Sally Yoon is an IPilogue Writer and a 3L JD Candidate at Osgoode Hall Law School. M. Imtiaz Karamat is an IP Osgoode Alumnus and an Associate at Deeth Williams Wall LLP. This article was originally published on the OBA’s Information Technology and Intellectual Property Law Section’s articles page.
Privacy breaches are becoming commonplace in today’s business landscape and cybersecurity is top of mind for many organizations, and for good reason. The 2022 Canadian Internet Registry Authority (CIRA) Cybersecurity Survey found that the number of breaches involving customer and employee information nearly doubled after the pandemic, and more businesses are reporting loss of customers from cyberattacks. This situation is exacerbated by the risk of litigation, as lawsuits are a legitimate consequence of a privacy breach. Ongoing activity in the privacy breach litigation space calls for organizations to re-examine their privilege strategies and prepare for potential scrutiny that may occur in the event of a dispute.
The Ongoing Litigation Risk
In 2022, Canadian courts continued to see litigation resulting from privacy breaches, with class actions being certified on the basis of a broad range of claims, including systemic negligence and breach of contract. There have also been significant developments in the jurisprudence for privacy breaches, such as the landmark release of three Ontario Court of Appeal decisions (Owsianik v Equifax Co., 2022 ONCA 813; Obodo v Trans Union of Canada, Inc., 2022 ONCA 814; and Winder v Marriott International, Inc., 2022 ONCA 815) in late 2022 that clarified the scope of liability in data breach class actions for the tort of intrusion upon seclusion.
The continued litigation reminds organizations and lawyers to ensure their privacy breach response plans conform with best practices. This is not only limited to having a robust IT framework, but includes adopting legal procedures to provide adequate protection and support. Privilege is an essential component of privacy breach litigation and should be a priority in a response strategy. In a privacy breach, legal privilege permits an organization to obtain legal advice about the incident without having to worry that such communications and related documents will be disclosed to others. This is crucial for breach response efforts, when the fast-paced environment requires candid conversations between counsel and client. Privilege is also an essential aspect for litigation preparation, by allowing lawyers to create necessary resources without fear that these materials may be disclosed and potentially used against their clients.
A Brief Review of Legal Privilege
Solicitor-client privilege and litigation privilege are two types of privilege that are involved in privacy breach litigation.
- Solicitor-client privilege protects communications that are between the lawyer and client, entail the seeking or giving of legal advice, and are intended to be confidential. It does not depend on ongoing or anticipated litigation, and it is permanent once applied, unless waived by the client.
- Litigation privilege protects documents and communications that were created or collected for the dominant purpose of litigation that is on-going or reasonably anticipated. The privilege terminates once the respective litigation ends.
Recent Canadian Privilege Disputes
Although not as extensive as other jurisdictions, Canada has seen privilege disputes in the context of privacy breaches. The outcomes of these disputes are important teaching points for organizations intending to develop their own privilege strategy.
Kaplan v Casino Rama Services Inc.
In Kaplan v Casino Rama Services Inc., 2018 ONSC 3545, a class action lawsuit was brought against the owners and operators of Casino Rama Resort (Casino Rama) following Casino Rama’s announcement of a large-scale cyberattack. During the certification stage of the lawsuit, Casino Rama relied on an affidavit that included information from reports of a cybersecurity company hired to investigate the incident. The plaintiffs requested production of the company’s reports, but Casino Rama declined on the basis of legal privilege.
The Ontario Superior Court of Justice (ONSC) found that if privilege was present, it would have been waived when the defendants disclosed and relied on information from the reports as evidence towards the size and scope of the class of persons affected by the breach. In its reasons, the ONSC said that “a party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue…” Therefore, the ONSC ordered production of the parts of the reports that related to the size and scope of the class of affected individuals.
