In praise of cyber response transparency (and in defence of the “breach coach”)

Wired Magazine published an article last week about school cyber attacks in the United States that was wholly denigrating of the role of cyber incident response counsel – “breach coaches.” Wired’s theme was that schools are using their lawyers to deprive parents, students, and the public of information. Wired has inspired this post, though I will say little more about it than “Don’t believe everything you read.” Rather, I will be positive, and explain that transparency is at the center of good cyber incident response and that breach counsel enable transparency through clear, accurate, and timely communication.

We must communicate to manage

Let us start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. But without making light of it, I will say that there is lots of “drama” associated with most major cyber incidents today that renders incident response about more than containment and eradication.

Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You will have many stakeholders descending on you from time zero, and every one of them wants one thing – information. You do not have a lot of that to give them, in the early days at least, but you have got to give them what you can.

In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what has happened and what you are doing about it. It means reporting to law enforcement. It means sharing threat information with peers. It means getting your message out.

This is crises communication best practice. If smoke is billowing from your house and the public has questions, the public will make its own story about your fire if you say nothing, and any obfuscation risks blowback. You must, as best you can, get your message out.

Let’s get privilege straight

Lawyers love privilege, but we may not do a good enough job at helping the public understand why it is so important, and why it is not inimical to transparency.

There are two types of privilege.

Solicitor-client privilege is the strongest form of privilege. A confidential communication between lawyer and client that relates to the giving or receiving of legal advice (in the broadest sense) is privileged.

Litigation privilege works a little differently, and is quite important for giving a person who is in litigation or who contemplates litigation a “zone of privacy” in which to prepare, strategize and plan free from an adversary’s scrutiny.

Privilege is a powerful tool for organizations because it shields communications from everyone – an adversary in litigation, a freedom of information requester, a regulator.

This is for good reason: privilege allows for good legal advice on complicated, high stakes problems. If litigation is pending or anticipated, it also allows for the adversaries to be adversaries, which contributes to the truth seeking function of adjudication. Privileged is hallowed, and recognized by our courts as central to rule of law.

Privilege, though, applies to communications, not to facts that have an independent existence. Is your head exploding yet? Let me explain this tricky idea.

Say an incident leads to the discovery of four facts – Fact A, Fact B, Fact C and Fact D. There is a question about whether those four facts prove data exfiltration of a particular set of data. Lawyer and client can communicate with each other to develop an understanding of that legal question. The lawyer can advise the client about what the evidence means, whether inferences can be drawn, and how the evidence is likely to be interpreted by a judge or a regulator. The lawyer may give an answer – “no exfiltration” – but also explain the strengths and weaknesses of taking that position. All the evaluation and advice – the communication – is privileged, but Fact A, Fact B, Fact C, and Fact D are not. In incident response, those facts are normally embodied in the forensic artifacts collected and preserved by the forensic investigator or collected in communications with the threat actor(s). Those artefacts and communications are producible in litigation and producible to a regulator, which allows others to examine them, engage in analysis (that may replicate the analysis that occurred under privilege), and draw their own conclusions. What an adversary or regulator cannot do is piggyback on solicitor-client communications to understand how the lawyer and client viewed all the nuance of the issue.

This is an important point to understand because it answers some unfounded concerns that privilege is a tool of obfuscation. It is not.

Privilege must be respected, though. There’s a now famous case in Canada in which an organization attempted to claim that recorded dialog with a threat actor was privileged because the communication was conveyed to counsel by an expert retained by counsel. The Court rightly held this was over reach. The threat actor dialog itself is fact. The same goes for forensic timelines. They are privileged because they are recorded in privileged reports. In litigation, this does help put some burden on an adversary to analyze the evidence themselves and develop their own timeline. But it’s unwise to tell a regulator, “I’m not giving you a timeline because the only place its recorded is in my privileged report.” Withhold the precise framing of the timeline in your report. Keep any conclusory elements, evaluations, and qualifications confidential, too. But give the regulator the facts. That’s all they want, and it should spare you a pointless privilege dispute.

