
Legal Privilege and Data Security Incident Response

Law and Practice

Dan Michaluk, Hicks Morley1

This is a paper for internal and external legal counsel who help organizations with data
security incident response. It addresses how to structure the response process to
support a claim that communications and documents generated in the process are
privileged.

The role of lawyers in incident response

Incident response, working well, should invite reasonably prompt engagement of an “incident response team” – a group of handlers who “analyze the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services.”2

Not all incidents require the engagement of legal counsel. The National Institute of
Standards and Technology identifies internal legal departments as a mere
“dependency,” and sets out the following role:

Legal experts should review incident response plans, policies, and procedures to ensure their compliance with law and Federal guidance, including the right to privacy. In addition, the guidance of the general counsel or legal department should be sought if there is reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect, or a lawsuit, or if there may be a need for a memorandum of understanding (MOU) or other binding agreements involving liability limitations for information sharing.3

In practice, incidents that involve or may involve the compromise of personal information are treated as if they “may have legal ramifications.” Lawyers do not just participate – they assume control of the incident response process, directing all investigation activity and advising on steps to take in order to mitigate legal risks.

1 A data security, privacy and FOI lawyer and partner at Hicks Morley who has helped organizations respond to data security incidents, workplace fatalities and other critical events since 2006 and has represented organizations in numerous privilege-related FOI appeals. With thanks to Ian Dick for reviewing a draft and providing insightful comments.
2 Computer Security Incident Handling Guide, National Institute of Standards and Technology, Special Publication 800-61, Rev 2 (August 2012), 13.
3 Ibid, 27.

Lawyers should be in this role to best mitigate the organization’s legal risks. The
collateral benefit of putting a lawyer in charge of incident response is the creation of a
sound basis for privilege.

Two types of privilege

Canadian law recognizes numerous types of privilege. The two types of privilege we
will focus on for the purpose of this paper are solicitor-client privilege and litigation
privilege. Both types of privilege are highly relevant to the incident response process,
and each type of privilege has distinct requirements and a distinct scope.

Solicitor-client privilege

Solicitor-client privilege protects confidential “communications” between a lawyer and their client that entail the giving and seeking of legal advice.4 Legal advice encompasses advice as to what should be done in the relevant legal context5 – a characterization broad enough to apply to the tasks ordinarily conducted by lawyers who coordinate incident response.

Communications are privileged, not facts that exist independently of a privileged communication.6 For example, a compromised organization may write its lawyer to convey that the cause of an incident is a particular failure based on facts A, B and C. That communication is privileged, but documentary evidence tending to prove facts A, B and C is not.

Given that solicitor-client privilege attaches to communications between a lawyer and their client, issues arise when a third party is involved in conveying to the lawyer the factual basis upon which advice is to be given. In incident response, this fact gathering can be a product of witness interviews and computer forensic investigation.

Lawyer-conducted interviews with an organization’s employees may rightly be considered to be privileged communication between solicitor and client and not a third-party communication at all.7 Such interviews with non-employees cannot. Consider lawyer-conducted interviews of a university’s students undertaken in pursuit of a hacker who has compromised the university’s system; no reasonable claim to solicitor-client privilege can be made.

4 Solosky v The Queen, [1980] 1 SCR 821, 1979 CanLII 9 (SCC), 837.
5 Gower v Tolko Manitoba Inc, 2001 MBCA 11 (CanLII), para 19 (Tolko).
6 Foster Wheeler Power Co v Société intermunicipale de gestion et d'élimination des déchets (SIGED) inc, [2004] 1 SCR 456, 2004 SCC 18 (CanLII), para 39.
7 Supra, Tolko, para 38. It should not matter whether the lawyer’s notes are a verbatim transcript of the interview or a product of some degree of judgement. For this argument see Gerald Chan and Carolo Di Carlo, “A Purposive Approach to Privilege in the Context of Internal Investigations” (2019), 49 Advocate’s Quarterly 306.

Third-party computer forensic investigators are often retained in response to an incident to facilitate the giving of confidential incident-related legal advice, raising an issue about whether their contribution to the response effort is severable from the solicitor-client relationship or, alternatively, “essential to the maintenance or operation of the client-solicitor relationship.”8

The most protective framing may be one that has the lawyer and forensic expert
working side-by-side, with the expert authorized to seek and receive legal advice from
the instructing lawyer in rendering their own services.9 On this point, Justice Doherty’s
reasoning in Chrusz is important. He says that a third-party may be retained to
“[assemble] and translate information provided by the client so that the solicitor can
understand the nature and legal significance of it.”10 So long as the assembling is from
internal sources of information (or data) rather than the “outside world,” the claim to
solicitor-client privilege is sound.11 This construct fits the solicitor-computer forensics
professional-client relationship well.

