CyberLex

Insights on cybersecurity, privacy and data protection law

Deletion of Browser History to Prevent Embarrassment Not Spoliation

Posted in E-Discovery, Privacy
Marissa Caldwell

In Catalyst Capital Group Inc v Moyse, 2016 ONSC 5271, the Ontario Superior Court considered whether the defendant, Brandon Moyse, who deleted his Internet browsing history from his personal computer in the face of a preservation order, had intentionally destroyed relevant evidence, giving rise to spoliation. Spoliation is an evidentiary rule that gives rise to a rebuttable presumption that destroyed evidence would be unfavourable to the party that destroyed it.

Background

The underlying action arose after Moyse, who had been employed by Catalyst, left the company to take a position with a competing investment management firm. Catalyst brought an action for breach of confidence for the alleged misuse of confidential information regarding a target company in which Catalyst had unsuccessfully attempted to acquire an interest. Subsequently, the target company was successfully acquired by Catalyst’s competitor, and Catalyst claimed Moyse had delivered Catalyst’s confidential information to its competitor and its competitor had used it in the successful acquisition.

After Moyse had joined the competitor company and before this action was commenced, Catalyst obtained a consent order requiring Moyse and the competitor company to preserve and maintain all records in their possession, power or control “relating to Catalyst and/or related to their activities since March 27, 2014 and/or related to or was relevant to any of the matters raised in the Catalyst action.” The order required specifically that Moyse turn over his computer to counsel for forensic imaging of the data stored on it.

However, before turning his personal computer over to his lawyer, Moyse deleted his personal browsing history and purchased software entitled “RegCleanPro” to further delete registry information. In addition, Moyse wiped clean his Catalyst-issued mobile device before returning it.

Spoliation

After determining that the elements of an action for breach of confidence could not be made out on the facts of the case, the Court turned to the question of spoliation. A finding of spoliation requires four elements to be established:

  • the missing evidence must be relevant;
  • the missing evidence must have been destroyed intentionally;
  • at the time of destruction, litigation must have been ongoing or contemplated; and
  • it must be reasonable to infer that the evidence was destroyed in order to affect the outcome of the litigation.

In explaining why he had erased his browsing history, Moyse said he was worried that Catalyst would be able to access his personal internet browsing history and that, in light of the anticipated court proceedings, this history might become part of the public record. In particular, Moyse was concerned that his having accessed adult entertainment websites would become public.

Moyse stated that he did not believe it was improper to delete his internet browsing history as the order did not require him to maintain his computer in “as is” condition. Because the focus of the preservation order was to maintain and preserve documents, he felt that by deleting his browsing history, he was deleting personal information not relevant to the litigation. Moyse was aware that simply deleting his browsing history through the browser would not fully erase the record, so he searched online for a more permanent solution. He purchased the first program he found, RegCleanPro. He ran the RegCleanPro software to clean his computer registry the day before he delivered his computer to his lawyers.

The Court accepted Moyse’s evidence as to why he had deleted his internet browsing history. This was partially based on the fact that Moyse had a girlfriend and that it was understandable that he would not want his browsing of adult entertainment websites included in the record. It was concluded that Moyse had not intended to destroy relevant evidence and that this precluded any finding of spoliation. Catalyst contended that Moyse could have looked at Catalyst documents related to the target company in his Dropbox before erasing his browsing history. This argument was dismissed as there was no evidence that Catalyst documents had ever been transferred into Moyse’s Dropbox and because the forensic image of his computer showed that the last time Moyse accessed his Dropbox pre-dated his working on the target company file.

Regarding the mobile device, the Court accepted that Moyse wiped it to delete pictures and texts of a personal nature. Because Catalyst maintained access to all of the emails on the device, no spoliation was found.

Justice Newbould found that Catalyst had not established that Moyse had intentionally destroyed evidence in order to affect the outcome of the litigation. As such, there was no basis to find or infer a presumption that Moyse destroyed evidence that would be unfavourable to him.

Catalyst had also argued that spoliation should be recognized as an independent tort. While Canadian courts have allowed the pleading of a tort of spoliation to proceed to trial, there were no cases referred to in Catalyst’s submissions that actually recognized spoliation as a tort. Due to the finding that there was no spoliation, the Court did not consider whether such a tort exists in Canada.

Takeaways for Business

This decision exposes reasons why a carefully drafted preservation order is essential. If the order had stated that Moyse turn over his computer in “as is” condition and he had still deleted his browsing history, Moyse’s credibility as a witness would likely have been called into question. If the order had stated that Moyse turn over his computer in “as is” condition and he had left it in the same condition, forensic experts could have definitively known if he had confidential information to share.

In short, a preservation order should state everything that is to be preserved, and the manner in which it is to be preserved.

FinTech in Canada: A Report Studying The Canadian FinTech Ecosystem

Posted in Big Data, Financial, FinTech
Genevieve Pinto, Dan Doliner

“FinTech in Canada: British Columbia Edition” brings insight from more than a hundred stakeholders in the Canadian FinTech sector on challenges and opportunities, provides a comparative overview of the FinTech ecosystem in Canada and 16 other countries, including the U.K., U.S. and Australia and offers recommendations to advance FinTech in Canada.

