Waiver of privilege over cybersecurity report¹

The Ontario Superior Court recently ordered Casino Rama Resort to produce excerpts of reports prepared by a cybersecurity company who investigated a cybersecurity breach. In directing production of portions of the reports, the court found that Casino Rama’s use of the reports in opposition to the certification application had resulted in a waiver of privilege.

Proposed class action proceedings

In 2016, Casino Rama suffered a cyberattack. The customers and employees allegedly harmed by the cyberattack initiated a class action against Casino Rama and brought a certification application. The Ontario Class Proceedings Act requires that each party to a motion for certification provide its best information on the numbers of members in the class.

Pursuant to this requirement, Casino Rama provided an affidavit that relied on documents and information prepared by Mandiant, a cybersecurity company hired by Casino Rama and its legal counsel to investigate the cyberattack. In particular, the impact of the affidavit evidence (which relied upon the Mandiant reports) was that many of the persons given notice of the breach would not have been affected by the data breach and accordingly would be relevant to the number of members in the class.

In response to Casino Rama’s affidavit, the plaintiffs brought a motion seeking an order for Casino Rama to produce the Mandiant investigation reports and supporting documentation. Casino Rama opposed production, relying on privilege.

Waiver, relevance, and proportionality

The court found that waiver of privilege may occur in circumstances other than express waiver, namely where fairness and consistency require production. As Casino Rama was attempting to rely on Mandiant’s opinions or analysis to inform the affidavit, it would be unfair for the court to accept Casino Rama’s cybersecurity evidence, without requiring production of the portions of the Mandiant report relating to the issue. As stated by the court at para 25, “[f]airness requires disclosure of all excerpts of the opinion relevant to the part of the opinion relied upon by the waiving party.” The legislative obligation in the Class Proceedings Act to provide the “best information on the number of members in the class” is not a defence to waiver.

As the reports were not privileged as a result of waiver, the court considered whether the portions of the reports were relevant to the certification motion or pre-certification discovery. The court found that the information on the size and scope of the class was relevant to the certification motion.

Finally, the court considered proportionality of production as a relevant factor for pre-certification production. The court concluded that production of the limited aspects of the Mandiant reports relevant to size and scope of the class satisfied the principle of proportionality.

Take-away

Preserving and maintaining privilege over third-party expert reports is a constant challenge. Care must be taken from the outset of an investigation to ensure privilege is maintained and not waived. Consideration of different and distinct expert engagements for aspects of a mandate likely to require evidence in court requires early and careful review.

Footnote

¹Kaplan v Casino Rama Services Inc., 2018 ONSC 3545