Litigation privilege

Litigation privilege protects communications and documents prepared for the “dominant purpose” of existing or anticipated litigation.12 “Litigation” includes regulatory investigations that could result in prosecution.13

In a sense, litigation privilege is broader than solicitor-client privilege because it protects both solicitor-client communications and documents that are derivative of the solicitor-client relationship, including communications with third parties.14 However, unlike solicitor-client privilege (which exists indefinitely unless waived), litigation privilege terminates when litigation ends.15

The dominant purpose requirement is central to a litigation privilege claim in the context of data security incident response. The “bad fact” that must be carefully managed in every incident is the fact of routine: every incident invites an investigation, but only some investigations will be for the dominant purpose of existing or anticipated litigation.

8 See General Accident Assurance Company v Chrusz, 1999 CanLII 7320 (ON CA), 50 (Chrusz).
9 See Camp Development Corporation v South Coast Greater Vancouver Transportation Authority, 2011 BCSC 88 (CanLII).
10 Chrusz, supra 48.
11 Ibid, 49.
12 Lizotte v Aviva Insurance Company of Canada, [2016] 2 SCR 521, 2016 SCC 52 (CanLII), para 1.
13 TransAlta Corporation v Market Surveillance Administrator, 2014 ABCA 196 (CanLII), para 40.
14 Blank v Canada (Minister of Justice), [2006] 2 SCR 319, 2006 SCC 39 (CanLII), para 32 (Blank): “Confidentiality, the sine qua non of the solicitor-client privilege, is not an essential component of the litigation privilege.”
15 Blank, supra, para 36 (along with any “closely related proceedings”). The common law temporal limit does not necessarily apply to privilege exemptions in freedom of information statutes: see Ontario (Attorney General) v Holly Big Canoe, 2002 CanLII 18055 (ON CA), para 13.

Importantly, there may be more than one purpose that calls for an investigation, and
the mere existence of a purpose other than litigation will not necessarily preclude a
litigation privilege claim.16

Incident response counsel should also bear in mind that there can be no dominant
purpose if litigation is not a “reasonable prospect,”17 and although a claimant’s
subjective concerns about the prospect of litigation are irrelevant, a court may critically
examine the process by which a decision to invoke the protection of litigation privilege
has been reached.18

Practical considerations

In light of the above, incident response counsel and incident-response policy-makers should consider the following:

• Writing incident response policies to invite a careful and express decision to invoke privilege. Who makes the decision? When? Based on what information? How is it to be documented? The policy should address these questions.

• Forming incident response teams that are comprised of all necessary personnel
and no unnecessary personnel. Limited team size will facilitate confidentiality,
which will facilitate privilege claims.

• Establishing a communication protocol with a view to keeping all substantive communications about the incident protected from disclosure. Tell team members to avoid texting and e-mailing each other about the incident except to deal with routine administrative and factual matters. Explain to team members that any concerns about the incident and any discoveries can (and should) be safely brought to legal counsel’s attention.

• Establishing a retainer with forensic and other experts with a view to claiming privilege over the experts’ work product. Experts should receive direction from counsel, report to counsel and should be authorized to receive legal advice from counsel on behalf of the client.

• Having counsel conduct witness interviews. If that can’t be done, tightly script witness interviews.19 Interview notes should be marked as confidential and privileged.

• Vetting all third-party and public communications, and creating a tracking sheet for facts and conclusions that have been released.

16 Mamaca v Coseco Insurance Company, 2007 CanLII 54963 (ON SC), para 6. Alberta authority indicates that the claim may need to be justified on a rather expensive, record-by-record basis: Alberta v Suncor Inc, 2017 ABCA 221 (CanLII), para 43. Compare this with Ontario authority that suggests a court may decide whether or not to require a document-by-document justification: Coseco, supra, para 21.
17 Strong v General Motors of Canada Ltd, 1996 CanLII 8161 (ON SC), para 14 and Hamalainen v Sippola, 1991 BCCA 440, paras 22 and 26.
18 See e.g., Celli v White, 2010 BCSC 313 (CanLII).

Following these steps, and paying careful attention to roles, responsibilities and communication protocol, will prove to be of great assistance if the anticipated litigation becomes a reality or if the public seeks access to information under freedom of information legislation.

November 25, 2019 Draft20

19 The failure to script interviews explains why recordings of “witness statements” given to a defendant’s employee, who acted under very loose direction of corporate counsel, were not treated as subject to litigation privilege and were ordered disclosed by Justice Nordheimer in R v Assessment Direct Inc, 2017 ONSC 5686.
20 Prepared for Cybersecurity in Higher Education: Preparing and Improving to Mitigate Risk, a CAUBO-CUCCIO workshop.