The Digital Finance Institute and McCarthy Tétrault LLP have co-authored a comprehensive report, “FinTech in Canada: British Columbia Edition” studying the Canadian FinTech ecosystem. The report reviews the current FinTech landscape in Canada, with a special focus on Vancouver, and a comparative overview of FinTech in 16 international jurisdictions. A product of a unique internationally collaborative process, the report brings together insights of key stakeholders in Canadian FinTech, including banks, government agencies, tech firms, law firms, advisory firms, universities, VCs and industry associations.

The report maps the FinTech ecosystem in Canada, and its strengths, challenges and opportunities with a view to understanding the future of FinTech, in Canada and globally. The report offers recommendations and a roadmap for Canada to capitalize on its FinTech opportunity and be an international leader in FinTech.

“FinTech in Canada: British Columbia Edition” is a collaboration between McCarthy Tétrault LLP’s FinTech group and the Digital Finance Institute. The Digital Finance Institute is a prestigious Canadian-based think tank for FinTech established in 2013 with a mandate to address the balance of innovation and regulation; support initiatives for financial inclusion; and advocate for diversity in FinTech. K&L Gates LLP, a global law firm, contributed insight and content for the report regarding the U.S. and Australian FinTech ecosystems.

For the full report, click here.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

No Waiver of Privilege for Contractor Emails on Company Account

Posted in E-Discovery, Privacy
Dan Doliner

Can a company which provides a corporate e-mail account to a contractor, and then gets into a legal dispute with that contractor, use the contractor’s emails in that corporate account in the litigation? The answer appears to be no, in certain circumstances.

The Facts

A company engaged a contractor who provided it with certain services, and in this context, the company provided the contractor a corporate e-mail account. The contractor used this corporate e-mail account to exchange e-mails with his lawyer about a legal dispute he had with the company. Can the company use these e-mails in the litigation with the contractor? This is the main question in a recent decision of the Ontario Superior Court of Justice, in Narusis v. Bullion Management Group, 2016 ONSC 4731.

The defendant, Bullion Management Group Inc. (“BMG”) employed the plaintiff, Nathan Narusis (“Narusis”), beginning in 2007. In December 2011, BMG and Narusis agreed that Narusis would continue to provide BMG with services, but as a contractor, through a corporation controlled by Narusis.

As an employee of BMG, Narusis was provided with a corporate e-mail account; he continued to use the same corporate account when he became a contractor. In January 2011 BMG distributed to its employees an “Employee Policy & Procedures Manual” (the “Policy”). This Policy states that e-mails exchanged through BMG’s corporate e-mail account are not guaranteed to be private and could be subject to inspection. The Policy required all e-mail account users to sign an acknowledgement that they understood and would abide by the terms of the Policy. Narusis did not sign such an acknowledgement.

In September 2012 BMG terminated the working relationship with Narusis. In connection with the termination, Narusis launched an action against BMG.

As part of discovery, BMG searched its corporate e-mail server for e-mail correspondence relating to Narusis. BMG sent copies of relevant e-mail communications to its counsel. BMG’s counsel reviewed the e-mails and noticed that some of the e-mails were communications between Narusis and one or more of his lawyers. BMG’s counsel immediately stopped reviewing those e-mails, and sealed them pending the determination of the court in their regard.

BMG filed a motion with the court, seeking an order deeming the e-mails not subject to solicitor-client privilege. After hearing the motion, a Case Management Master dismissed it. The Master determined that e-mails exchanged between Narusis and his lawyers, despite being sent through BMG’s e-mail server, were subject to solicitor-client privilege, and therefore, could not be admitted as evidence.

BMG appealed, requesting the court to set aside the Master’s decision.

The Court’s Decision: Dismissal

In its appeal, BMG raised two key arguments:

  1. The court should apply the legal tests relating to protection of privacy, and thus find, on a balance of interests, that the interest of submitting evidence (in this case, Narusis’s e-mail exchange with his lawyers) prevails over Narusis’s right to privacy.
  2. Narusis waived solicitor-client privilege over his communications with his counsel by corresponding with his counsel via Narusis’s corporate e-mail account, thus, making these e-mails available for BMG to review.

Privacy Protection Rules Do Not Apply to Solicitor-Client Privilege

The court determined that the e-mail exchange between Narusis and his lawyer was subject to solicitor-client privilege and therefore the legal tests relating to privacy were not applicable.

The court noted that solicitor-client privilege is distinguished from the more general protection of privacy. These two rights are related but not the same. Narusis’ e-mail exchange with his counsel was an interaction in which counsel was engaged in providing legal advice or ‘otherwise acting as a lawyer.’[1] In addition (and as further discussed below), Narusis had a reasonable expectation that the e-mail exchange with his lawyer would remain confidential. Thus, the e-mails were subject to solicitor-client privilege.

Lederer J. noted that solicitor-client privilege is fundamental to the proper functioning of the Canadian legal system. Without solicitor-client privilege, access to justice and equality of justice would be compromised.[2] The court further noted that ‘solicitor-client privilege must be as close to absolute as possible to ensure public confidence and retain relevance.’[3]

Solicitor-Client Privilege: Sending E-mails Via Corporate E-mail Account Does Not Constitute Waiver

The court concluded that the facts of the case indicated that Narusis had not, implicitly or explicitly, waived his solicitor-client privilege over the e-mails.

BMG distributed the Policy to its employees, stating that e-mail transmitted through the corporate account is ‘not guaranteed to be private’. The court found that the Policy did not forbid use of the corporate e-mail account for personal matters, and that despite the Policy ‘not guaranteeing’ privacy, Narusis had a reasonable expectation of privacy.

