercussions. The case LifeLabs LP v. Information and Privacy Commissioner (Ontario) 2024 ONSC 2194, adjudicated by the Superior Court of Justice, revolves around this incident, shedding light on the boundaries of privileged information during investigations of privacy breaches.
This article summarizes the facts and the court’s findings, and offers tips for businesses on navigating investigations by privacy commissioners while avoiding pitfalls such as unfounded claims of privilege.
What Happened?
Cyber-attackers targeted LifeLabs, compromising the data of many Canadians, particularly those in Ontario and British Columbia. The data concerned included names, addresses, dates of birth, email addresses, health card numbers, passwords, security questions and answers, IP addresses, and lab results.
On October 31, 2019, the cyber-attackers contacted LifeLabs and demanded payment for the safe return of the personal data. LifeLabs paid the cyber-attackers in exchange for the data and an agreement not to publicly release it on the internet. Following this breach, the Ontario and BC privacy commissioners initiated a joint investigation, demanding access to various documents that LifeLabs hoped to protect under claims of privilege. The commissioners’ investigation report has not been published to date.
An important aspect of this case is a separate report by the Office of the Saskatchewan Information and Privacy Commissioner (SIPC), which independently investigated the breach and publicly revealed many details that LifeLabs had hoped to keep under wraps by claiming privilege. The commissioners, and subsequently the court, relied on this report repeatedly in arguing that the information LifeLabs claimed to be privileged was in fact no longer confidential, confidentiality being a prerequisite for a privilege claim.
Decision Overview
The crux of the judicial review was whether LifeLabs could legitimately claim solicitor-client and litigation privilege over certain documents produced during the investigation of the breach. LifeLabs’ goal was to keep these documents out of the investigation report to be published by the privacy commissioners. Specifically, the documents over which LifeLabs claimed privilege were:
The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred.
The email correspondence between the cyber intelligence firm and the cyber-attackers after the discovery of the attack by LifeLabs.
An internal data analysis prepared by LifeLabs to determine which individuals’ health information had been affected by the breach and to notify those affected pursuant to PHIPA.
A submission from LifeLabs to the commissioners dated May 15, 2020 in response to certain specific questions, communicated through legal counsel.
The report by Deloitte LLP prepared as part of the representations by LifeLabs and submitted to the commissioners for that purpose.
The Superior Court upheld the decision that these claims of privilege did not hold, emphasizing that factual information necessary for compliance with statutory duties must remain accessible. Such facts cannot be withheld simply because they were placed in reports provided to or prepared by legal counsel over which privilege was then claimed.
Key Takeaways for Businesses
1. Understand What Constitutes Privilege
Privileged information typically includes communications expressly between a lawyer and their client, specifically intended for legal advice, such as the litigation strategy. However, facts that exist independently of these communications are not protected under privilege, even if they are useful for preparing for litigation. For instance, factual details about a cybersecurity breach, even if communicated through legal channels, do not automatically qualify as privileged.
This case contains a good example of a failed strategy: the commissioners asked LifeLabs about security alerts received from its third-party cybersecurity software. LifeLabs had its counsel interview the employee who had information about these alerts. LifeLabs responded to the commissioners based on that interview, and then claimed privilege over the information on the basis that it was a solicitor-client communication and/or subject to litigation privilege.
Tips for Businesses:
Regularly review and understand the types of communications and documents that qualify for legal privilege.
Ensure that factual information, especially that which pertains to compliance and regulatory duties, is appropriately documented outside of privileged communications.
2. Compliance Over Privilege
The court noted that statutory obligations, such as those involving the investigation and remediation of data breaches under health information protection laws, cannot be circumvented by claiming privilege. It states very clearly that privilege did not attach to the disputed documents, relying among other things on the publication of the SIPC report on the case, and that even if the claims of privilege had been accepted, this would not have defeated the commissioners’ duty to make factual inquiries about the data breach. (The case is less clear, however, about what valid claims of privilege would mean for the publication of an investigation report.) This serves as a crucial reminder that compliance with legal and regulatory requirements takes precedence over protecting certain factual information as privileged.
Tips for Businesses:
Develop clear protocols for responding to data breaches that align with privacy compliance obligations.
Train your legal and compliance teams to distinguish between privileged legal advice and factual reporting necessary for statutory compliance.
3. Documentation and Transparency
The decision underlines the importance of transparent and accurate documentation of cybersecurity incidents and the remediation that follows. Businesses must ensure that their internal records accurately reflect the steps taken in response to a breach, and must be prepared to disclose these facts during investigations regardless of any privilege claims.
Tips for Businesses:
Implement robust documentation procedures that can withstand legal scrutiny.
Prioritize transparency with regulatory bodies, understanding that cooperation can mitigate potential penalties and foster trust.
Proactively engage with legal counsel to prepare for potential investigations.
Review past cases and regulatory guidelines to better understand the expectations and requirements of privacy commissioners.
Conclusion
The LifeLabs case serves as a pivotal learning point for businesses handling sensitive personal data. It underscores the necessity of balancing legal privileges with statutory duties, particularly in the context of privacy breaches.
If your business is navigating the complex landscape of a data breach or requires expert guidance on managing privacy and compliance issues effectively, reach out to INQ Consulting. INQ Consulting specializes in data protection and AI governance, offering tailored solutions that address the unique challenges presented by today's digital threats. Engaging with their team of experts can ensure that your organization not only meets legal requirements but also fortifies its defenses against future vulnerabilities. Don't let your business face these critical challenges alone—partner with INQ Consulting to safeguard your data and your reputation.
To learn more, visit www.inq.consulting or contact us at ai@inq.consulting. To keep up with the latest in AI news, subscribe to the Think INQ newsletter.