From the zone of privilege to the public

I explain to our incident response clients that we work with them in a zone of privacy or privilege that is a safe communication zone. It is like a staging area for evidence, where we can sit with evidence, understand it, and determine what is and is not fact. The picture of an incident is formed slowly over time based on investigation. Things that seem the case are often not the case, and assumptions are to be relied upon cautiously.

It is our role, as counsel, to advise the client on what is safe to treat as fact. Once fact, it can be pushed out of the zone of privilege to the public in communications. It is at this point the communication will live on the public record and be used as evidence, so we carefully vet all such communication by asking four questions:

Is there any speculation? Are all facts accurately described? Are all facts clearly described?
Are there commitments/promises? Are they achievable?
Does the communication accurately convey the risk? If it raises alarm or encourages action, is that justified? Or will we cause stress for no good reason?
Does the communication reveal anything said under privilege (which can waive privilege)?

Our duty is to our client, and our filter is to protect our client, but it also benefits the public because it ensures that incident communications are clear and reliable. This is hard work, and the heavy scrutiny that always comes later can reveal weaknesses in word choice, even. But by and whole, organizations with qualified incident response counsel achieve transparency and engender stakeholder and public understanding and confidence.

Good notification takes time

Any organization whose network is compromised can contain the incident, and then an hour later announce, “If you have ever been employed with us or been a client of our your information may have been stolen.” This will almost always be a true statement, but it’s also a meaningless and vast over notification. Good legal counsel lead their clients to investigate.

Investigation takes time. Determining what has been taken, if anything, is the first step. If you do that well, it can take about a week. But that is only the start. Imagine looking at a 453,000 file listing, delivered to you by a threat actor without any file path metadata. The question: who is affected? Your file share is encrypted, so you do not even have readable copies of the files yet.

Is it any wonder that organizations notify weeks and months after they are attacked? You cannot rightly blame the lawyers or their clients for this. It is hard work. If an organization elects to spend six figures and four months on e-discovery to conduct file level analysis, it will be able to send a letter to each affected individual that sets out a tailored list of exposed data elements. Our regulator in Ontario has called this “the standard,” at the same time opening the door to more generalized notifications. We are moving now to population based notifications, while still trying to be meaningful. Consider the following:

All individuals who received service x between date 1 and date 2 are affected. The contact information of all such individuals has been exposed (phone, e-mail and address as provided). About a third of the individuals in this population provided an emergency contact. The identity of this person and their phone number was also exposed.

I am explaining this because time to notify is the easiest thing on which to criticize an organization. Time to notification visible, and far easier to understand than it is to explain to mas audiences with the kind of descriptions I have made here. Believe me, though, it is a very demanding challenge on which incident response counsel spend significant time and energy with their clients and data processing vendors, all with the aim of giving earlier and meaningful notifications.

Conclusion

Cyber incident response counsel are essential for effective and transparent incident management. They facilitate clear communication, crucial for stakeholder confidence and the fulfilment of obligations. Privilege, often misunderstood, enables open lawyer-client communication, improving decision-making. It’s not a tool to hide facts. Counsel guide clients through investigations and notifications, ensuring accuracy and avoiding speculation. Notification delays often stem from the complex process of determining breach scope and identifying affected individuals. Counsel help balance speed and quality of notification, serving their clients first, but also the public.

Alberta Court of Appeal Addresses Privilege in Post-Incident Reports

On April 26th, the Court of Appeal of Alberta affirmed a lower court decision that privilege in two post-incident investigation reports had been waived, also opining on the law governing whether the reports were subject to litigation privilege.

The case arises out of 2015 pipeline failure. The operator initiated an investigation for multiple purposes, ultimately leading to the creation of several reports, including the two expert reports at issue. The operator relied on an affidavit sworn by its assistant general counsel in which she stated that she contemplated litigation soon after the incident and directed all investigations to be conducted on a privileged and confidential basis under the supervision of legal counsel.