The court considered Narusis’ particular circumstances: he refused to acknowledge the Policy; he was employed by BMG for several years at the time the Policy was circulated and used his corporate e-mail account according to existing practices; and he was not considered an employee at the time the relationship with BMG was severed.

Lederer J. found that Narusis did not show an intention to deliver the e-mails to anyone other than, or in addition to, his counsel. The release of Narusis’ e-mail exchange with his counsel to BMG’s review was inadvertent. In addition, there was no public disclosure of the e-mails. Once the court found that Narusis’ e-mail exchange with his lawyer was subject to solicitor-client privilege, ‘anything that purports to be a waiver that does not involve a conscious, deliberate decision, must be narrowly construed and applied.’[4]

Takeaways for Business

E-mail continues to be one of the most dominant technological tools in all aspects of business operations. Consequently, e-mail exchange will continue to play a significant role in legal disputes. This case reflects the importance of understanding the intricacies relating to the use of e-mail.

In this case, the court found that the circumstances before it do not constitute waiver of solicitor-client privilege. However, in its analysis, the court suggested that had Narusis been an employee, and/or signed the Policy, and/or personal e-mails been forbidden, the outcome may have been different. For a business, loss of solicitor-client privilege can be a detrimental blow in litigation.

The decision in this case illustrates the importance of having effective policies to administer the use of corporate e-mail. Such policies should take into account the particular circumstances of the business by offering solutions to specific issues that are part of the environment in which the business operates. However, as shown by this case, a policy alone is often not enough, and it must be supplemented by the appropriate management procedures and technological tools to allow effective control of the use of corporate e-mail.

[1] Referring to Blood Tribe Department of Health v. Canada (Privacy Commissioner), 2008 S.C.C. 44, at para. 10.

[2] Ibid. (Blood Tribe), at para. 9.

[3] Referring to R. v. McClure, [2001] 1 S.C.R. 445, at para. 35.

[4] Referring to Leggat v. Jennings, 2015 ONSC 237, at paras. 30-31.

Canada-EU Agreement to Share Air Travellers’ Data Doesn’t Fly

Posted in European Union, Privacy
Krupa Kotecha

An agreement between Canada and the European Union over the sharing of air passengers’ personal information failed to pass muster in the European Court of Justice because Canada was found to have inadequate privacy protections.

On September 8, 2016, the Court of Justice of the European Union (“CJEU”) issued an Opinion on the consistency of Canada and the European Union’s agreement on the transfer of passenger name record data (“PNR Agreement”) with the Charter of Fundamental Rights of the European Union (“EU Charter”).

The draft PNR Agreement was initially created with the intention of allowing the transfer of PNR data to Canadian authorities for its use, retention and, where appropriate, subsequent transfer, for the purpose of combatting terrorism and other serious transnational crime. PNR data includes passenger travel habits, payment details, dietary requirements and other information that might contain sensitive data on a passenger’s health, ethnic origin or religious beliefs.

The draft PNR Agreement further provides for PNR data security and integrity requirements, an immediate masking of sensitive data, the right of access to data, the rectification and erasure of data, the possibility of administrative and judicial redress, and storage of the data for a maximum period of five years.

However, the European Parliament refused to approve the draft PNR Agreement until the CJEU considered whether the information sharing arrangement respected the fundamental rights of EU citizens as set out in the EU Charter. The Opinion is the result of the CJEU’s consideration.

The Opinion, written by Advocate General Paolo Mengozzi, states that “certain provisions of the agreement envisaged, as currently drafted, are contrary to the EU Charter of Fundamental Rights” and that the PNR Agreement extends beyond what is “strictly necessary [to achieve] the public security objective pursued by the agreement.” As stated in the accompanying press release, additional aspects of the agreement that were held to be contrary to the EU Charter include the provisions which:

  • provide for the processing, use and retention by Canada of PNR data containing sensitive data;
  • confer on Canada, beyond what is strictly necessary, the right to make any disclosure of information without a requirement for any connection with the public security objective pursued by the agreement;
  • authorise Canada to retain PNR data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the public security objective pursued by the agreement;
  • allow PNR data to be transferred to a foreign public authority without the competent Canadian authority, subject to review by an independent authority first being satisfied that the foreign public authority in question to which the data is transferred cannot itself subsequently communicate the data to another foreign body.

As a result, the Opinion asserts that the PNR Agreement, as it stands, contravenes Articles 7 and 8 and Article 52(1) of the EU Charter. The Advocate General’s opinion was based on the notion that, “at a time when modern technology allows public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should ensure that the proposed measures, even when they take the form of envisaged international agreements, reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data.”

While this is a significant blow for the PNR Agreement, the Advocate General’s Opinion is not binding on the CJEU. The judges of the CJEU are now beginning their deliberations in this case and will issue a final ruling later in the year. If the CJEU determines that the PNR Agreement is incompatible with the Treaties, it will not be permitted to enter into force until amended.

Monetizing Data: Seizing Opportunities, Managing Risk – Please Join Us Wednesday, September 28, 2016 for a McCarthy Tétrault Advance™ Seminar

Posted in Big Data, Privacy

Collect all the data. Store all the data. Once you’ve got a massive reservoir of data, you’ll be able to answer all the questions the business wants to ask, right? Bonus: Anonymize the data, package it all and sell it (or insights from it), thereby driving revenue and leapfrogging over the competition.

