Data breach defendant must hand over computer forensics reports: court

An Ontario casino facing a class-action lawsuit over a data breach has lost its bid to prevent plaintiffs from getting their hands on part of a computer forensics investigation report. The casino claimed the report was protected by litigation privilege or solicitor-client privilege.

Casino Rama, located near Lake Simcoe, had its computer system hacked in 2016. As a result, a significant amount of information on vendors, employees and customers was stolen, Justice Edward Belobaba of the Ontario Superior Court of Justice noted in 2017 in Kaplan v. Casino Rama Services. The ruling was on a “carriage motion,” essentially a dispute over which law firms get to proceed with a class-action lawsuit.

Currently, Leonid Kaplan and Cheryl Mizzi are trying to sue Casino Rama over the 2016 hacking incident. No allegations against the casino have been proven in court. One issue before the courts is the scope of the breach: exactly how many people are affected? This would affect the number of plaintiffs who could potentially be awarded damages.

Kaplan and Mizzi asked the Ontario Superior Court of Justice to order defendants to hand over to plaintiff lawyers a plethora of documents prepared by a contractor that investigated the breach. The defendant used information from those reports to argue that many individuals were not in fact affected by the privacy breach.

The contractor was Mandiant Services, a division of computer security firm FireEye Inc. Mandiant was hired by CHC Casinos Canada Ltd. (the casino’s operator) and Blakes LLP, the law firm representing CHC Casinos. CHC has a contract with government agency Ontario Lottery and Gaming Corporation to manage Casino Rama.

Mandiant produced two reports. One was Mandiant’s “observations, findings, and opinions” on the cyber attack. The other made recommendations on how to remediate the damage. The defendants did not want to disclose any data from those reports.

Justice Glustein ruled Casino Rama must disclose Mandiant reports to the plaintiffs, but “only to the extent they relate to the size and scope of the class.” This is because a Casino Rama executive used the Mandiant reports as evidence of the number of individual affected by the breach, and therefore as evidence of the number of potential plaintiffs.

Among the documents the plaintiffs wanted disclosed were: “any report(s) prepared by Mandiant;” copies of “any documentation prepared by Casino Rama and provided to Mandiant during the course of its investigation;” and copies of any reports on security audits conducted at Casino Rama in 2016 and 2017.

There was “considerable argument” on whether Mandiant’s reports were subject to either litigation privilege or solicitor-client privilege, Justice Benjamin Glustein of the Ontario Superior Court of Justice wrote in Kaplan v. Casino Rama Services Inc., released June 6, 2018.

Solicitor-client privilege is a legal principle intended to protect the confidentiality of communications between lawyers and clients. The rationale is that the justice system requires “full, free and frank communication between those who need legal advice and those who are best able to provide it,” as the Supreme Court of Canada noted in Blank v. Canada (Minister of Justice), released in 2006. The intent of litigation privilege is similar but also applies to communication between lawyers and third parties.

In Casino Rama, Justice Glustein ruled that if the computer forensics reports were subject to solicitor-client privilege or litigation privilege, “then the defendants waived privilege to the extent that the Mandiant Reports address the size and scope of the prospective class. A party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue.”