The two reports were later produced by experts. The lower court judge did not review the reports, but held they were used to decide whether to repair or replace the pipeline and encompassed “too many other concerns” to have been prepared for the dominant purpose of litigation. The lower court judge also held the operator waived privilege in the reports by sharing them with the Alberta Energy Regulator and the Association of Professional Engineers and Geoscientists of Alberta and by mentioning the conclusion of the reports at a press conference.

The press conference statement is worth quoting:

Nexen has conducted comprehensive investigations into the pipeline failure in July 2015 and the January 2016 explosion at its Long Lake Oil Sands facility to determine the root cause for each incident. . . .

• Following the Long Lake pipeline rupture discovered on July 15, 2015, Nexen conducted a comprehensive, independent investigation using Nexen’s Event Recording and Analysis (ERA) Procedure to determine the root cause.

• Based on our investigation, the root cause of the rupture was a thermally-driven upheaval buckling of the pipeline and the subsequent cooldown during the turnaround. This was the result of using an incompatible pipeline design for the muskeg ground conditions. Steps that could have been taken to mitigate the potential for upheaval buckling were not addressed.

The Court of Appeal held that this revelation did not waive privilege as found by the lower court judge. The core of its reasoning is that the statement did not clearly reveal the content of the privileged reports: “It is difficult to see how privilege could be lost over a document that is no even mentioned.”

Privilege was nonetheless waived, the Court said, by the voluntary disclosure of the reports to the Regulator and the APEGA. Although the operator disclosed the reports to the Regulator with various stipulations, none precluded the Regulator from using the reports in a prosecution or from disclosing the reports to others as required by law. Likewise, disclosure to the APEGA for its use was incompatible with maintaining a privilege claim.

On the privilege claim itself, the Court applied its decision in Suncorp, which dictates that litigation privilege must be assessed on a document-by-document basis. It then stressed that the dominant purpose test applies to the creation of a document, not the investigation that preceeded the document’s creation or the use of the document after it was created. It questioned the lower court judge’s finding because the judge made it without reviewing the reports and because the judge placed too much emphasis on the reports’ use use rather than the purpose for their creation.

The creation and maintenance of a litigation privilege claim is very technical, and this decision is illustrative in many ways. The finding that the above-quoted press conference statement did not waive privilege is most notable. The statement does have a degree of vagueness about it, but also hints at the content of privileged documents in a way that begs a question about what they say. Ultimately, the Court’s finding suggests that drafters of such statements have some latitude to garner trust from expert investigations so long as they don’t refer to the content of privilege reports. This is helpful, though to be relied upon with caution.

CNOOC Petroleum North America ULC v ITP SA, 2024 ABCA 139 (CanLII).

Apply The Emergency Mind to cyber incident response

My BLG teammates and I take the privilege of guiding clients through the perils of cyber incidents seriously. To honour the privilege, we think deeply about various aspects of our performance, including how we can perform better under pressure. Dr. Dan Dworkis’s book, The Emergency Mind: Wiring Your Brain for Performance Under Pressure is now required reading.

Dr. Dworkis is a professor of medicine and an emergency physician. His book, published in 2021, is part of a project that includes a website, podcast and other supports for individuals and teams striving to perform better under pressure. Dr. Dworkis calls The Emergency Mind a “mental toolkit.” It’s comprised of 25 prescriptions for how to think and act in high pressure situations.

When I picked up The Emergency Mind and started in, I was immediately excited. For me, there’s no greater measure of a text than its relevance, and The Emergency Mind was packed with relevant ideas. I connected with them as a lawyer and an athlete, but drew most insight in respect of my role as a cyber incident coach and team lead. I took some notes while reading, and have turned them into the table below. The left hand column summarizes some key ideas from The Emergency Mind. The Right hand column are my notes (now edited) on their application to cyber incident response.

