Here’s an approach that I haven’t seen before: make the report about your security weaknesses the subject of solicitor-client privilege. Without seeing the report itself it’s difficult to comment but…if releasing the report would make LifeLabs more vulnerable that would suggest that they haven’t fixed the root causes of the breach…:
[…] The company maintained it would not produce documents of people it believes are covered by solicitor-client privilege. The commissioners continued to debate with the company what was covered by privilege with the company being told it could be charged for not producing materials, the document said.
The company has also asserted some information should not be released in the final report.
“LifeLabs asserted that release of the confidential information threatened the security position of its systems and could encourage future cyber-attacks,” the document said.
Further, the company said, “In Canada, solicitor-client privilege is more than a mere privilege. It is a ‘fundamental civil and legal right’ of confidentiality, non-compellability, and inadmissibility.”