Not so fast. Monetizing that data may well be the right decision for your company, but that same data can be a significant liability from a legal, regulatory and security perspective.

Are you really ready to become a data-driven company? Have you worked out your data strategy? Are your legal documents (contracts, privacy policies, terms of use, etc.) aligned with your data strategy? Join us for this informative session as we discuss these hot button topics:

  • Of course I own the data: Do you really? Are you getting it from a company with which you contract? Are there restrictions on how you can use that data? Do you have the legal authority to do with it what you want?
  • Big Data can equal big risk: Big Data is all about getting more information, while privacy and cybersecurity are about reducing risk through reducing information. Is there a happy medium?
  • Meet the regulators… all of them: While misuse of personal information will still attract the attention of the Privacy Commissioner (with fines and mandatory breach notification coming soon), data use has also caught the eye of other regulators: telecommunications bodies, competition agencies, consumer protection organizations, etc. How familiar are you with your new friends and their rules?

Our speakers are:

Donald Houston, Partner, Competition Law, McCarthy Tétrault

Kirsten Thompson, Partner, Cybersecurity, Privacy and Data Management, McCarthy Tétrault

Other speakers to be announced

Note: For those participants who cannot join us in-person, we are offering this program via webinar. If you are interested in this alternative, please select the appropriate option during the online registration process. All instructions and information on how to access the webinar will be forwarded in English only a few days before the event.

This program qualifies for up to 1.5 hours of eligible educational activity or CPD/MCE credit under the mandatory education regimes in British Columbia, Ontario and Québec.

Thank you for confirming or declining this personal invitation.

For questions about this event, please contact Sangeetha Karalamoorthy.

Date:
Wednesday, September 28, 2016

Time:
Registration and Lunch: 11:30 a.m. (EST)
Program Timing: 12:00 p.m. (EST) – 1:30 p.m. (EST)

Location:
McCarthy Tétrault Toronto Office
Suite 5300, TD Bank Tower
66 Wellington St. West, Toronto

Insurance Company’s “formal dispute resolution process” Not Formal Enough to Avoid PIPEDA Access Request

Posted in Legislation, Privacy
Kirsten Thompson, Alex Treiber

Background

The Office of the Privacy Commissioner of Canada (“OPC”) investigated a complaint made to its Office after an insurance company refused to provide a policyholder access to her personal information relating to a joint home insurance policy she held with her husband. The policyholder had made her original request for access pursuant to the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), which the insurance company had denied.

The policyholder then made a complaint about the denial of access to the Office of the Ombudsman (“Ombudsman”) for the insurance company’s parent company, which is a bank (“Bank”). The insurance company continued to deny the policyholder access, and also denied the policyholder access to any subsequent information generated following her complaint filed with the Ombudsman. The policyholder had sought access to a recorded telephone conversation along with emails, internal reports and other communications related to a claim. The policyholder then complained to the OPC, which investigated.

In its submissions, the Respondent insurance company attempted to rely on three exemptions to disclosure in order to support its refusal to provide access to the complainant: first, the Respondent relied on s. 9(1) of PIPEDA, which allows access to be denied if such access would reveal personal information about a third party (in this case, the Respondent argued that the complainant’s spouse’s consent was required); second, the Respondent argued that the Ombudsman’s services were not a “commercial activity” and therefore beyond the scope of PIPEDA (which applies to those organizations in respect of personal information which the organization collects, uses or discloses in the course of commercial activities). Finally, the Respondent relied on paragraph 9(3)(d) of PIPEDA which exempts from disclosure information generated in the course of a “formal dispute resolution process”.

Finding

The Commissioner, in its Report of Findings #2016-006, found that the Respondent violated PIPEDA when it refused access to the complainant’s personal information. The Commissioner rejected the Respondent’s arguments.

Regarding third party information, the OPC found that despite the fact that the home insurance policy was held jointly with the complainant’s spouse, the Respondent’s proper response would have been to remove the third party’s personal information (the complainant’s spouse) and to provide access to the rest.

With respect to the claim regarding commercial activity, the Respondent relied on the OPC’s past decision, which was the subject of judicial review in State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736, to argue that the Ombudsman’s activity was not a “commercial activity”. In that decision, the Federal Court held that personal information collected by an insurer for the purpose of defending a claim against its insured was not subject to PIPEDA. The OPC distinguished State Farm from the facts at hand as the complainant in that case was not a client of State Farm, and thus, there was no commercial relationship between them. However, the dominant purpose for the information collected by the Ombudsman in this dispute resolution process arose out of a direct commercial relationship between the complainant and the Respondent.

Formal dispute resolution process

The OPC spent a fair bit of time in its analysis of this aspect of the complaint. The Respondent had argued that the Bank’s Ombudsman role had all the hallmarks of a “formal” dispute resolution system:

  1. Legislatively required and governed

The Respondent advised that the Bank Act and the Insurance Companies Act both require federally regulated financial institutions and insurance companies to, among other things, establish formal procedures and processes for resolving customer complaints. It also advised that the Financial Consumer Agency of Canada Commissioner’s Guidance Document No. CG 12 states that all federally regulated financial institutions “are required by legislation to have dedicated procedures as well as personnel in place to deal with consumer complaints.” Finally, Respondent noted that the Financial Services Commission of Ontario (“FSCO”) General Insurance Bulletin No. G-02/03 states that customers must attempt to resolve their complaints directly with their insurer before accessing the Office of the Insurance Ombudsman. Moreover, the FSCO General Insurance Bulletin No. G-05/96 requires all insurance companies to have in place a “Consumer Complaint Handling Protocol” for dealing with consumer complaints and to appoint an Ombudsman Liaison Officer to liaise with the Office of the Insurance Ombudsman.

