Protecting Legal Privilege in a Data Breach Response

This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group.

Responding to a data breach is a complex and fast-moving process involving a range of participants. Throughout this process, organizations will have communications and documents that are subject to legal privilege. Legal privilege is an important substantive right and a bedrock principle of our justice system. It allows an organization to communicate freely with its lawyers about a data breach to obtain candid legal advice, without fear that these communications and related documents will be disclosed to others, including in litigation. It also allows an organization’s lawyers to take steps to defend the organization in litigation or in anticipation of litigation, without fear that their “lawyer’s brief” might be disclosed to others and used against their client.

As such, protecting the organization’s legal privilege is essential, and it can be lost if certain steps are not taken to maintain it. To help you navigate these complexities, we provide below a primer on legal privilege and outline best practices for protecting legal privilege in a data breach response.

A primer on legal privilege

Two types of legal privilege are typically engaged in a data breach response:

  1. Solicitor-client privilege protects: (1) communications between a client and their lawyer; (2) that involve the seeking or giving of legal advice; and (3) that are intended to be confidential.[1] This privilege applies whether or not litigation was ongoing or anticipated at the time of the communication.[2] Once applied, the privilege is permanent, unless and until it is waived by the client.[3]

Example: An email from an internal investigation team member to counsel asking about the risk of a class action arising from a data breach would fall within the scope of solicitor-client privilege.

  2. Litigation privilege protects documents and communications made or collected for the purpose of litigation. In particular, it applies where: (1) litigation was ongoing or reasonably anticipated at the time the document or communication was made or collected; and (2) the document or communication was made or collected for the dominant purpose of litigation.[4] This privilege is not restricted to communications between a client and their lawyer.[5] The privilege ends once the litigation that gave rise to it ends.[6]

Example: A cyber forensic report prepared at the instruction of counsel for the purpose of litigation would fall within the scope of litigation privilege.

Thus, solicitor-client privilege protects a relationship (the solicitor-client relationship), whereas litigation privilege facilitates a process (the litigation process).[7] Both of these privileges require the involvement of legal counsel, and either or both may attach to any particular document or communication.[8] If a document or communication is privileged, it is generally protected from disclosure.[9] That protection may be lost, however, through deliberate or even inadvertent conduct by the privilege holder.[10] For example, it may be lost through disclosure to a third party.[11]

Best practices for protecting legal privilege in a data breach response

Data breaches are fast-moving crisis situations. While each one is unique and requires advice specific to the situation, there are some general best practices that, if implemented, will help organizations minimize the potential loss of legal privilege as they navigate a data breach response.

  1. Be prepared. Preparation is the key to a successful data breach response. Rather than waiting until after a breach occurs, organizations should prepare a comprehensive data breach response strategy, including a sound plan for retaining counsel and protecting legal privilege, before a breach occurs. Organizations should regularly update and provide training on that strategy to ensure it remains current and is well understood throughout the organization.
  2. Consult legal counsel immediately. Upon learning of an actual or potential data breach, the organization should consult legal counsel. This should include both in-house counsel and external counsel because organizations may have greater difficulty establishing that communications with in-house counsel (as compared to communications with external counsel) involve the seeking or giving of legal (rather than business) advice.[12] Immediately notifying counsel will better ensure that the organization gets necessary legal advice as it makes critical first decisions in the immediate response period, complies with its legal obligations, and gets advice on how to protect its legal privilege throughout the response process. Retaining counsel should not be an afterthought.
  3. Consider establishing separate operational and legal response teams where appropriate. Establishing two separate response teams — one operational and the other legal — can help protect legal privilege.[13] In particular, this can help establish and maintain a clear separation between privileged and non-privileged information.
  4. Protect privilege over communications with third-party service providers. Some communications with third-party service providers, such as cyber forensic investigators, can be privileged where they are made for the dominant purpose of helping the organization’s lawyers provide legal advice to the company. For example, external counsel will usually retain a forensic investigator to conduct certain analyses in connection with the data breach, and may ask the investigator to prepare a report about the data breach. This work, these communications, and any report generated at the request of legal counsel are subject to legal privilege. To protect any privilege that may apply, organizations should ensure that they follow the advice of their legal counsel about engagement of and communications with forensic investigators and other third parties.
  5. Control the distribution and disclosure of privileged advice and documents. A fundamental element of solicitor-client privilege is that the privileged information or document is intended to be confidential. Broad internal distribution of privileged advice or documents can militate against a finding of legal privilege.[14] Moreover, a privileged document or communication can lose that status through disclosure to third parties.[15] Accordingly, to help establish and maintain legal privilege, organizations, in consultation with their legal counsel, should establish a plan for how documents and information generated in connection with a data breach will be distributed and to whom. The plan may include elements such as appropriate labelling of privileged and confidential documents, limiting distribution of privileged information on a need-to-know basis, establishing a process for reviewing documents and information for legal privilege before they are disclosed outside the organization, and training employees on the nature and importance of legal privilege.
  6. Engage foreign counsel if the data breach has an impact outside Canada. If the data breach has an impact outside Canada, organizations should engage counsel in the relevant foreign jurisdiction(s) to advise them on the legal implications of the breach in their jurisdiction. This advice should include how to protect legal privilege in the jurisdiction, since the law on legal privilege differs by jurisdiction.


 


To learn more about developing a cybersecurity strategy and an incident response plan, download a copy of our Cybersecurity Risk Management: A Practical Guide for Businesses or visit the Cyber/Data homepage.

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

 

_____________________________

[1] Solosky v. The Queen, [1980] 1 S.C.R. 821 [Solosky], at 837.

[2] Solosky, at 834.

[3] Blank v. Canada (Minister of Justice), 2006 SCC 39 [Blank], at para. 37.

[4] Blank, at para. 60; Hamalainen v. Sippola (1991), 62 B.C.L.R. (2d) 254 (C.A.), at para. 18.

[5] Blank, at para. 27.

[6] Blank, at paras. 36-37.

[7] Blank, at para. 28.

[8] Blank, at paras. 49-50.

[9] S. & K. Processors Ltd. v. Campbell Ave. Herring Producers Ltd., 1983 CanLII 407 (B.C.S.C.) [S. & K.], at para. 5.

[10] S. & K., at para. 6.

[11] Telus Communications Inc. v. Canada (Attorney General), 2004 FCA 380, at para. 15.

[12] Pritchard v. Ontario (Human Rights Commission), 2004 SCC 31, at para. 20; Alofs v. Blake, Cassels & Graydon, 2016 ONSC 6907, at para. 12.

[13] See, e.g., In re Target Corp. Customer Data Security Breach Litigation, 2015 WL 6777384 (D. Minn. Oct. 23, 2015).

[14] See, e.g., In re Capital One Consumer Data Sec. Breach Litig., 2020 WL 2731238 (E.D. Va. May 26, 2020), aff’d 2020 WL 3470261 (E.D. Va. June 25, 2020).

[15] S. & K., at para. 6.

 
