In praise of cyber response transparency (and in defence of the “breach coach”)

Wired Magazine published an article last week about school cyber attacks in the United States that was wholly denigrating of the role of cyber incident response counsel – “breach coaches.” Wired’s theme was that schools are using their lawyers to deprive parents, students, and the public of information. Wired has inspired this post, though I will say little more about it than “Don’t believe everything you read.” Rather, I will be positive, and explain that transparency is at the center of good cyber incident response and that breach counsel enable transparency through clear, accurate, and timely communication.

We must communicate to manage

Let us start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. But without making light of it, I will say that there is lots of “drama” associated with most major cyber incidents today that renders incident response about more than containment and eradication.

Major incidents are visible, high-stakes affairs in which reputation and relationships are at stake. You will have many stakeholders descending on you from time zero, and every one of them wants one thing – information. You do not have a lot of that to give them, in the early days at least, but you have got to give them what you can.

In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what has happened and what you are doing about it. It means reporting to law enforcement. It means sharing threat information with peers. It means getting your message out.

This is crisis communication best practice. If smoke is billowing from your house and the public has questions, the public will make its own story about your fire if you say nothing, and any obfuscation risks blowback. You must, as best you can, get your message out.

Let’s get privilege straight

Lawyers love privilege, but we may not do a good enough job at helping the public understand why it is so important, and why it is not inimical to transparency.

There are two types of privilege.

Solicitor-client privilege is the strongest form of privilege. A confidential communication between lawyer and client that relates to the giving or receiving of legal advice (in the broadest sense) is privileged.

Litigation privilege works a little differently, and is quite important for giving a person who is in litigation or who contemplates litigation a “zone of privacy” in which to prepare, strategize and plan free from an adversary’s scrutiny.

Privilege is a powerful tool for organizations because it shields communications from everyone – an adversary in litigation, a freedom of information requester, a regulator.

This is for good reason: privilege allows for good legal advice on complicated, high-stakes problems. If litigation is pending or anticipated, it also allows for the adversaries to be adversaries, which contributes to the truth-seeking function of adjudication. Privilege is hallowed, and recognized by our courts as central to the rule of law.

Privilege, though, applies to communications, not to facts that have an independent existence. Is your head exploding yet? Let me explain this tricky idea.

Say an incident leads to the discovery of four facts – Fact A, Fact B, Fact C and Fact D. There is a question about whether those four facts prove data exfiltration of a particular set of data. Lawyer and client can communicate with each other to develop an understanding of that legal question. The lawyer can advise the client about what the evidence means, whether inferences can be drawn, and how the evidence is likely to be interpreted by a judge or a regulator. The lawyer may give an answer – “no exfiltration” – but also explain the strengths and weaknesses of taking that position. All the evaluation and advice – the communication – is privileged, but Fact A, Fact B, Fact C, and Fact D are not. In incident response, those facts are normally embodied in the forensic artifacts collected and preserved by the forensic investigator or collected in communications with the threat actor(s). Those artifacts and communications are producible in litigation and producible to a regulator, which allows others to examine them, engage in analysis (that may replicate the analysis that occurred under privilege), and draw their own conclusions. What an adversary or regulator cannot do is piggyback on solicitor-client communications to understand how the lawyer and client viewed all the nuance of the issue.

This is an important point to understand because it answers some unfounded concerns that privilege is a tool of obfuscation. It is not.

Privilege must be respected, though. There’s a now-famous case in Canada in which an organization attempted to claim that recorded dialog with a threat actor was privileged because the communication was conveyed to counsel by an expert retained by counsel. The Court rightly held this was overreach. The threat actor dialog itself is fact. The same goes for forensic timelines. They are not privileged simply because they are recorded in privileged reports. In litigation, this does help put some burden on an adversary to analyze the evidence themselves and develop their own timeline. But it’s unwise to tell a regulator, “I’m not giving you a timeline because the only place it’s recorded is in my privileged report.” Withhold the precise framing of the timeline in your report. Keep any conclusory elements, evaluations, and qualifications confidential, too. But give the regulator the facts. That’s all they want, and it should spare you a pointless privilege dispute.