The OPC, however, was of the view that this regulatory structure did not speak to the formality of those processes; it simply required banks and insurance companies to have a process in place, but did not provide any framework of what this process must entail. Banks and insurance companies retained considerable flexibility as to the kind of internal processes adopted.

  2. Independent and impartial

The Respondent submitted that the Ombudsman is an independent and impartial office which reports to the Deputy General Counsel of the Bank and is not associated with or aligned to any business line within the Bank. The Ombudsman has the mandate to independently review the concerns of the Bank customers that remain unresolved after the dispute has been addressed by the Bank’s internal complaints resolution process. The Respondent further advised that the role of the Ombudsman is primarily as a mediator and settlement facilitator between the Bank and its customers, who investigates and attempts to fairly and impartially resolve issues relating to customers’ concerns. The goal of the Ombudsman, according to the Respondent, is to apply principles of fairness to find an acceptable resolution, without any interference, direction or influence from the Bank.

The OPC found that despite the foregoing, the Ombudsman nonetheless “remains an internal function of the Bank and is led by an employee of the Bank, who reports to the Deputy General Counsel of the Bank. It is questionable whether the Ombudsman is capable of being perceived as independent of the Bank.”

  3. Generates information subject to settlement privilege

The Respondent argued that the information generated during the course of resolving a dispute is subject to settlement privilege. The Respondent indicated that one of the functions of the Ombudsman is to negotiate with both parties and recommend settlement terms. The current Ombudsman process requires that all communications with the Ombudsman are kept private and confidential between the customer, the Bank and the Ombudsman, meaning that the customer and the Bank agree not to seek to have the Ombudsman representative(s) produce its files and records, nor to testify or give evidence. According to the Respondent, the courts have consistently recognized the privilege surrounding settlement negotiations, including mediation.

The OPC, however, was of the opinion that the Respondent did not make out a case for the application of settlement privilege. The OPC went on to say that to the extent that PIPEDA may allow organizations to withhold information covered by settlement privilege, this issue would be more appropriately dealt with pursuant to paragraph 9(3)(a) of PIPEDA, which provides an exemption on the basis of information protected by solicitor-client and litigation privilege.

In the end, the OPC determined that the Respondent’s “formal dispute resolution process” was not formal for the purposes of PIPEDA. Noting PIPEDA’s quasi-constitutional status, the OPC ultimately found that any restriction on the rights recognized under PIPEDA should be interpreted narrowly. The OPC noted that a formal dispute resolution process required the presence of a framework, either legislated or agreed to by the parties to the dispute. No such framework existed.

Company Disagrees with Finding

It is the practice of the OPC to issue a Preliminary Report of Investigation (“PRI”), to which an organization may respond. In the PRI, the OPC makes “recommendations” that the organization may or may not agree with. It is unusual for an organization to reject outright the OPC’s recommendation.

In this case, the OPC issued a PRI recommending that the Respondent provide the complainant with access to all information generated during her complaint to the Ombudsman, unless another exemption pursuant to PIPEDA applied to the information.

The Respondent respectfully disagreed with the OPC’s finding that the Ombudsman is not a “formal dispute resolution process” pursuant to paragraph 9(3)(d). However, notwithstanding this position and without prejudice to future matters, the Respondent did provide the complainant with access to her personal information generated in the course of her complaint to the Ombudsman.

Guidance for Business

This decision highlights two important takeaways for organizations to consider when dealing with PIPEDA requests.

First, notwithstanding the fact that an organization may have an ombudsman or other sophisticated dispute resolution mechanism in place, it may nonetheless not qualify for an exemption from the access requirements under PIPEDA. Organizations that have been relying on the protections that privilege may afford under such processes may be surprised to find that the same information is subject to disclosure under PIPEDA, particularly if privilege is overlooked as a ground of exemption from such disclosure.

Second, even if a request for personal information may disclose the personal information of a third party, the proper procedure is to redact and remove all references to the third party and to provide the complainant with access to the remainder.

Public Safety Canada calls for Submissions on New National Cybersecurity Strategy

Posted in Cybersecurity
Dan Doliner

On August 16, 2016, Public Safety Canada (“PSC”) issued a consultation paper, launching a public consultation as part of PSC’s development of an updated national cybersecurity strategy (the “Consultation Paper”). The consultation will close on October 15, 2016. Businesses may want to consider making submissions in respect of some key questions posed around possible regulation or standard-setting regarding the Internet of Things and connected devices, certification for E-commerce activities, and information sharing (especially in respect of critical infrastructure).

Background

In 2010, PSC released the first Canadian national cyber security strategy – “Canada’s Cyber Security Strategy” (the “2010 Strategy”). The 2010 Strategy provided, for the first time, a governmental overview of cybersecurity threats to Canadian businesses, citizens, infrastructure and governmental agencies. The 2010 Strategy described the priorities of the Government of Canada in its efforts to secure against cyber threats and to develop cybersecurity technology.

The 2010 Strategy focused on three objectives: (1) Securing Government systems; (2) Partnering to secure vital cyber systems outside the federal Government; and (3) Helping Canadians to be secure online.