Practice the discipline of “suboptimal”
Idea: Bad outcomes and mistakes will happen. Identify (label) and accept the mistake, rapidly pivot to face the new reality, and learn from the event. Quote: “Personally, when I perform the labeling part of a response, I begin by saying, ‘Well, this is suboptimal.’ Labelling something as ‘suboptimal’ acknowledges the challenging nature of what is happening without pulling me or my team off-line the way that calling it ‘horrible’ or ‘hopeless’ might.”	Labelling thoughts and emotions is a well-known and effective mindfulness technique. To use it in incident response, one must first acknowledge that incident response can provoke emotion. This is true, especially when things go wrong. Evidence is sometimes deleted, information is leaked or conveyed to third parties prematurely, threat actors do not do what is predicted, and so on. When faced with these problems, the team must resist the urge to dwell on the matter of fault and continue to look forward. Learning comes later in the incident response process, at least after the acute phase has passed. I also appreciate Dr. Dworkis’s use of the term “suboptimal” because it mirrors the typical objective we set in guiding clients through an incident – to “optimize” the course of action in light of business, reputational and legal risks. Use of the terms “optimal” and “suboptimal” highlights the fluid nature of incident response. There are always multiple paths to the end.
Combine action and analysis
Idea: Have and foster an ability to apply the right mode of thinking and action – be it fast or slow. Quote: “When you are not forced to act, jumping into a response without further analysis of the emergency is sometimes a bit like throwing darts without looking at the dartboard. You might hit the board, but because you don’t understand where you are aiming, you’re much more likely to miss the target entirely and waste your darts.”	This is reminiscent of an idea I have shared with associates about practicing law fast and slow, adapted from Daniel Khaneman’s text Thinking Fast and Slow. We need to know when a legal problem deserves a quick handling – enabled by assumptions and qualifications – and when we must buy time for more robust analysis. In incident response, we are primarily in fast thinking, “action mode.” There are moments on calls when you need to pause, draw deep on experience and instinct, and declare how best to proceed. The qualification is implicit, though sometimes we explain that we are making a decision based on “gut.” At the same time, slowing the pace of decision making down is a major responsibility of a cyber incident coach. Dr. Dworkis’s dart board metaphor can illustrate the tendency of many inexperienced incident response teams to rush at the outset of a cyber incident. I’m not counselling inaction, but most teams will benefit from a pause and emotions check at the outset. There is more time available than you feel.
Favour praxis over theory
Idea: Identify solutions that can actually be applied in the moment whether or not they represent theoretical best practice. Favour praxis – the application of knowledge to real life. Quote: “One of the best ways you can start to consider the details of praxis and theory in your field is to explore deeply the actual mechanisms that must function correctly for you to deliver your skill. Get curious about how the sausage is made, so to speak. Lean into learning both deeply in your chosen skills, and laterally into the adjacent skills that help you and your team succeed.”	This is a good one for me, particularly as it pertains to the challenge of analyzing large, stolen data sets. Doing a proper analysis based on e-discovery is plainly the ideal, but e-discovery is expensive and time consuming, and time-to-notify is a very visible fact. Burning weeks and months on e-discovery can spoil an excellent early-stage response, leaving an organization who has spent the time and money to “do the job right” the subject of overwhelmingly negative judgement and outcry. So, before engaging in e-discovery, we build the best possible informal view of the data set, we build towards reasonable assumptions, and we see if classes of individuals can be notified without e-discovery. We help clients weigh the risk of “over notification” against the risk of delay. These solutions are neither precise nor pretty, but can be defensible.