From the zone of privilege to the public

I explain to our incident response clients that we work with them in a zone of privacy or privilege that is a safe communication zone. It is like a staging area for evidence, where we can sit with evidence, understand it, and determine what is and is not fact. The picture of an incident is formed slowly over time based on investigation. Things that seem the case are often not the case, and assumptions are to be relied upon cautiously.

It is our role, as counsel, to advise the client on what is safe to treat as fact. Once fact, it can be pushed out of the zone of privilege to the public in communications. It is at this point the communication will live on the public record and be used as evidence, so we carefully vet all such communication by asking four questions:

  • Is there any speculation? Are all facts accurately described? Are all facts clearly described?
  • Are there commitments/promises? Are they achievable?
  • Does the communication accurately convey the risk? If it raises alarm or encourages action, is that justified? Or will we cause stress for no good reason?
  • Does the communication reveal anything said under privilege (which can waive privilege)?

Our duty is to our client, and our filter is to protect our client, but it also benefits the public because it ensures that incident communications are clear and reliable. This is hard work, and the heavy scrutiny that always comes later can reveal weaknesses even in word choice. But by and large, organizations with qualified incident response counsel achieve transparency and engender stakeholder and public understanding and confidence.

Good notification takes time

Any organization whose network is compromised can contain the incident, and then an hour later announce, “If you have ever been employed with us or been a client of ours, your information may have been stolen.” This will almost always be a true statement, but it’s also a meaningless and vast over-notification. Good legal counsel lead their clients to investigate.

Investigation takes time. Determining what has been taken, if anything, is the first step. If you do that well, it can take about a week. But that is only the start. Imagine looking at a 453,000-file listing, delivered to you by a threat actor without any file path metadata. The question: who is affected? Your file share is encrypted, so you do not even have readable copies of the files yet.

Is it any wonder that organizations notify weeks and months after they are attacked? You cannot rightly blame the lawyers or their clients for this. It is hard work. If an organization elects to spend six figures and four months on e-discovery to conduct file-level analysis, it will be able to send a letter to each affected individual that sets out a tailored list of exposed data elements. Our regulator in Ontario has called this “the standard,” at the same time opening the door to more generalized notifications. We are moving now to population-based notifications, while still trying to be meaningful. Consider the following:

All individuals who received service x between date 1 and date 2 are affected. The contact information of all such individuals has been exposed (phone, e-mail and address as provided). About a third of the individuals in this population provided an emergency contact. The identity of this person and their phone number was also exposed.

I am explaining this because time to notify is the easiest thing on which to criticize an organization. Time to notification is visible, and far easier to understand than it is to explain to mass audiences with the kind of descriptions I have made here. Believe me, though, it is a very demanding challenge on which incident response counsel spend significant time and energy with their clients and data processing vendors, all with the aim of giving earlier and meaningful notifications.

Conclusion

Cyber incident response counsel are essential for effective and transparent incident management. They facilitate clear communication, crucial for stakeholder confidence and the fulfilment of obligations. Privilege, often misunderstood, enables open lawyer-client communication, improving decision-making. It’s not a tool to hide facts. Counsel guide clients through investigations and notifications, ensuring accuracy and avoiding speculation. Notification delays often stem from the complex process of determining breach scope and identifying affected individuals. Counsel help balance speed and quality of notification, serving their clients first, but also the public.

Alberta Court of Appeal Addresses Privilege in Post-Incident Reports

On April 26th, the Court of Appeal of Alberta affirmed a lower court decision that privilege in two post-incident investigation reports had been waived, also opining on the law governing whether the reports were subject to litigation privilege.

The case arises out of a 2015 pipeline failure. The operator initiated an investigation for multiple purposes, ultimately leading to the creation of several reports, including the two expert reports at issue. The operator relied on an affidavit sworn by its assistant general counsel in which she stated that she contemplated litigation soon after the incident and directed all investigations to be conducted on a privileged and confidential basis under the supervision of legal counsel.

