Legal Privilege: Is It the Shield You Expect It To Be?

In today's digital landscape, the risk of a cyberattack or a data breach of some kind, whether due to internal failures or external threats, is a stark reality for organizations, particularly those handling sensitive personal information, such as credit card information and healthcare records.

When a data breach occurs, organizations typically respond by pulling together several teams, including legal counsel (internal and external), internal staff and outside security experts, to (a) determine the root cause of the breach, (b) protect sensitive information, including internal communication, and (c) contain the breach to prevent further harm to affected individuals.

Determining the root cause of the breach involves constant communication and collaboration between investigators, lawyers, breach coaches, and internal staff. Discussions during this stressful time, whether verbal or written, involve communicating certain facts and opinions. These necessary communications, which could potentially be incriminating, need to be protected. This protection often comes from involving external legal counsel so that the communications are shielded by privilege. In most cases, legal privilege will provide the shield that protects your confidential communications and allows your organization to investigate the cause of a breach freely.

Involving external legal counsel early in the breach also ensures that legal considerations are integrated from the start, which can help shape the investigation, guide regulatory reporting, and frame public communications to reduce liability and scrutiny from the public.


Does this mean, however, that you can just copy external legal counsel on correspondence to attach privilege to it? The short answer is – No, not always.

In recent court rulings (e.g. LifeLabs LP v Information and Privacy Commr (Ontario), 2024), courts have declined to recognize legal privilege in all respects and have outlined clear limits on how far privilege can be relied on to withhold the details of a breach.

In 2019, LifeLabs, Canada's largest lab testing company, suffered a major cyberattack that exposed the personal and health information of approximately 8.6 million people, mostly in Ontario and British Columbia. The stolen data included names, birthdates, health numbers, lab results, and even some login credentials. The privacy commissioners of Ontario and B.C. launched a joint investigation and requested several documents from LifeLabs. The request included a cybersecurity report, emails with the attackers, and an internal analysis. LifeLabs naturally refused, claiming the documents were protected by legal privilege, and was likely cautious that certain root causes and findings would be made public once the commissioners completed their investigation.

Both privacy commissioners and later the Ontario Divisional Court ruled that LifeLabs could not withhold the documents. The court emphasized that legal privilege does not override legal obligations to disclose facts under privacy laws like PHIPA and PIPA.

Interestingly, the court also upheld the IPC's reliance on a US case (Capital One Consumer Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 91736 (E.D. Va May 26, 2020)), which substantiated the view that simply adding legal counsel as a party to the contract (which is often the case during a cyber incident) does not render those deliverables subject to the U.S. work product doctrine (or, similarly, Canada's litigation privilege). The court confirmed that the report produced by the cybersecurity firm retained by LifeLabs was, in those circumstances, prepared for business purposes and not for the dominant purpose of litigation.

What we now know from the LifeLabs case, given the same or similar facts:

• Facts are not privileged: legal privilege does not protect basic facts that organizations are required to disclose by law.

• Copying external legal counsel isn't enough: doing so does not make the communications automatically privileged. There must be a clear legal purpose and a mandate to provide advice regarding the incident.

• Third-party reports may not be protected: if a cybersecurity firm does routine work for the organization and then investigates a breach, its findings may not be privileged, especially if litigation isn't the main reason for the report.


So what are the takeaways?

Your Incident Response Plan matters and is an essential document for your privacy program.

Since legal privilege has limits, your privacy breach response plan needs to include guidance about stakeholder communication during an incident. A properly drafted and executed plan ensures that stakeholders know what they should and should not communicate in writing, who they should be communicating with, how to manage customer and employee inquiries, and of course, what happens when the incident escalates to a point that requires regulator notification.

At a high level, your Incident Response Plan should include at least:

• Incident Identification and Escalation: Steps to identify a potential incident and confirm its occurrence, including when to bring in third-party assistance. Procedures should include triggers for escalating the incident internally.

• Assessment and Impact Analysis: Evaluating the likelihood and impact of the incident, including assessing the potential harm to customers, employees and the organization.

• Compliance and Reporting: Triggers which ensure privacy laws are complied with, including timely notifications to regulators and affected individuals.

• Guide Internal Communication: Procedures for notifying staff and ensuring that staff understand what should and should not be shared based on what is protected by privilege, as well as how to document facts properly.

• Manage External Communication: Clear steps for communicating with regulators and the public, including how to notify individuals about what information was compromised.

• Handle Sensitive Information Carefully: Some communications, such as those with attackers, can never be privileged and must be managed with caution.

• Support Privilege Claims: If privilege is claimed, the Incident Response Plan should ensure there is documentation to prove the communication was for legal advice or litigation.

Legal privilege is certainly a useful tool; however, it is not a shield for all breach-related information and communication, and where a breach or incident is managed properly there will be little need for it. Although the LifeLabs case was fact-specific (including because it involved health information), it remains a reminder that organizations must be transparent with regulators and have a well-prepared Incident Response Plan to navigate legal and reputational risks effectively.

Prioritize your incident management and ask us how we can help you draft a properly considered and operational Incident Response Plan.

Lauren Preston

Lauren Preston is a Privacy Solutions Architect at Bamboo Data Consulting who thrives on making privacy practical, approachable, and even enjoyable. With expertise spanning finance, tech, health, and more, she loves creating strategies that help businesses stay secure while building trust. When she’s not tackling privacy challenges, Lauren writes about everything from data compliance tips to building privacy-first cultures while focusing on the legal aspect of privacy. She’s a Certified Information Privacy Professional (CIPP/C) who believes privacy can be as interesting as her next creative challenge - or at least close!