As means to implement the 2010 Strategy, PSC introduced the Action Plan 2010-2015 for Canada’s Cyber Security Strategy (the “2010 Action Plan”). The Action Plan outlines how the Government of Canada intends to implement the 2010 Strategy by advancing and funding a wide array of programs.

Since the introduction of the 2010 Action Plan, the Government of Canada has invested more than CAD 244 million, with most of the funds allocated to securing governmental systems.[1]

As part of the 2010 Action Plan, the government promoted a significant legislative development in the form of the Digital Privacy Act (Bill S-4), which amended the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (see our earlier blog post here).

The Current Consultation

Six years have passed since the introduction of the 2010 Strategy, a period that saw extraordinary advancements in cyber-technology. PSC now wishes to renew and expand its cybersecurity strategy so that it reflects advances in technologies and positions Canada to better engage future technological developments.

The Consultation Paper comprises three parts. The first part seeks input from the public on a variety of cybersecurity issues, including cybercrime and cyber-policing, E-commerce, standardization, critical infrastructure, and growth and innovation.

The second part of the Consultation Paper establishes the five principles that will apply to the new cybersecurity strategy:

  1. Protect Canadians online and protection of Canada’s critical infrastructure.
  2. Promote and protect rights and freedoms online.
  3. Recognize the importance of cyber security for business and economic growth.
  4. Collaborate and coordinate across jurisdictions and sectors.
  5. Adapt to respond to emerging technologies and changing conditions.

The third part of the Consultation Paper identifies three Key Action Areas, providing insight into what may very well be the action plan that will follow the new cybersecurity strategy (similar to the 2010 Action Plan) and will be of particular interest to business:

  1. Resilience: This area focuses on prevention, mitigation, and response to cyberattacks, and increasing public engagement. Under this section PSC may promote certification of business, guidelines regarding corporate governance policies relating to cybersecurity, and increased public awareness.
  2. Cooperation and Capability: This area focuses on development of skills and resources for effective cyber security, including through educational and training programs, enabling information sharing within the private sector, and the creation of a national cybercrime coordination centre.
  3. Cyber Innovation: This area focuses on initiatives that will allow anticipation of, and adaptation to, new trends in cybersecurity. To this end, PSC is seeking to promote projects that will identify opportunities based on data analysis, support R&D in areas such as quantum computing, 3D printing, and virtual reality, and initiate private-public partnerships to create innovation hubs.

Takeaways for Business

While many of the questions posed in the Consultation Paper focus on public education and cybercrime prevention, there are some key questions for which business may wish to have input. Notably:

Protecting against advanced threats:

  • What do public and private sector organizations need to do in order to protect themselves from advanced cyber threats (for example, tools, capacity, information)?
  • What are the constraints to information sharing on advanced cyber threats and associated vulnerabilities?

Strengthening Consumer Confidence in E-Commerce:

  • How can Canadian businesses be encouraged to adopt better cyber security regimes – particularly small and medium enterprises?

Embracing New Cyber-Secure Technologies:

  • What steps should be taken to ensure that networked and emerging technologies (like Internet of Things and apps) are cyber secure?

Protecting Critical Infrastructure:

  • What are the barriers to strengthening cyber systems in critical infrastructure (within and across sectors)?
  • What are the constraints to information sharing and engagement related to protecting cyber systems of Canada’s critical infrastructure?

Businesses working in these areas, or affected by developments (particularly potential regulatory developments) in these areas, may be interested in making submissions.


[1] Public Safety Canada, “Canada’s Approach to Cyber Security”, presentation to the Public Sector Chief Information Council, dated September 18, 2014 (online: http://www.iccs-isac.org/library/2014/08/TAB-4A-PSCIOC-New-FPT-Table-on-Cyber-Security.pdf)

When Loose Lips Will (or Will Not) Sink Ships: Privilege, Privacy and Wilfulness

Posted in Privacy, Privacy Act
Krupa Kotecha

The Background

On July 26th, 2016, the Supreme Court of British Columbia released an interesting decision that addresses questions regarding: (1) the scope of privilege that applies to work done by lawyers in relation to judicial proceedings; and (2) the interpretation of BC’s Privacy Act with respect to the requirement of “wilfulness”.

In Duncan v. Lessing, 2016 BCSC 1386, the issue centered on claims brought by an individual, Mr. Duncan, against Mr. Lessing, a lawyer that represented Duncan’s former wife in family litigation between the two parties. The plaintiff claimed that the defendant lawyer breached his privacy: (1) in the course of serving application materials; and (2) through the conveyance of information about the plaintiff in a casual conversation with another lawyer.

The first alleged breach of privacy concerned prior litigation between the plaintiff and his former wife. In the course of bringing an action against the plaintiff, the defendant’s process server unintentionally served an unsealed notice of application and affidavit on several companies not party to the litigation. The plaintiff contended that these documents contained private information about matters between the couple, including tax returns and a pre-nuptial agreement.

The plaintiff also alleged that a breach of privacy took place when the defendant lawyer and another lawyer were conversing over a break in an examination for discovery pertaining to an unrelated action. The defendant discussed the facts of the case without naming the parties and disclosed that he was representing a wife whose husband had previously sold a business in Alberta for $15 million. The other lawyer’s client, who was familiar with the fact that the defendant was acting for the plaintiff’s wife, was able to deduce the identity of the plaintiff from the information divulged.