The two reports were later produced by experts. The lower court judge did not review the reports, but held they were used to decide whether to repair or replace the pipeline and encompassed “too many other concerns” to have been prepared for the dominant purpose of litigation. The lower court judge also held the operator waived privilege in the reports by sharing them with the Alberta Energy Regulator and the Association of Professional Engineers and Geoscientists of Alberta and by mentioning the conclusion of the reports at a press conference.

The press conference statement is worth quoting:

Nexen has conducted comprehensive investigations into the pipeline failure in July 2015 and the January 2016 explosion at its Long Lake Oil Sands facility to determine the root cause for each incident. . . .

• Following the Long Lake pipeline rupture discovered on July 15, 2015, Nexen conducted a comprehensive, independent investigation using Nexen’s Event Recording and Analysis (ERA) Procedure to determine the root cause.

• Based on our investigation, the root cause of the rupture was a thermally-driven upheaval buckling of the pipeline and the subsequent cooldown during the turnaround. This was the result of using an incompatible pipeline design for the muskeg ground conditions. Steps that could have been taken to mitigate the potential for upheaval buckling were not addressed.

The Court of Appeal held that this revelation did not waive privilege as found by the lower court judge. The core of its reasoning is that the statement did not clearly reveal the content of the privileged reports: “It is difficult to see how privilege could be lost over a document that is not even mentioned.”

Privilege was nonetheless waived, the Court said, by the voluntary disclosure of the reports to the Regulator and the APEGA. Although the operator disclosed the reports to the Regulator with various stipulations, none precluded the Regulator from using the reports in a prosecution or from disclosing the reports to others as required by law. Likewise, disclosure to the APEGA for its use was incompatible with maintaining a privilege claim.

On the privilege claim itself, the Court applied its decision in Suncorp, which dictates that litigation privilege must be assessed on a document-by-document basis. It then stressed that the dominant purpose test applies to the creation of a document, not the investigation that preceded the document’s creation or the use of the document after it was created. It questioned the lower court judge’s finding because the judge made it without reviewing the reports and because the judge placed too much emphasis on the reports’ use rather than the purpose for their creation.

The creation and maintenance of a litigation privilege claim is very technical, and this decision is illustrative in many ways. The finding that the above-quoted press conference statement did not waive privilege is most notable. The statement does have a degree of vagueness about it, but also hints at the content of privileged documents in a way that begs a question about what they say. Ultimately, the Court’s finding suggests that drafters of such statements have some latitude to garner trust from expert investigations so long as they don’t refer to the content of privileged reports. This is helpful, though to be relied upon with caution.

CNOOC Petroleum North America ULC v ITP SA, 2024 ABCA 139 (CanLII).

Federal Court dismisses awkward solicitor-client privilege claim

Earlier this year, the Federal Court dismissed a claim that a column in a spreadsheet was subject to solicitor-client privilege because disclosure would reveal legal advice obtained prior to its development.

Solicitor-client privilege (literally) protects advisory communications between a solicitor and its client, and it can protect such communications if they find their way into other documents. For example, if two employees of a lawyer’s client discuss the (corporate) lawyer’s advice confidentially via e-mail, their description of the advice may be redacted in response to a production requirement because its disclosure would reveal the solicitor-client communication.

In this case, a corporate taxpayer argued that a column in a spreadsheet was protected by solicitor-client privilege based on the same rationale. It relied on an affidavit that explained that it received legal advice prior to the development of the column and that disclosure of the column would reveal it “by what is being computed, how the computation is done,” and “by associated text in the redacted column.” The Court exercised its discretion to review the prior legal advice and held that the column was simply the “operational outcome or end product of legal advice” and not protected.

This is a fact-specific, though illustrative, outcome. Even the fact of obtaining legal advice on a particular matter is sensitive and ought normally to be kept secret because, once disclosed, inferences can be drawn about advice taken based on the “operational outcome” or “end product” of the advice. Of course, a lawyer’s legal advice can either be accepted or rejected, or followed precisely or loosely, but clients are often drawn to back the legitimacy of their actions by reference to their careful adherence to legal advice. That’s plainly a risk.

