Loss of Legal Privilege over Cyberattack Investigation Report

The 2018 Ontario Superior Court decision in Kaplan v. Casino Rama Services illustrates how an organization can lose the right to assert legal privilege over a cyber incident investigation report by disclosing information contained in the report, and demonstrates the importance of a legal privilege strategy.

Legal Privilege

Cyber incident response activities usually involve the creation of many kinds of communications and documents, including forensic investigation reports, that might be subject to legal disclosure obligations in connection with contractual audits, regulatory investigations or civil lawsuits, even if the organization’s personnel expected the communications and documents to remain confidential.

An organization might be able to protect some of those communications and documents against involuntary disclosure by asserting legal privilege. There are two kinds of legal privilege – legal advice privilege (which protects confidential communications between a client and their lawyer for the purpose of seeking or giving legal advice) and litigation privilege (which protects communications and documents created for use in connection with ongoing or reasonably anticipated litigation).

A client can waive, intentionally or inadvertently, the right to assert legal privilege.

The Casino Rama case

The Casino Rama case involved a proposed class action lawsuit against the owners and operators of the Casino Rama Resort relating to a cyberattack that resulted in the theft of personal and financial information of Casino Rama’s employees and customers.

In connection with the plaintiffs’ application for certification of the proposed class action lawsuit, Casino Rama filed an affidavit that provided details of the cyberattack based on the results of a forensic investigation conducted by Mandiant, an independent cybersecurity company engaged by Casino Rama and its legal counsel. The plaintiffs then applied to court for an order requiring Casino Rama to produce Mandiant’s reports. Casino Rama resisted the application on various grounds, including by asserting legal privilege over the reports.

The court did not decide whether the Mandiant reports were protected by legal privilege. Instead, the court held that even if the reports were protected by legal privilege, the privilege had been waived by Casino Rama when it filed an affidavit based on information provided by Mandiant. The court reasoned that “it would be unfair to the Plaintiffs to ask the court to accept the Defendants’ evidence on the size and scope of the prospective class, based on the Mandiant investigation, without producing those parts of the Mandiant Reports relating to that issue”. The court explained: “A party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue. Waiver of privilege would be required as a matter of fairness, but limited only to the issue disclosed”. The court also held that principles of relevance and proportionality limited the required disclosure of the reports to the parts relevant to the size and scope of the potential class.

Comment

The Casino Rama decision illustrates the importance of implementing a legal privilege strategy when responding to a cybersecurity incident. To the extent practicable, the strategy should enable the organization to establish and maintain legal privilege over sensitive forensic investigation reports regarding the cybersecurity incident while still complying with legal obligations to report the incident to regulators, give notice of the incident to affected individuals and organizations, and disclose information about the incident in legal proceedings. The strategy should be periodically reviewed and refreshed to be consistent with guidance provided by recent court decisions.


U.S. Financial Institution Regulators Issue Guidance About Cyber Insurance