LifeLabs fights privacy commissioner’s bid for privately commissioned report on cyberattack in wake of data breach

BIV's lawsuit of the week


LifeLabs LP is taking the Information and Privacy Commissioner for British Columbia to court, claiming the commissioner cannot compel the firm to hand over a third-party report into an October 2019 cyberattack due to solicitor-client privilege.

The medical testing company filed a petition in BC Supreme Court on February 20. LifeLabs claims the commissioner is investigating the hack and sought a report by cybersecurity firm CrowdStrike Services Inc. that had been commissioned by LifeLabs’ counsel.

“Its purpose is to enable counsel to provide informed legal advice to LifeLabs, including in respect of civil litigation and the very investigation the Commissioner is now undertaking,” the petition states. “Because the CrowdStrike Report is privileged, the Commissioner cannot compel its production.”

According to the petition, LifeLabs and its lawyers retained CrowdStrike in the weeks after the hack to assist counsel “with providing legal advice about LifeLabs’ legal risks and responsibilities relating to the Cyber-Attack and to prepare for a potential investigation by the commissioner and the defence of potential civil litigation.”

LifeLabs claims its lawyers can’t provide “meaningful legal advice” without relying on outside cybersecurity investigators to give expert opinions on the extent of the data breach.

“CrowdStrike was using its cybersecurity expertise to assemble and explain factual information gathered from LifeLabs so that LifeLabs’ counsel could obtain a full picture of the facts and give advice based on that full picture,” the petition states. “Like accountants and fraud analysts, CrowdStrike was effectively a translator between the client (LifeLabs) and its solicitor.”

But LifeLabs also faces multiple class-action lawsuits launched in the wake of the data breach, which potentially compromised the personal information of 15 million Canadians, primarily in B.C. and Ontario.

In another petition filed by LifeLabs in BC Supreme Court on February 13, the company seeks to strike a claim filed against it for breach of privacy and breach of contract in British Columbia’s Civil Resolution Tribunal (CRT) by Victoria resident Roman Cremonese. LifeLabs claims the Civil Resolution Tribunal does not have jurisdiction over privacy claims, and the complexity of the case makes the forum inappropriate. Moreover, the company asserts that Cremonese’s claims likely overlap with potential class actions that have yet to be certified. 

“The claim engages a complicated factual matrix – one requiring the consideration of a large body of highly technical expert evidence – that the CRT’s streamlined process is ill-equipped to accommodate,” the petition states. “In addition, the interests of those affected by the Cyber-Attack will be prejudiced if the CRT, through a highly expedited online process, begins making findings about the subject matter of the Privacy Commissioner’s investigation before that investigation is complete.”

The factual bases of both petitions have not been tested in court and the respondents had not responded to the claims in court by press time.