LifeLabs is taking the BC Privacy Commissioner to the BC Supreme Court for having the audacity to seek information about a breach.
In most normal countries, regulators issue fines against companies who breach privacy laws (sometimes in the midst of a leak or a breach). In Canada, however, things work differently. Regulators can issue strongly worded letters, but that’s about it. While this might be enough to turn Canadian privacy laws into the laughing stock of the world, what happened in the LifeLabs story pretty much adds insult to injury for Canada’s international image on privacy. In short, LifeLabs is filing a petition at the BC Supreme court to block the BC Privacy Commissioners access to information regarding last years breach.
Last year, Lifelabs suffered a data breach. In all, 15 million Canadians had their information compromised. In response, a Toronto lawyer filed a lawsuit against LifeLabs. In January, a second class action lawsuit was filed in BC against LifeLabs.
By this point in time, there were already serious questions over whether the privacy commissioners have any power at all. Back in August, Facebook responded to the strongly worded letter of two privacy commissioners by effectively blowing them off by saying they disagree with their report. The move was likely made because of the realization that the privacy commissioners in Canada are powerless to enforce the law. In large part, Facebook was right because the next step was for the commissioners to step out of their roles as commissioners and personally sue Facebook to get them to comply.
While federal parties (including the governing Liberal party) vowed to strengthen privacy laws in response to this glaring hole, the issue died out after the election was over. Just like every other government, the party knew that once the votes have been cast, they no longer have to worry about working for Canadians. So, when the NAFTA 2.0 implementation committee came around, they were asked about the privacy implications of NAFTA 2.0. The governments response was effectively, “I dunno. Why, is privacy important or something?”
So, with privacy laws demonstrably having no teeth and a government who no longer care about the importance of personal privacy, it seems that companies are beginning to take notice.
When the BC Privacy Commissioner decided to seek information about the LifeLabs data breach, Lifelabs took the rather bold step of taking the commissioner to court. From TriCity News:
LifeLabs is taking the Information and Privacy Commissioner for British Columbia to court, claiming the commissioner cannot compel the firm to hand over a third-party report into an October 2019 cyberattack due to solicitor-client privilege.
The medical testing company filed a petition in B.C. Supreme Court on Feb. 20. LifeLabs claims the commissioner is investigating the hack and sought a report by cybersecurity firm CrowdStrike Services Inc. that had been commissioned by LifeLabs’ counsel.
“Its purpose is to enable counsel to provide informed legal advice to LifeLabs, including in respect of civil litigation and the very investigation the Commissioner is now undertaking,” the petition states. “Because the CrowdStrike Report is privileged, the Commissioner cannot compel its production.”
According to the petition, LifeLabs and its lawyers retained CrowdStrike in the weeks after the hack to assist counsel “with providing legal advice about LifeLabs’ legal risks and responsibilities relating to the Cyber-Attack and to prepare for a potential investigation by the commissioner and the defence of potential civil litigation.”
LifeLabs claims its lawyers can’t provide “meaningful legal advice” without relying on outside cybersecurity investigators to give expert opinions on the extent of the data breach.
The report goes on to point out that this filing also is a step towards blocking at least a few of the class action lawsuits filed against it. The reasoning, they say, is that this whole data breach thing is kind of complicated. Therefor, it’s not really appropriate to file a class action lawsuit in the court it was filed in. Plus, without the evidence being accessible, it makes the lawsuit much harder to prove in court anyway.
The sick thing about all of this is that the company might actually get what they want. After all, what concrete powers do the commissioners have in the first place? So far, all we seen are strongly worded letters that likely go straight to the shredding company upon receipt. Whats worse is that a LifeLabs win will signal to companies that they can very easily walk all over the commissioners without a care in the world. Nothing will come of it.
On top of it all, with a complicit government who seemingly won’t lift a finger to fix this massive regulatory gap, this will likely continue for some time. With Canadian personal information on the line, it will mean that Canadians will continue to pay the price of this neglected regulatory hole.
Drew Wilson on Twitter: @icecube85 and Facebook.
