Reliance on Forensic Expert Evidence in Cyber-Attack Class Action Results in Waiver of Privilege
In the recent decision Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, the Ontario Superior Court ordered the defendants to produce excerpts of reports prepared by the forensic experts who conducted an investigation following a data breach. The Court held that the defendants waived privilege over the documents by relying on the findings of the expert reports in opposition to the plaintiffs’ certification application.
The representative plaintiffs brought a class action against CHC Casinos Limited, Casino Rama Services Inc., and Ontario Lottery and Gaming Corporation (the “defendants”) after a cyber-attack was announced by Casino Rama Resort on November 10, 2016. CHC, which operates Casino Rama, notified approximately 200,000 individuals of the cyber-attack.
The Defendants filed an affidavit in response to the certification motion. That affidavit included references to Mandiant, a third party cybersecurity company hired to conduct an investigation on the cyber-attack, as well as all supporting documentation prepared by and provided to Mandiant in the course of its investigation. Mandiant provided two reports to CHC and its counsel which summarized Mandiant’s observations, findings and opinions arising out of the attack, and outlined remediation activities. According to the affidavit, the reports advised that many of the individuals who received notice of the cyber-attack were not affected by the data breach.
In advance of the affiant’s cross-examination, the plaintiffs brought a motion under section 12 of the Class Proceedings Act 1992 requiring the defendants to produce copies of all of the reports and supporting documentation “relevant to the size and scope of the class” that were related to their investigation of the attack. The defendants argued that the documents were privileged. The issue before the court on the motion was whether any of the documents sought by the plaintiffs ought to be produced, and if so, whether any restrictions or redactions on those documents were necessary.
Justice Glustein ruled in favour of the plaintiffs, ordering disclosure of the reports only to the extent that the reports were relevant to the size and scope of the class. The court held that it would be unfair to accept the defendants’ evidence on the size and scope of the prospective class, which was based on the investigation, without producing the portions of the reports related to that issue. Furthermore, the affiant chose to rely on the expert analysis contained in the report, which meant that any privilege attached to that aspect of the report was waived.
Notably, Justice Glustein did not decide whether the reports in question were privileged. Instead, he determined that the if the documents were assumed to be privileged, the defendants waived that privilege to the extent the reports addressed the size and scope of the prospective class:
“A party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue. Waiver of privilege would be required as a matter of fairness, but limited only to the issue disclosed.”
Essentially, the Court held that the defendants’ reliance on one portion of the report did not waive privilege for unrelated portions of the same report. Justice Glustein also considered the principles of relevance, finding that the affiant’s reliance on the forensic report in relation to the size and scope of the class was relevant to the certification motion. The Court ordered disclosure of the forensic reports to the extent they related to the certification motion.
Justice Glustein also held that the doctrine of proportionality limited the production to documents that were proportionate to satisfy the needs of the certification motion and what was necessary to inform the certification hearing. This limited production to the relevant excerpts from the reports relating to the size and scope of the class. Anything more would have been an “unfair imposition on [the] defendants”.
Generally, expert reports obtained through external counsel are considered privileged and protected from disclosure for litigation under Rule 31.06(3) of the Rules of Civil Procedure. Privilege belongs to the client and can be waived implicitly or explicitly. This case is an example of implicit waiver of that privilege upon the reliance and disclosure of particular evidence in the class action litigation context.
This decision highlights the importance of considering how information in privileged documents is used in data breach class actions, and the challenge presented in trying to maintain privilege over documents like forensic reports. Companies should consider the risk of potentially waiving privilege when disclosing the findings and reports of forensic experts in litigation arising from a data breach. Since the Ontario Class Proceedings Act requires each party to provide the party’s best information on the number of members in the class, reliance on the information obtained by a forensic expert regarding the size and scope of the class waives any privilege attached to that information.
Visit our Cybersecurity, Privacy & Data Management page and contact us with any questions or for assistance.
 Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, para 9.
 Ibid at para 12.
 Ibid at para 26.
 Ibid at para 47
 Class Proceedings Act 1992, SO 1992, c 6, s 5(3).