Relying on Forensic Expert Report in Cyber-Attack Class Actions May Waive Privilege
Can a defendant use the findings from an investigation on the scope of a cyber-attack to oppose certification of a data breach class action? In Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, the Ontario Superior Court said yes, but there may be a waiver of privilege in doing so.
In Kaplan, the defendant sent notice of a breach to approximately 200,000 individuals potentially affected by a cyber-attack. In the ensuing class action, the plaintiff proposed to argue at certification that the 200,000 people provided with notice could serve as a “proxy” for the definition of the class at certification. In response, the defendant delivered an affidavit that referred to findings of the expert it had hired to investigate the attack. The expert concluded that not all of the individuals who had received notice of the breach were actually affected and, in fact, the number of affected individuals was less.
After receiving the defendant’s affidavit, the plaintiff brought a motion for production of the defendant’s entire breach investigation file. It argued that the defendant’s expert’s findings were relevant to certification regarding the size and the scope of the class, and that the defendant’s reliance on the expert’s findings in its affidavit had waived any privilege over the investigation.
Justice Glustein agreed there was a waiver of any applicable privilege over the expert’s findings, but only to the extent relied upon in the affidavit and relevant to certification (i.e., regarding size and scope of the prospective class):
“A party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue. Waiver of privilege would be required as a matter of fairness, but limited only to the issue disclosed… it may be that the [expert reports] contain numerous findings, opinions, or conclusions about the events that relate to the cyberattack (including remediation), but issues such as the liability of the Defendants with respect to the breach are not raised in the [defendant’s affidavit]. Privilege on such other issues is not waived, nor would such evidence be relevant to the certification motion.”