In response to the plaintiff’s claims, the defendant lawyer raised several defences. With respect to the service of the companies, the defendant contended that, because the impugned actions were undertaken in furtherance of the lawyer’s duties to the plaintiff’s wife, the defence of absolute privilege provided the defendant with immunity from civil liability. The defence also asserted that neither the service of the companies, nor the disclosure arising from the “casual conversation”, resulted in violations of the Privacy Act.

The Decision

Defence of Absolute Privilege Applicable to Breach of Privacy Claim

In handing down the decision, Justice Griffin rejected the plaintiff’s claims relating to the first alleged breach of privacy, first confirming that the defence of absolute privilege was applicable:

The absolute privilege that applies to lawyers working for a client in the context of an ongoing judicial proceeding provides a defence to intentional misconduct such as defamation. It clearly also must apply to an error in service of court documents, for all the same policy reasons. Here [the lawyer’s] only purpose for service was in furtherance of the Family Action.

The fact that the defendant’s actions were undertaken for the sole purpose of furthering his client’s interests thus served to shield the defendant from civil liability. Furthermore, Justice Griffin noted that nothing in the Rules of Civil Procedure required a party effecting service to place the documents in a sealed envelope marked “confidential” or otherwise. The Court noted that, despite the fact that “serving court documents within a sealed envelope could be a good practice”, it was nonetheless the case that “[n]o evidence was called to suggest that service within a sealed envelope is standard practice when a law firm hires a third party to effect service.” As a result, the defendant’s failure to use sealed envelopes did not bring service of the application outside the scope of absolute privilege.

Information Not Embarrassing or Particularly Unique Won’t Support a Finding of “Wilful” Privacy Violation

The Court also held that no breach of privacy arose from the “casual conversation” incident involving the defendant. This was determined on the basis of the Court’s finding that the sale of the plaintiff’s business was not private. In setting out the rationale for this finding, Justice Griffin noted that:

The plaintiff’s evidence failed to prove that Mr. Lessing could only have learned this information from private information disclosed by Mr. Duncan in the Family Action, as opposed to learning it from his own client or general investigations […] [T]here is no obvious inference here that the sale price in relation to a past business transaction involving several parties was information about which a person involved in the transaction could in the circumstances reasonably be entitled to privacy.

Concluding that the plaintiff could not establish a reasonable entitlement to privacy with respect to the disclosed information, Justice Griffin rejected the basis for the plaintiff’s second claim. Of particular interest is the Justice’s obiter commentary dealing with the question of whether the defendant’s disclosure was a “wilful” violation of the plaintiff’s privacy. This discussion included the assertion that subsections 1(1) and (3) of the Privacy Act must be read together to determine whether a breach of an individual’s privacy occurred, and that “[t]he act must be wilful, without a claim of right, and the nature, incidence and occasion of the act and the relationship between the parties must be considered.” As the information relating to the sale was not embarrassing or particularly unique, the Court determined that the defendant did not wilfully reveal private information about the plaintiff or act with any other malicious intention. In this sense, Justice Griffin distinguished the case at bar from instances involving the disclosure of a medical condition (Hollinsworth (1998), 59 BCLR (3d) 121), something to which shame attaches (Watts v Klaemt, 2007 BCSC 662), or that is deeply personal (Griffin v Sullivan, 2008 BCSC 827).

The Takeaway

While the outcome of the case is a lawyer-friendly decision, the factual situation giving rise to the claim serves as a stark reminder to counsel with a tendency to engage in idle chit-chat during breaks in discovery. Although the information disclosed by the defendant (in this instance) was not “private” per se, a situation involving the communication of potentially embarrassing or personal information could very well leave a lawyer on the wrong side of privacy law (at least in BC) and susceptible to ensuing liability and litigation. The term “wilful” appears in most provincial privacy legislation.

Lawyers will also be relieved to know that the defence of absolute privilege has been confirmed to be available to them in the context of a breach of privacy action.


Cybersecurity Best Practices for Connected Cars Released

Posted in Cybersecurity, Internet of Things, Standards, Telematics
Kirsten Thompson

It has been predicted that by 2020, there will be a quarter billion connected vehicles on the road; Tesla founder Elon Musk is even more aggressive, predicting fully autonomous vehicles on the roads within two years. However, some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014 (see our previous blog post on the subject). The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. The Best Practices expand on the Framework for Automotive Cybersecurity published in January 2016 by the Alliance of Automobile Manufacturers (“Auto Alliance”) and the Association of Global Automakers (“Global Automakers”).

Previously, the Auto Alliance and the Global Automakers had published a set of “Consumer Privacy Protection Principles” to address vehicle technologies, but the document in many respects fell short of what was required by Canadian privacy laws.

