VANCOUVER -- The B.C.-based laboratory testing company that was targeted in a cyberattack last fall is trying to keep the province's privacy commissioner from accessing a third-party report on the breach.
In a petition filed this month in B.C. Supreme Court, LifeLabs argued it shouldn't have to turn over a report prepared by cybersecurity firm CrowdStrike because it's protected by solicitor-client privilege.
"It was created by a third-party cybersecurity expert for – and under the direction of – LifeLabs' counsel," the document reads. "At all material times, CrowdStrike was using its cybersecurity expertise to assemble and explain factual information gathered from LifeLabs so that LifeLabs' counsel could obtain a full picture of the facts and give advice."
CrowdStrike's mandate, according to the petition, was to determine the extent of the cyberattack and identify vulnerabilities in LifeLabs' computer system.
Beyond solicitor-client privilege, the company argued the report is protected by litigation privilege, which covers documents and communications prepared expressly in anticipation of a lawsuit.
"Litigation was more than a reasonable prospect with the CrowdStrike report was prepared – putative class proceedings had already been filed," the petition reads.
LifeLabs is currently facing separate class action lawsuits related to the breach in B.C. and Ontario. The vast majority of the 15 million customers whose personal information was potentially compromised in the breach live in those two provinces.
LifeLabs said its legal team ordered the CrowdStrike report on Nov. 18, weeks after the cyberattack was discovered on Oct. 31 and almost a month before the public was informed about what happened on Dec. 17.
The company did alert the government shortly after the breach, but asked for time to ensure its systems were secure before making the incident public.
B.C.'s information and privacy commissioner was told about the cyberattack on Nov. 5, and is still investigating what happened in co-operation with Ontario's privacy commissioner.
According to the petition, CrowdStrike delivered a draft version of its report on Jan. 23, and the commissioners sent a letter ordering LifeLabs to turn over a copy on Feb. 7. The company was asked to deliver the report by Feb. 11, but has so far refused.
B.C.'s information and privacy commissioner hasn't filed a response to the lawsuit. The claims contained in LifeLabs' petition have not been tested in court.