Establishing and maintaining legal privilege is a crucial part of cybersecurity incident response and risk management. Whenever an organization experiences a cybersecurity incident, its leaders need to protect the organization against legal and regulatory proceedings. They may be required to disclose information about both the attack and their response efforts. The question becomes, where does privilege fit into these disclosures?
The importance of identifying and protecting privileged information among such document sets is reflected in both industry practice and official guidelines. For instance, the Office of the Superintendent of Financial Institutions (OSFI) issued a guideline earlier this year for federally regulated financial institutions (FRFIs) regarding managing technology and cyber risks, wherein they recommended FRFIs take steps to establish legal privilege over communications and documents relating to cybersecurity compliance and incident response.
Last year, Torys outlined the way in which courts in the United States and Canada are testing the strength and breadth of claims of privilege in the context of cybersecurity incident response. There have since been new developments in the area, particularly with respect to legal privilege and law enforcement, that businesses should be aware of when developing and managing their cybersecurity incident response procedures.
Cooperation with law enforcement does not waive privilege
A recent Québec Court of Appeal decision confirmed that it is possible for organizations to disclose privileged documents in efforts to cooperate with law enforcement investigations without necessarily waiving privilege against all other parties [1]. In this case, the document in question was a forensic accounting report produced by an accounting firm at the request of McGill University Health Centre. That report was protected by solicitor-client privilege because it was prepared at the request of legal counsel for the purposes of legal consultation. The report was always treated as privileged internally, with a clear intention towards preserving its confidentiality. However, McGill disclosed the report to an anti-corruption law enforcement authority in cooperation with a criminal investigation. Given this factual context, the Court held that there was no intention to waive privilege with respect to other third parties in disclosing the document to law enforcement authorities.
This follows older jurisprudence in other provinces, including Ontario, that allows for the disclosure of documents to limited parties for necessary functions without said disclosure constituting a waiver of privilege. For instance, the Ontario Superior Court of Justice has found that solicitor-client privilege was not waived when otherwise privileged documents were provided to external auditors of the Ontario Securities Commission in cooperation with an investigation. The provision of these documents did not waive privilege for all purposes, but only to the extent necessary to enable the audit to be completed [2].
The state of U.S. law
The Capital One case referenced in our related article last year remains the most recent significant development in the area of cybersecurity and legal privilege in the United States, and it has been affirmed in subsequent case law [3].
In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed into federal law in the United States, which requires select entities operating in critical infrastructure sectors to report cybersecurity incidents. Though it does not apply to all organizations, it is relevant to note that CIRCIA explicitly provides that reporting cyber incidents through CIRCIA does not constitute a waiver of attorney-client privilege or other legal protection.
As outlined above, maintaining legal privilege over legal advice, anticipated litigation and other confidential documents is critical when dealing with the fallout of a cybersecurity incident. At the same time, law enforcement agencies across Canada and the United States consistently urge organizations to report cyber attacks and cooperate with their investigations in the broader effort to curtail this criminal activity. The state of the law in both countries provides some assurance to organizations who seek to both assist law enforcement in fighting cyber criminals and protect their privileged information from broad disclosure.
These cases, however, highlight the importance of treating documents consistently from the early stages of a cybersecurity incident. Organizations should ensure that privileged documents are labelled as such, and that they keep records of the basis of the privilege, how their confidentiality was protected, how their distribution was controlled, and what the justification is for any limited disclosures of the information for law enforcement, audit or other legal purposes. Insufficient records to support the intention to strictly limit any partial waivers of privilege may prevent a business from protecting such information from further disclosure in regulatory and litigation proceedings.
1. Centre universitaire de santé McGill c. Lemay, 2022 QCCA 1394.