When responding to a cyberattack, an organization will likely need to retain external cybersecurity, ransomware and digital forensics experts. Their work product (reports and other documents related to the incident or the organization’s data security practices) may later become the subject of a production request by either a regulator or plaintiff in litigation. It is therefore important to consider in advance if and how such work product may be protected by privilege in order to be able to respond adequately to such a request.
This issue – whether such documents are protected by privilege – arose in a recent decision of the Information and Privacy Commissioner of Ontario (the “IPC”). In PHIPA Decision 114, which followed a cybersecurity incident suffered by a large health company, the IPC found that the documents generated by third party experts were not privileged and were therefore subject to a demand for production. There are important lessons to be learned from this case.
In November 2019, one of Canada’s largest health diagnostics companies was the victim of a major cybersecurity incident (the “Incident”). Cyberattackers penetrated its networks, extracted data (including the personal health information of over 85,000 customers in Ontario), and demanded a ransom. This resulted in several class proceedings being commenced against the company.
In December 2019, the IPC sent a letter to the company asking a number of questions and ordered production of certain documents. This was followed by a back and forth with further demands for documents and assertions of privilege over certain requested documents. In February 2020, the IPC issued a Notice of Review, to notify the company that a review of the Incident had been commenced under the Personal Health Information Protection Act (“PHIPA”), and again demanded that the company produce a number of documents. The IPC’s demand included documents produced or received by cybersecurity firms retained by the company to assist in responding to the breach (the “Third Party Documents”). These included:
- an incident report generated by CrowdStrike (a cybersecurity IT company), including draft versions of the report (the “CrowdStrike Report”);
- a penetration test conducted by CrowdStrike after the Incident (the “Penetration Test”); and
- communications between the cyberattackers and Cytelligence, a firm retained to engage the cyberattackers (the “Cytelligence Communications”).
The company asserted litigation and solicitor-client privilege over the above documents. The IPC asked the company to produce an itemized list of documents over which it claimed privilege, containing detail sufficient to establish exactly what documents existed and the basis for each claim. The IPC also summonsed the interim general counsel of the company to ask further questions about the privilege claims.
The IPC considered whether there was sufficient evidence to support the claims of privilege. Importantly, the IPC was not addressing whether PHIPA gave it authority to compel production of privileged documents.
Litigation Privilege: The IPC found that the documents were not protected by litigation privilege because the company had not provided sufficient evidence that the documents had been created for the dominant purpose of litigation. Even absent any potential litigation, the company would have had to respond to the Incident under its statutory obligations to identify, contain, investigate and remediate potential privacy breaches. The IPC characterized the actions taken in response to these obligations as “operational needs” that stood independent of litigation. In reaching this conclusion, the IPC noted that:
- The retainer with CrowdStrike to provide incident response services predated the breach by several months, and consisted of assistance helping the company’s IT team to respond to, contain, investigate and remediate a prospective breach, as well as to provide strategic recommendations;
- As part of this service, Crowd Strike had performed an assessment of the company’s’ computer systems, and in doing so actually discovered the breach;
- CrowdStrike had performed the Penetration Test in order to test the Company’s systems before it publicly announced the breach, (so as to avoid a follow-up cyberattack); and
- The company had retained Cyintelligence to communicate with the cyberattackers, retrieve the stolen data from the cyberattackers, and understand how the cyberattackers had compromised the company’s systems (all of which were “operational needs”).
The IPC also rejected the argument that the underlying facts contained in the Third Party Documents were privileged because they were included in documents produced at the instruction of counsel.
Solicitor-Client Privilege: The IPC also rejected the claim of solicitor-client privilege. The IPC found that a blanket assertion of privilege over the Third Party Documents did not (i) explain which of these communications (if any) were made to/from either in-house or external counsel; or (ii) how they were made for the purpose of seeking or giving legal advice.
The IPC took the view that the company had not provided a list of privileged items as requested, but had instead produced a document listing out categories of documents that could exist for each retainer and asserting privilege over all of them. The IPC found that counsel had not provided sufficient detail about CrowdStrike’s work on behalf of the company.
As a result, the company was ordered to produce all of the Third Party Documents.
Takeaways for Business
The IPC’s decision illustrates how documents produced by third-party cybersecurity, ransomware and digital forensics experts in response to a cyberattack or other breach of security safeguards may become the subject of a regulator’s production demand, and may thereby also be available to plaintiffs in litigation resulting from a cyberattack. If an organization seeks to assert privilege over such documents, the regulator may ask the organization to provide detailed submissions or testimony as to why privilege should apply. Retainers, particularly advance retainers with third party providers, should be carefully worded.
Organizations should consider these privilege issues at the time of retaining an expert, and consider whether this should be done through counsel, so that, where appropriate, steps can be taken to situate their preparation within the context of impending litigation and/or seeking legal advice. In some cases, it may also then be helpful to provide explanations about the preparation and purpose of these reports so that the regulator (or the court) can assess these privilege issues. Retainers, particularly advance retainers with third party providers, should be carefully worded and have their scope precisely defined.
With sufficient advance preparation, and a clear understanding of the scope and application of privilege, an organization can reduce the risk that potentially damaging information may surface after a data incident.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including our unique advance retainer solution, breach response and breach preparation solutions.