In this case, it is unclear whether something precipitated the (more basic) disclosure of an advisory relationship, but one can see how arguing the resulting inference can be very awkward and risky. The only way to do it is to “double down” and disclose more about the advisory relationship and the resulting inference. Even if this does not invite waiver of privilege in the underlying advice (which the Court did not find here), it seems to be one step down a slippery slope to that outcome.

Canada (National Revenue) v. BMO Nesbitt Burns Inc., 2022 FC 157.

ABCA decision on defending allegations about privileged communication

On April 12th, the Court of Appeal of Alberta held that a defendant waived solicitor-client privilege by affirmatively pleading that its counsel had no instructions to agree to a time extension for filing a prospectus.

The defendant faced a lawsuit that alleged its counsel gave a time extension and had the actual authority to do so. The majority judges explained that a party faced with such an allegation about a privileged communication can make a bald denial and safely rest on its privilege. The defendant went further, thereby putting its privileged communications in issue.

PetroFrontier Corp v Macquarie Capital Markets Canada Ltd, 2022 ABCA 136 (CanLII).

The perils of e-mail attachments and privilege claims

The Court of Appeal for Saskatchewan issued a freedom of information judgement last week that illustrates a good practice point for FOI practitioners: claim privilege over privileged e-mails and their attachments together.

“Record 1” was an e-mail sent to Ministry legal counsel for the purposes of obtaining legal advice about its attachments. Though part of the privileged communication, the Ministry indexed the attachments as “Record 2” and “Record 3.” It claimed that the attachments were privileged, and also exempt pursuant to the Saskatchewan exemption for “information obtained in confidence from other governments.”

By making its exemption claims in this way, the Ministry revealed that it sought legal advice on communications (and information) it received from other governments. Is it any surprise, then, that the Court affirmed a finding that the attachments were not protected by solicitor-client privilege?

While the Court’s finding is understandable, I don’t agree that it is correct. The attachments to (privileged) Record 1 are clearly part of a privileged communication. As part of that communication (and not necessarily on their own), the attachments are privileged. The Ministry ought to have better protected its privilege by indexing Record 1 in its entirety and, if Records 2 and 3 were responsive on their own, indexing each separately.

Saskatchewan (Ministry of Health) v West, 2022 SKCA 18 (CanLII).

Federal Court of Appeal – litigation database privileged, no production based on balancing

On October 20th, the Federal Court of Appeal set aside an order that required the federal Crown to disclose the field names it had used in its litigation database along with the rules used to populate the fields. It held the order infringed the Crown’s litigation privilege.

The case management judge made the order in a residential schools abuse class action. The Crown had produced approximately 50,000 documents, with many more to come. The plaintiffs sought the fields and rules (and not the data in the fields) to facilitate their review. The case management judge, though acknowledging litigation privilege, judged the fields and rules as less revealing than the data in the fields and ordered production in the name of efficient procedure.

The Court of Appeal held that the case management judge erred because they “subordinated the Crown’s substantive right to litigation privilege to procedural rules and practice principles.” It also held, “a party attempting to defeat litigation privilege must identify an exception to litigation privilege and not simply urge the Court to engage in a balancing exercise on a case-by-case basis.”

Canada v. Tk’emlúps te Secwépemc First Nation, 2020 FCA 179 (CanLII).

Court says privilege in letters left online waived

On May 5th the Court of Appeal for Newfoundland and Labrador affirmed a finding that a party had waived its solicitor-client privilege in two letters that had been published online.

The letters contained legal opinions to a defendant to an outstanding civil action. They were authored about five and nine years before the action was commenced, but apparently are “highly relevant” to the action. The plaintiffs downloaded the letters from the internet and produced them back to the defendant, which provoked the defendant’s privilege claim.

The defendant had learned the documents were circulating about six months prior to receiving the plaintiffs’ production when contacted by a CBC reporter and one of the plaintiffs (who also posted the letters on her Facebook). It decided not to attempt to take down the letters from the internet because of the expense and, in the Court’s words, because “the genie was out of the bottle and control over the documents would be virtually impossible to maintain.” Strangely, the defendant did not advise its defence counsel of the problem, so defence counsel only asserted privilege after receiving production (again, about six months later).