Decide not to decide
Idea: Do not waste your decision-making resources. Devote them to the most important and difficult decisions. Quote: “During an emergency, the most critical decisions are those that irreversibly (or at least strongly) commit your team to a particular mental model or course of action.”	No cyber incident coach is happy to be brought into a matter and paired with an incident response forensics vendor who has already been retained. That single decision bears more on the outcome of an incident than any other in my view. This is because we must trust the chosen vendor, especially regarding the scope and depth of the investigation. There is a limited ability to consider and discuss the scope of forensic evidence collection, and deference to a vendor’s standard practice is the norm. These practices vary, and over and under scoping an investigation can have highly negative consequences.
Practice Wabi-sabi
Idea: Employ the Japanese concept of wabi-sabi, which emphasizes the values of simplicity, imperfection, and transience. Quote: “… if you deny that situations change, you create a potentially dangerous schism in your universe and the reality around you. As this gap increases, the solutions and plans you had generated before reality changed will be rapidly ineffective.”	My strong preference is to contact a threat actor early because it is a fast way to gather reliable information and because it is a means of enhancing control and keeping the primary adversary in view. Threat actors – perhaps frustrated by repeated engagement with organizations who are more interested in investigation than payment – have adopted countermeasures, becoming very stingy with their information. We also recently provided counsel on an incident in which our client had reliable intelligence that a threat actor would be slow to publish in the absence of contact, which meant it could delay a reach out while remaining in control. This perfectly illustrates Dr. Dworkis’s point. The Wabi-sabi way demands detachment from a tactic we have so often helped clients deploy to a successful end.
See the forest and the leaf
Idea: Default to an attention span that is zoomed in, but don’t lose sight of the whole field. Quote: “… emergency medical providers often find themselves handling multiple sick patients simultaneously. In these circumstances, it might not be possible, or desirable, to completely restrict your focus to a single patient. Here, communication and delegation are key, and cognitively offloading some of your thinking to skilled team members helps you deploy your focus where you need it most.”	At any given time, we will be working with ten to twenty clients who are responding to incidents – our patients. As a team lead, my attention is drawn most to those clients with incidents in the acute phase, which lasts from one to three weeks. Beyond that, incidents move into a slower phase that involves e-discovery, notification and reporting. We delegate much of the work in that phase to an excellent team of associates. These associates have a greater degree of technical knowledge about the latter phase of incident response than the partners who act as leads. Given the money spent on e-discovery and notification, the latter phase of incident response is not low risk, but it does move slower, and tasks can be delegated effectively with good communication. Good communication requires a lead to “run the board” regularly – re-building a view of all cases – and making course corrections before small latter phase problems grow.
Harness the wisdom of the room
Idea: To the extent possible, rely on information and knowledge from every individual on the team. Quote: “As a leader, you will frequently feel tension between your need to process multiple points of view and to move forward rapidly with a plan. At some points during a crisis, your emphasis should be on action and execution of your plan. At others, the emphasis might be on unifying your team’s vision through open discussion.”	Dr. Dworkis recommends asking the team, “What are we missing? What have we not tried yet?” I’ve done more of this questioning at his urging, and like how it affects the team dynamic. It’s an acknowledgement that incident response is complex, that there are few clear answers and that the perspective of the team matters. It’s an invitation to humility, and a humble crises leader is a good crises leader.

