Disclosure of forensic experts’ findings in data breach class action results in waiver of privilege

A recent decision in a data breach class action highlights potential challenges in maintaining privilege over reports prepared by third party forensic experts engaged to investigate data breaches. In Kaplan v. Casino Rama Services Inc., Justice Glustein of the Ontario Superior Court determined that the defendants had waived privilege over certain portions of a forensic investigator's report by relying on findings and opinions contained in the report in an affidavit filed in the class action.

Background

The plaintiffs brought a class action against the owners and operators of the Casino Rama Resort arising out of a cyberattack disclosed by Casino Rama in November 2016. After discovering the breach, Casino Rama and its counsel hired Mandiant, a third party cybersecurity company, to investigate the cyberattack.

Mandiant prepared two reports: (i) a report summarizing Mandiant’s observations, findings, and opinions arising out of its investigation of the cyberattack and (ii) a report outlining suggested remediation activities (collectively, the “Mandiant Reports”). Casino Rama maintained that the Mandiant Reports were subject to either litigation privilege or solicitor-client privilege.

Waiver of privilege over investigation reports

In response to the certification motion, Casino Rama filed an affidavit that referred to the Mandiant investigation and stated some of Mandiant’s findings, including that the breach appeared to be limited to two specific servers. The apparent purpose of this evidence was to demonstrate that the class was much smaller than the group of people who were initially notified of the breach.

Justice Glustein held that even if the Mandiant Reports were privileged, Casino Rama had waived privilege to the extent that the Mandiant Reports addressed information relevant to the size and scope of the prospective class. Justice Glustein reasoned that Casino Rama could not disclose and rely on certain information obtained from a privileged report and then seek to prevent disclosure of the privileged report.

However, Justice Glustein also found that the doctrine of proportionality limited production to those portions of the Mandiant Reports that were proportionate to the needs of the certification motion and necessary to inform the certification hearing. Other findings in the Mandiant Reports, such as those bearing on the liability of Casino Rama for the breach, were not raised in the affidavit, and therefore privilege was not waived over those issues.

Key implications

Importantly, the decision does not address whether or not forensic investigators' reports are privileged. Indeed, Justice Glustein did not analyze this issue at all. Instead, he determined that, assuming the reports were privileged, privilege over the reports had been partially waived.

Nonetheless, the decision highlights the challenge of maintaining privilege over forensic reports while defending data breach class actions. In many data breaches, much of the best information will be provided by third party forensic experts who have the tools and expertise to investigate the breach. In many cases, such experts will be unable to make definitive findings and will only be able to provide informed opinions regarding key issues such as how the breach occurred, what information was accessed and how many individuals were affected. The decision establishes that relying in litigation on any findings or opinions provided by a third party forensic expert will likely result in waiver of privilege over those findings and opinions.

Forensic experts’ information regarding the size of the class in a data breach class action poses a particular challenge. As Justice Glustein noted, the Ontario Class Proceedings Act requires all parties to provide their best information on the number of members of the class. Casino Rama argued that it had not waived privilege with respect to Mandiant’s conclusions on the size or scope of the group of affected individuals because the Class Proceedings Act compelled disclosure of that information. Even so, Justice Glustein found that privilege had been waived because Casino Rama had “chosen” to disclose and rely on information obtained from Mandiant.

As well, this decision potentially opens the door to broader attacks on privilege claimed over forensic reports. Organizations often rely on the findings and conclusions of forensic experts when disclosing information about the breach to privacy regulators, key stakeholders, and affected individuals, among others. In light of this decision, plaintiffs in data breach class actions may challenge claims of privilege over forensic reports to the extent findings or conclusions contained in those reports have been shared with third parties, such as privacy regulators or law enforcement, or disclosed more broadly, such as to affected individuals.

Given that maintaining privilege and confidentiality is a key objective in data breach incident response, organizations must structure their response teams and communications with a view to maintaining privilege. Particularly in light of this decision, they must also carefully consider the risk of waiving privilege when disclosing forensic experts’ findings and conclusions, whether before or during class actions or other litigation arising from the breach.