More recently, the privilege debate is being examined in the context of information provided to provincial privacy commissioners. In November of 2019, LifeLabs LP (LifeLabs) notified the Information and Privacy Commissioner of Ontario (IPC) and the British Columbia Office of the Information and Privacy Commissioner (OIPC) that it fell victim to a cyberattack, which resulted in personal health data of approximately 15 million customers being extracted from its systems. The IPC and OIPC commenced a coordinated investigation into the incident and demanded that LifeLabs produce certain documents relevant to the investigation. LifeLabs provided some of the documents but asserted litigation or solicitor-client privilege over others.
On March 30, 2020, in PHIPA Decision 114, the IPC rejected LifeLabs’ claim of litigation privilege over the documents on the basis that the dominant purpose for the creation of the documents was not litigation. The IPC also disagreed with LifeLabs’ claim for solicitor-client privilege because LifeLabs failed to provide adequate support that it met the requirements for solicitor-client privilege (i.e., that the information in issue was communicated in confidence between lawyer and client; for the purpose of seeking legal advice; and the parties intended it to be confidential). The IPC stated that the mere fact of communication between a lawyer and their client or the transfer of reports to in-house or external counsel does not support a claim of solicitor-client privilege. The IPC further noted that “…while underlying facts given to counsel could be part of the ‘continuum of communication’ protected by solicitor-client privilege…unless disclosure of the underlying facts would reveal or allow for inference of confidential solicitor-client communications, the underlying facts themselves do not attract the privilege”.
Following PHIPA Decision 114, LifeLabs provided the documents in issue to the IPC and OIPC, but maintained that it did not waive privilege by doing so. In May 2020, the Commissioners advised LifeLabs of the information from the documents that they were contemplating using in their final report, which led LifeLabs to submit additional evidence and arguments to the IPC and OIPC in support of its privilege claim over the documents. However, in June 2020, the IPC and OIPC issued a joint decision (the Privilege Decision) that rejected LifeLabs’ claims.
In response, LifeLabs commenced applications for judicial review of the Privilege Decision in both Ontario and British Columbia. In the application, LifeLabs argues that the Privilege Decision was wrong in law in rejecting its privilege claims and challenges the IPC’s power to compel production of privileged documents. This matter is still ongoing in the courts, with related motions being heard as recently as late January 2023.
Developing a Privilege Strategy
With the above disputes in mind, it is important for organizations to develop a privilege strategy for responding to privacy breaches and preparing for potential litigation. These are some general best practices to keep in mind:
- Preparation: Prior to a privacy breach, businesses can ensure that they have a comprehensive breach response strategy, which addresses retaining legal counsel and considerations for protecting legal privilege. This strategy should be regularly updated to remain current.
- Consulting Legal Counsel: Contacting external legal counsel is a top priority upon learning of a potential breach. This allows the organization to begin obtaining the necessary legal advice to immediately respond to the matter and reinforces claims of privilege from the start. If the organization already has internal legal counsel that has been notified of the incident, it may still be prudent to retain external counsel. This is because in-house counsel often provide both business and legal advice, which may result in heavy scrutiny when claiming privilege in a dispute. Retaining external counsel in a breach response would reinforce that the advice being given is legal, as opposed to business-related.
- Control Communication Flow: In addition to ensuring that counsel is included in privileged communications, the distribution of such communications can be controlled and limited to only the necessary parties (including the necessary members of the organization), with the intention to limit distribution and preserve confidentiality. As part of the organization’s preparation, it can work with counsel to establish how information is to be communicated, the recipients of such information, and proper labeling practices (e.g., marking documents as “Privileged and Confidential”).
- Consider Privilege with Third-Party Service Providers: Communications with third-party service providers may be considered privileged when made for the purpose of helping counsel provide legal advice to the affected organization. This includes the use of cyber forensic experts to investigate a privacy incident and generate reports at the request of legal counsel. Where possible, third parties may be jointly retained by external counsel and the organization, and the terms of the retainer and supporting documents should reflect the legal nature of the engagement. The third party can also seek instructions and report to external counsel.
- Caution When Divulging Privileged Information: Organizations intending to maintain privilege should be cautious when disclosing privileged information to external parties. This includes being on the alert for inadvertent disclosure of privileged information in legal proceedings. It may also include stating that the organization does not intend to waive privilege by responding to disclosure demands from regulators.
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.