Preparation and performance under pressure go hand in hand, and we all know that preparation for cyber incidents is a critical best practice. My urging to cyber responders (lawyers and non-lawyers alike) is to expand your scope of preparation to encompass performance under pressure. This will help you develop fundamental skills and behaviors to that will have an impact on your and your teams’ performance. Reading The Emergency Mind would be a great start.

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

Manitoba Ombudsman blesses response to e-mail incident

Manitoba Ombudsman Jill Perron has issued her report into Manitoba Families’ 2020 e-mail incident. The incident involved the inadvertent e-mailing of personal health information belonging to 8,900 children in receipt of disability services to approximately 100 external agencies and community advocates. It is such a common incident that it is worth outlining the Ombudsman’s incident response findings.

Manitoba Families meant to transfer the information to the Manitoba Advocate for Children and Youth to support a program review. It included information about services received. Some records included diagnoses.

Manitoba Families mistakenly blind copied the external agencies and advocates on an e-mail that included the information in an encrypted file and a follow-up e-mail that included the password to the file. It had made the same mistake about a week earlier. Several agencies alerted Manitoba Families to its error, and it began containment within a half hour.

The Ombudsman held that Manitoba Families’ containment effort was reasonable. She described it as follows.

Attempts at recalling the email began minutes later at 8:29 a.m. and continued at various intervals. Also, at 8:35 a.m., CDS sent an email to all unintended recipients noting in bold that they were incorrectly included on a confidential email from Children’s disAbility Services and requested immediate deletion of the email and any attachments. Follow up calls to the unintended recipients by CDS program staff began to occur that morning to request deletion of the emails and a list was created to track these calls and the outcomes. A communication outline was created for these calls which included a request to delete emails, a further request that emails be deleted from the deleted folder and that any emails that went to a junk email folder also be deleted…

In January 2021, we received additional written communication from the program stating that all agency service providers and advocates were contacted and verified deletion of the personal health information received in error. The log form created to track and monitor the name of the organization, the date and details of the contact was provided to our office.

The Ombudsman reached a similar finding regarding Manitoba Families’ notification effort, though she needed to recommend that Manitoba Families identify the agencies and advocates to affected individuals, which Manitoba Families agreed to do upon request.

What’s most significant – especially given class action proceedings have been commenced – is a point the Ombudsman made about evidence that Manitoba Families appears not to have gathered.

In addition to assuring families about the deletion of the email, additional information such as who viewed the email, if the attachment was opened and read, whether it was forwarded to anyone else or printed, whether it was stored in any other network drive or paper file or, conversely, that no records exist – can be helpful information to provide those affected by a privacy breach. It is best practice, therefore, to provide families with as much assurance as possible about the security of their child’s health information.

The question is, what is one to make of an arguable shortcoming in an incident response investigation? I say “arguable” because the probability of any of these actions occurring is very low in the unique circumstances of this incident, which involved trusted individuals receiving a password-protected and encrypted file. Manitoba Families ought to have collected this evidence because they called the e-mail recipients anyway, it is helpful and was probably available for collection. If it did not do so, however, I believe it is perfectly acceptable to for Manitoba Families to stand by the scope of a narrower investigation and and put the plaintiff to proof.

PHIA Case 2020-1304

Alberta OIPC finds Blackbaud incident gives rise to RROSH

Hat tip to my good colleague Francois Joli-Coeur, who let our group know yesterday that the OIPC Alberta has issued a number of breach notification decisions about the Blackbaud incident, finding in each one that it gave rise to a “real risk of significant harm” that warrants notification and reporting under Alberta PIPA.

Blackbaud is a cloud service provider to organizations engaged in fundraising who suffered a ransomware incident last spring in which hackers exfiltrated the personal information of donors and educational institution alumni. The true scope of the incident is unknown, but likely large, affecting millions of individuals across the globe.

Blackbaud issued notably strong communications that de-emphasized the risk of harm. It rested primarily on the payment of a ransom, assurances by the threat actors that they would delete all data in exchange for payment and its ongoing dark web searches. Most affected institutions (Blackbaud clients) notified anyway.

On my count the OIPC issued seven breach notification decisions about the incident late last year, each time finding a “real risk.” In a decision involving an American college with donors or alumni in Alberta, the OIPC said:

In my view, a reasonable person would consider the likelihood of significant harm resulting from this incident is increased because the personal information was compromised due to a deliberate unauthorized intrusion by a cybercriminal. The Organization reported that the cybercriminal both accessed and stole the personal information at issue. The Organization can only assume that cybercriminal did not or will not misuse, disseminate or otherwise make available publicly the personal information at issue.

This is not surprising, but tells us how the OIPC feels about the assurance gained from paying a ransom to recover stolen data.

See e.g. P2020-ND-201 (File #017205).

The Five Whys, the discomfort of root cause analysis and the discipline of incident response

Here is a non-law post to pass on some ideas about root cause analysis, The Five Whys, and incident response.

This is inspired by having finished reading The Lean Startup by Eric Ries. It’s a good book end-to-end, but Ries’ chapter on adaptive organizations and The Five Whys was most interesting to me – inspiring even!

The Five Whys is a well-known analytical tool that supports root cause analysis. Taichii Ohno, the father of the Toyota Production System, described it as “the basis of Toyota’s scientific approach.” By asking why a problem has occurred five times – therefore probing five causes deep – Ohno says, “the nature of the problem as well as its solution becomes clear.” Pushing to deeper causes of a failure is plainly important; if only the surface causes of a failure are addressed, the failure is near certain to recur.

