The Divisional Court of the Ontario Superior Court of Justice considered privilege claims over cybersecurity investigation materials in the context of the LifeLabs cybersecurity breach.
Administrative law – Decisions reviewed – Investigations – Privilege; Judicial review – Procedural requirements and fairness – Standard of review – Correctness
Lifelabs LP v. Ontario (Information and Privacy Commissioner), [2024] O.J. No. 1901, Ontario Superior Court of Justice, April 30, 2024, F.E. McWatt A.C.J.S.C.J., A. Doyle and J. Leiper JJ.
This case stems from a 2019 data breach in which cyber attackers obtained personal health data of millions of Canadians. The target of the attack was LifeLabs LP ("LifeLabs"), a large provider of laboratory testing services in Canada, which holds sensitive personal health information regarding its customers. After becoming aware of the breach, LifeLabs notified the public and used external IT consultants to investigate the breach and negotiate with the cyber attackers. Members of the public launched class action lawsuits against LifeLabs.
The largest number of people affected by the attack lived in Ontario and British Columbia. As a result, the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC (collectively, the "Commissioners") launched a joint investigation into the data breach. During the joint investigation, the Commissioners sought documents from LifeLabs that it had obtained from its consultants, including:
- an investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the attack occurred;
- email correspondence between the cybersecurity firm and the cyber attackers;
- an internal data analysis by LifeLabs describing which individual health information had been affected by the breach; and
- communications between LifeLabs and the Commissioners, through legal counsel.
LifeLabs claimed privilege over the documents sought and refused to disclose the disputed documents.
The Commissioners considered LifeLabs' claims of privilege and rendered a joint decision that the claims of privilege should fail (the "Privilege Decision").
LifeLabs applied for judicial review of the Privilege Decision. LifeLabs argued that the Commissioners erred in their application of the law on solicitor-client privilege and litigation privilege. LifeLabs also argued that the Commissioners breached its right to procedural fairness by jointly deciding the privilege claims.
The Court dismissed the application for judicial review, finding that the Privilege Decision did not breach LifeLabs' right to an independent adjudication and was not procedurally unfair. Applying the standard of correctness, the Court held that the Commissioners did not err in their application of the law of privilege to the record before them. The Court found that neither solicitor-client privilege nor litigation privilege extended to the facts contained in the disputed documents, which LifeLabs had a statutory duty to disclose. The Court held that copying counsel or providing counsel with a copy of a document does not "cloak" the document or its underlying facts with privilege.
The Court found no merit to LifeLabs' argument that the Commissioners breached its right to procedural fairness by jointly deciding the privilege claims. The Privilege Decision was made within the larger context of a joint investigation for which there was statutory authority. Further, the Court noted the record was replete with LifeLabs' acknowledgment of the process of a joint investigation.
Originally published by LexisNexis® Harper Grey Insurance Law Netletter and the Harper Grey Administrative Law Newsletter
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.