Best Practice Framework

The framework covers seven major topic areas and is designed to help those engineering connected vehicles to create vehicles that are not only resistant to attack but also fail-safe (in other words, if an attack does succeed, the vehicle fails in a way that is safe, e.g. coming to a slow stop rather than a sudden halt). The topic areas are:

  • Governance: Effective governance practices include defined executive oversight for security, defined roles and responsibilities for cybersecurity within the organization, dedication of appropriate resources to cybersecurity and the establishment of governance processes to ensure compliance.
  • Risk Assessment and Management: In order to mitigate the impact of cybersecurity vulnerabilities, organizations are expected to standardize their processes to identify and manage risks and to monitor compliance by relevant stakeholders.
  • Security by Design: Cybersecurity features should be integrated into the design process by including security reviews in the development process, vulnerability testing, and validation of software updates.
  • Threat Detection and Protection: In order to proactively detect threats, automakers are expected to use consistent processes to identify vulnerabilities, use a risk-based approach to threat monitoring, and have a plan in place for vulnerability disclosure and updates.
  • Incident Response and Recovery: Automakers are expected to have an incident response plan with a dedicated incident response team that is periodically tested and evaluated to promote timely and appropriate action.
  • Training and Awareness: In order to create a culture of security, automakers are expected to establish training programs for stakeholders and educate employees on their security roles and responsibilities.
  • Collaboration and Engagement with Appropriate Third Parties: Since the connected car will involve interaction between the original equipment manufacturer and external vendors, having a policy in place for third parties that is regularly reviewed is an industry best practice.

Where the Rubber Meets the Road: Key Implications and Canadian Business

The release of the Auto ISAC best practices is a welcome step, but also raises several issues. The primary concern is the enforceability of the standards. Membership in the Auto Alliance, which runs the Auto ISAC, is voluntary, meaning there is no easy way to hold automakers accountable for implementing best practices. If an automaker believes the cost of implementing cybersecurity best practices exceeds the benefit of being part of the Auto Alliance, it can simply leave the Auto Alliance. The best practices are also limited in scope to “refer primarily to US light-duty, on-road vehicles”, which raises questions about whether they will be observed in Canada and other countries.

There are also questions about how feasible implementation of the best practices is. The Auto ISAC report gives no timeline for implementation and recognizes that there could be variations between different automakers. For example, one of the best practices identified is the creation of an incident response and recovery strategy, although many auto executives acknowledge that they have not considered how they would respond if their vehicles were hacked.

Automakers operating in Canada should be aware that the adoption of industry-specific cybersecurity standards does not mean that the Personal Information Protection and Electronic Documents Act (PIPEDA) does not apply, or that adoption of such best practices translates into compliance with PIPEDA. Industry codes, while helpful, cannot be used to substitute for compliance with Canada’s privacy legislation. Differences between PIPEDA and the Privacy Principles of the US Alliance of Automobile Manufacturers suggest that adopting the latter and applying a blanket approach to Canada may not be in the best interest of automakers or others in the auto industry. A tailored privacy management program that stays abreast of legal developments impacting automotive products is a more prudent approach.

* Arie van Wijngaarden is a JD/MBA student in McCarthy Tetrault’s Toronto office.

Payments Association Adopts Biometric Verification Specification

Posted in Authentication
Kirsten Thompson, Meghan S. Bridges

The Payments Association of South Africa (“PASA”), the payments system management body of that country, recently announced a new biometric verification specification, which is set to become the standard for biometric payments throughout South Africa. The new specification will facilitate biometric authentication on payment cards. Visa and Mastercard are partners in the initiative.

Typically, biometric authentication standards are particularized to the company or financial institution facilitating payment. The biometric standard accepted for authenticating payment at one vendor would not necessarily, or even generally, be the same as the standard accepted at another vendor. The PASA standard is designed to eliminate or at least minimize these discrepancies and permit authentication of a payment via the same biometric standard at any vendor.

Biometrics in Canada

Biometric authentication is not unique to South Africa. Closer to home, Tangerine recently re-released its mobile app for iOS, which includes biometric authentication features allowing users to protect their accounts via iris scan or vocal password. In the first quarter of 2016, the Bank of Montreal released a biometric corporate credit card in partnership with Mastercard, which relies on facial recognition and fingerprint biometrics.

Financial institutions are not the only groups interested in biometrics; the Canadian Border Services Agency is running a trial project with the federal Immigration Department to use biometric technology to catch individuals traveling with fraudulent documents. A waterpark in Ontario, realizing its swimsuit-clad patrons had few places in which to carry a wallet, employs cashless fingerprint payments.

Finally, as noted in recent CyberLex blog posts (here and here), provincial governments in British Columbia and Manitoba are investing in all-in-one identification technologies also targeted at improving identification and authentication for payments.

Considerations for Business

Biometric measures are appealing to businesses because they are convenient (no need to remember a PIN or enter a code) and they automatically identify people or verify their identity. However, biometric characteristics (such as fingerprints, voiceprints, retina scans and so on) are personal information under provincial and federal privacy laws and, as such, must be treated in accordance with those privacy laws. One of the chief concerns is that biometric information collected for one purpose (e.g. payment account identity verification) will be employed for another (e.g. routine surveillance, storage to be matched against future samples, targeted advertising, etc.).

In biometrics, the potential for multiple uses arises from the fact that biometric characteristics are relatively permanent and highly distinctive, making them a convenient identifier that is both constant and universal. These characteristics are difficult, if not impossible, to change, which heightens the need to protect this type of information. While the breach of a database of PINs is problematic, at the end of the day, the PINs can be changed; a breach of a database of DNA or fingerprints does not permit such risk mitigation.

The Privacy Commissioner of Canada has suggested businesses ask themselves four questions before undertaking a biometric system:

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Would the loss of privacy be proportionate to the benefit gained?
  4. Is there a less privacy-invasive way of achieving the same end?

Companies have run into difficulties where they have deployed biometrics in the context of identification for exams and facial recognition for surveillance or marketing.


For more information about our firm’s Fintech expertise, please see our Fintech group’s page.