Reis, in a book geared to startups, explains how to use The Five Whys as an “automatic speed regulator” in businesses that face failures in driving rapidly to market. The outcome of The Five Whys process, according to Ries, is to make a “proportional” investment in corrections at each five layers of the causal analysis – proportional in relation to to the significance of the problem.

Of course, root cause analysis is part of security incident response. The National Institute of Standards and Technology suggests that taking steps to prevent recurrences is both part of eradication and recovery and the post-incident phase. My own experience is that root cause analysis in incident response is often done poorly – with remedial measures almost always targeted at surface level causes. What I did not understand until reading Ries, is that conducting the kind of good root cause analysis associated with The Five Whys is HARD.

Ries explains that conducting root cause analysis without a strong culture of mutual trust can devolve into The Five Blames. He gives some good tips on how to implement The Five Whys despite this challenge: establishing norms around accepting the first mistake, starting with less than the full analytical process and using a “master” from the executive ranks to sponsor root cause analysis.

From my perspective, I’ll now expect a little less insight out of clients who are in the heat of crises. It may be okay to go a couple levels deep while an incident is still live and while some process owners are not even apprised of the incident – just deep enough to find some meaningful resolutions to communicate to regulators and other stakeholders. It may be okay to tell these stakeholders “we will [also] look into our processes and make appropriate improvements to prevent a recurrence” – text frequently proposed by clients for notification letters and reports.

What clients should do, however is commit to conducting good root cause analysis as part of the post-incident phase:

*Write The Five Whys into your incident response policy.

*Stipulate that a meeting will be held.

*Stipulate that everyone with a share of the problem will be invited.

*Commit to making a proportional investment to address each identified cause.

Ries would lead us to believe that this will be both unenjoyable yet invaluable – good reason to use your incident response policy to help it become part of your organization’s discipline.

The role of legal counsel in ransomware response – cyber divergence on display

Two publications released earlier this month illustrate different views on how to structure ransomware response, and in particular on how to structure the involvement of legal counsel.

On Wednesday of last week, the Ontario Ministry of Government Services issued a bulletin entitled “What is Ransomware and How to Prevent Ransomware Attacks” to the broader public sector. It features a preparation and response playbook that will be much appreciated by the hospitals, universities, colleges, school boards and municipalities targeted by the MGS.

The playbook treats ransomware response as primarily a technical problem – i.e., a problem about restoration of IT services. Legal counsel is mentioned in a statement about incident preparation, but is assigned no role in the heart of the response process. Indeed, the MGS suggests that the Information and Privacy Commissioner/Ontario is the source of advice, even “early on” in an incident:

If you are unable to rule out whether or not PII was compromised (which will likely be the case early on in an incident), contact the Privacy Commissioner of Ontario (416) 326-3333.

Contrast this with what Coveware says in its very significant Q3 ransomware trends report that it released on November 4th. Coveware – arguably the best source of ransomware data – explains that data exfiltration threats now feature in 50% of ransomware incidents and that ransom payments are a poor (and becoming poorer) method of preventing threat actors from leaking what they take. Coveware says:

Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel. Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set.

The Coveware view, shared by Canadian cyber-insurers, is that ransomware is primarily a legal and reputational problem, with significant downside legal risks for institutions who do not engage early with legal counsel.

I favor this latter view, and will say quite clearly that it is bad practice to call a privacy regulator about a potentially significant privacy problem before calling a privacy lawyer. A regulator is not an advisor in this context.

This is not a position I take out of self-interest, nor do I believe that lawyers should always be engaged to coordinate incident response. As I’ve argued, the routine use of lawyers as incident coordinators can create problems in claiming privilege when lawyer engagement truly is for the “dominant purpose of existing or anticipated litigation.” My point is that ransomware attacks, especially how they are trending, leave institutions in a legal minefield. Institutions – though they may not know it – have a deep need to involve trusted counsel from the very start.