In these circumstances, the Court of Appeal held that privilege had been waived. Its key findings were as follows:

    • The defendant itself was aware of the publication of the letters well before the plaintiffs produced the letters in the litigation, but did not assert privilege against the plaintiffs. That defence counsel did not know that the letters were circulating until the plaintiffs produced them was irrelevant. Privilege belongs to the client, not its counsel.
    • Plaintiff counsel’s act of downloading of the letters from the internet for use in the litigation ought not be presumed to be improper. Although the Court confirmed that opposing counsel are obliged not to take advantage of an inadvertent disclosure of privileged communications, in this case the letters were somewhat old and it appears that the existence of an inadvertent disclosure was simply not reasonably apparent.
    • It was not wrong for the application judge to consider the lack of evidence about safeguarding efforts in deciding the waiver issue against the defendant: “A privilege-holder ought to be able to provide some evidence of how the privileged documents were safe-guarded to protect the privilege for it is within its power to do so.”

This is a careful judgement that’s directed at the facts. In my reading of it, the Court leaves some (though perhaps limited) room to assert privilege against an opposing party in litigation even though documents make their way inadvertently to the internet and are left there because “the genie is out of the bottle.”

Federation of Newfoundland Indians Inc. v Benoit, 2020 NLCA 16 (CanLII).

NSCA denies privilege claim for statement made in collective agreement bargaining

On March 10th, the Nova Scotia Court of Appeal held that a government statement made to the province’s teachers union in the course of collective agreement bargaining was not subject to settlement or case-by-case privilege.

The union has brought an application that alleges breach of the duty to bargain in good faith and a Charter infringement. The statement it wishes to use in this application is hardly a secret. The Deputy Minister of Finance and the Treasury Board apparently told the Union’s lead negotiator that, if the teachers did not accept an offer, the Government would introduce legislation to impose lower compensation. The negotiator then conveyed the statement to the union’s 9,300 person membership by way of letter in advance of a ratification vote.

In this context the Court held that a privilege claim could not be rightly made. In addressing the settlement privilege claim, the Court also held that the inevitability of litigation could not be presumed.

Nova Scotia (Attorney General) v Nova Scotia Teachers Union, 2020 NSCA 17 (CanLII).

Legal Privilege and Data Security Incident Response – Law and Practice

I’m off to a cyber conference in Montreal this week to sit on a panel about threat exchanges. My role will be to address the legal risks associated with sharing threat information and a university’s ability to effectively assert a confidentiality interest in the same information. I’m genuinely interested in the topic and have prepared not just one, but two papers!

Here is the first one – a nuts and bolts presentation on privilege and data security incident response. I hope it is useful to you. Feedback welcome through PMs.

Sask CA says Commissioner’s request for privileged communications unnecessary

On May 16th the Court of Appeal for Saskatchewan held that the Office of the Information and Privacy Commissioner, Saskatchewan should not have required the University of Saskatchewan to produce communications that it claimed were subject to solicitor-client privilege.

The Commissioner began by inviting the University to provide evidence that supported its privilege claim. The University filed an affidavit from a non-lawyer stating that legal counsel had advised that “some” of the withheld documents are subject to solicitor-client privilege. It did not file an index of records.

This led the Commissioner to immediately request the records. Although the Commissioner had asked the University for an index of records, it did not ask again – an omission that the Court held to breach the principle that demands an adjudicator only review solicitor-client communications when absolutely necessary to assess a privilege claim.

This fact-specific decision illustrates how strictly the absolute necessity principle will be enforced. The Court also spoke about what privilege claimants ought to be required to present in support of their claims. In doing so, it suggested that an index that identifies records will ordinarily provide an adequate basis for assessing a privilege claim in the absence of any evidence suggesting a claim is “ill founded”.

University of Saskatchewan v Saskatchewan (Information and Privacy Commissioner), 2018 SKCA 34.