LifeLabs sues privacy commissioner over report on cyberattack
Credit to Author: Keith Fraser| Date: Fri, 28 Feb 2020 00:03:04 +0000
The lab-testing company that was targeted in a cyberattack wants to block B.C.’s information and privacy commissioner from acquiring a report on the incident prepared for the firm.
LifeLabs has filed a petition in B.C. Supreme Court seeking to prevent the commissioners from getting the report written by CrowdStrike, a cybersecurity firm, after the October cyberattack. The petition says the report is protected by solicitor-client privilege and litigation privilege, and was created by the cybersecurity firm for and under the direction of lawyers for LifeLabs.
“Its purpose is to enable counsel to provide informed legal advice to LifeLabs, including in respect of civil litigation and the very investigation the commissioner is now undertaking,” says the petition. “Because the CrowdStrike report is privileged, the commissioner cannot compel its production.”
There have been at least five class-action lawsuits and a separate civil claim launched against LifeLabs since the company discovered that there had been an unauthorized access to its computer system that stored information relating to up to 15 million of its customers, most of them in B.C. and Ontario. Names, addresses, health-care numbers and in some cases lab reports of the customers may have been accessed during the cyberattack. LifeLabs provides general medical diagnostic and specialty lab-testing services.
After the attack was discovered, LifeLabs says it retained lawyers to provide advice about the legal risks and responsibilities they faced and to prepare for an investigation by the commissioner as well as possible lawsuits. CrowdStrike was hired to determine the extent and manner of the cyberattack and identify any vulnerabilities in LifeLabs’ computer system, according to the petition.
The cybersecurity firm delivered a draft investigation report in January to the lawyers for the lab-testing company.
The privacy commissioners in B.C. and Ontario had in December launched a joint probe into the cyberattack and on Feb. 7 they ordered LifeLabs to produce the report to them. The company responded by filing the petition.
“At all material times, CrowdStrike was using its cybersecurity expertise to assemble and explain factual information gathered from LifeLabs so that LifeLabs’ counsel could obtain a full picture of the facts and give advice based on that full picture,” says the petition. “Like accountants and fraud analysts, CrowdStrike was effectively a translator between the client and its solicitor.”
No response has yet been filed to the petition, which contains submissions that have not been tested in court.
A spokesman for the commissioner said that because there is an active investigation into the cyberattack, there would be no comment on the litigation. The spokesman added that the probe is continuing and that there is no indication when it will be completed.