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

IPC/Ontario – Appropriate for hospital to notify of breach because it maintained a shared EMR

The IPC/Ontario has issued a significant decision about information governance under the Personal Health Information Protection Act. Specifically, it held that a hospital that gives a physician access to an electronic medical record for use in private practice is a health information custodian together with the physician, but that it can retain a duty to notify of a breach arising out of the private practice.

Background

The hospital maintained an EMR system and gave access to its credentialed physicians and their employees for use in private practice. Employees in two such private practices accessed EMRs without authorization. The hospital notified affected patients and reported the breach to the IPC, which led the IPC to investigate.

In the course of investigation it came to light that some of the employees had shared their login credentials with others outside of the hospital, but apparently to enable health care. The employees also apparently accessed some records (for non-health care purposes) with the consent of friends of family members. Both of these actions violated hospital policy.

Decision

The IPC held that the access enabled by credential sharing and the access made with the consent of family members was made in breach of PHIPA. Although a more benign form of unauthorized access, the IPC found a breach based on section 10(2) of PHIPA, which states, “A health information custodian shall comply with its information practices.”

Regarding the identity of the custodian, the IPC held that both the hospital and the two private practice physicians were custodians in the circumstances – the physicians being custodians “when they access patient information in [the EMR] for the purpose of privatizing health care to their private practice patients.” Such access, the IPC explained, invites a disclosure by the hospital and a collection by the physicians; in this context the physicians were not the hospitals’ agents.

Despite the physicians’ custodianship, the IPC held it was appropriate for the hospital to notify in the circumstances. It said:

[122] In the cases under review, THP and the private practice physicians also treated THP as the health information custodian responsible for notifying affected individuals of the private practice employees’ unauthorized accesses in THP’s EMR. In these circumstances, I agree that THP was the appropriate party to give notice under section 12(2) of PHIPA. As the health information custodian who maintains the EMR, THP was best placed to discover and investigate the extent of the employees’ activity in the EMR, identify all the parties whose personal health information had been accessed without authority, and initiate contact with these individuals, all of whom are THP patients, but some of whom may not have any relationship with the particular private practice physician for whom the employee worked. In these cases, notification by THP was appropriate, taking into account not only the language of section 12(2)[29] but also the interests of the affected individuals.

[123] I also agree with THP that in some circumstances, notification by the collecting custodian may be more appropriate, and a reasonable approach to fulfilling the notice obligation in section 12(2). For example, in a case where the private practice physician has a more significant relationship with the patient whose privacy was breached, notice from that physician (rather than from the custodian who disclosed the information) may be prudent. So long as the notice is given as required upon the events described in section 12(2) (and complies with the other requirements of that section), I agree with THP that circumstances such as the patient’s interests and the relationships between the patients and the various custodians involved may be relevant factors in deciding how best to fulfil the notification obligation. I am not persuaded that applying such an approach to notification in future cases would have the consequences of discouraging hospitals from adopting EMR technologies, or from participating in broader initiatives like a provincial electronic health record system.

Implications

The kind of shared accountability invited by this decision can cause confusion and risk. It will behoove hospitals and other custodians who provide shared access to their EMR systems to be very clear and detailed in establishing who is responsible for what. The hospital in this case, for example, decided post-incident to make more clear that physicians who are given outside access are responsible for training and supervising their employees. It also expressly obligated physicians to participate in privacy investigations arising from the actions of an employee.

The IPC’s finding on who provides notification is very qualified, and rests partly on the fact that the hospital in this case voluntarily provided notification to affected individuals. While taking control of notification may be beneficial to hospitals who maintain and provide third-party access to EMR systems, providing notification may also signal responsibility for a breach and for the related risks for which hospitals have little or no ability to control. The hospital in this case dealt with this tension by stipulating to its physicians that they may be named in hospital notification letters “as being responsible for the breach.” Other hospitals, may wish to require physicians to notify themselves in certain circumstances. The IPC’s decision does not appear to preclude such alternatives.

Trillium Health Partners (Re), 2020 CanLII 15333 (ON IPC).