Insights on cybersecurity, privacy and data protection law

McCarthy Tétrault Acquires Wortzmans, Canada’s Leading e-Discovery Law Firm

Posted in E-Discovery

On January 4, 2017, McCarthy Tétrault announced it had acquired Wortzmans, Canada’s leading e-discovery law firm.

This acquisition marks another first for McCarthy Tétrault and solidifies its role as an innovative leader in the legal market. The Wortzman team will be integrated into McCarthy Tétrault and Susan Wortzman will join the firm as an equity partner. Wortzmans will continue to operate as a separate e-discovery and managed review service for its clients.

“This announcement is tremendously exciting for our firm,” said Matthew Peters, McCarthy Tétrault’s National Leader of Innovation. “By partnering with Wortzmans, McCarthy Tétrault is putting forward a clear vision for the future of e-discovery, information governance and legal technology strategies. This partnership is an exciting market differentiator – it increases our global reach and strengthens an already powerful platform and market position.”

“Our clients are at the root of what we do and how we do it,” said Dave Leonard, McCarthy Tétrault CEO. “By bringing Wortzmans to our firm, we will be able to focus even more on ensuring we deliver our clients the very best service, even more efficiently and with a greater focus on innovation, technology and results.”

“My team and I are thrilled to be joining McCarthy Tétrault,” said Susan Wortzman. “Together, we can deliver collaborative, innovative and high-quality client services and efficiencies. The future of information and data management in the legal industry in Canada is changing rapidly. With new technologies and more effective, efficient ways to serve clients, our new partnership continues McCarthy Tétrault’s history of cutting-edge innovation.”

About McCarthy Tétrault

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in London, UK.

Built on an integrated approach to the practice of law and delivery of innovative client services, the firm brings its legal talent, industry insight and practice experience to help clients achieve the results that are important to them.

About Wortzmans

Wortzmans is one of the first law firms in North America to specialize in the complexities of technology and the law. Since 2007, the firm has provided clients with expert advice and guidance in the areas of e-discovery, information governance and technology strategies.

Susan Wortzman is one of Canada’s most respected e-discovery lawyers. Her practice focuses on providing e-discovery and information management advice to law firms and corporations. She works extensively with clients on litigation, tribunal and regulatory matters, including Competition Bureau matters. Susan Wortzman also advises on information governance and privacy issues.


Fintech Regulatory Developments: 2016 Year in Review

Posted in FinTech
Kirsten Thompson, Ana Badour, Heidi Gordon, Laure Fouin, Jessica Firestone

This year was a tremendously active year for Fintech in Canada and internationally, and 2017 promises to be even more so.  In the Fall of 2016, we co-authored a comprehensive report together with the Digital Finance Institute, “FinTech in Canada: British Columbia Edition” on the state of the Canadian Fintech ecosystem, highlighting a number of the then-current industry and regulatory developments.  As we head into 2017, we provide a brief summary of some of last year’s Fintech regulatory developments in Canada and globally, and some developments to watch for in the upcoming year.

Canada – Federal

In May 2016, the Competition Bureau announced the launch of a market study on Fintech.  This study is intended to explore whether regulatory reform is necessary to promote innovation while also ensuring consumer confidence.  The Competition Bureau is expected to publish its report in the Spring of 2017.

On August 26, 2016, the Department of Finance Canada announced its launch of a two-stage consultation process on the federal financial sector legislative and regulatory framework.  It provided a consultation document containing an overview of the landscape of the Canadian financial sector and describing the current trends and regulatory environment in Canada.  The Department of Finance Canada asked stakeholders to provide those submissions by November 15, 2016 as part of the first stage of its consultation process.  Those submissions will shape the policy paper that it will publish in 2017 as part of the second stage of its consultation process.

A number of other developments also occurred that have affected or will affect Fintech entities. On the payments front, Payments Canada is currently undertaking a project to modernize the Canadian payments system, as detailed further in its consultation paper issued in April 2016. There were also a number of developments with respect to anti-money laundering (“AML”) requirements in Canada, including the issuance of amendments and new guidance with respect to identification requirements and dealing with politically exposed persons. In addition, the Financial Action Task Force released its Mutual Evaluation Report for Canada in September 2016. While the report indicated that Canada’s existing AML regime is generally strong, it noted that the quality of AML practices lags in a number of sectors, including in money services businesses. It also identified open loop prepaid cards, white label ATMs and virtual currencies as inadequately covered by the AML regime and stated that upcoming amendments to the AML regime will be introduced to address these.

With the increase in electronic and digital payments, the Office of the Privacy Commissioner of Canada (the “OPC”) began to take an interest in this area as well, recently publishing a consumer guide to privacy considerations with respect to a number of different payment mechanisms.  The stakes could be higher in 2017 for companies using personal information, as it is widely expected that the draft regulations for the federal privacy legislation in respect of mandatory breach reporting, recordkeeping, and penalties will be published, and potentially implemented shortly thereafter.  Finally, subsequent to the OPC’s consultation and review of consent to the use of personal information (particularly in the context of data analytics and big data, both of which underlie many Fintech initiatives), we expect that the OPC will make recommendations to Parliament on this issue.  These issues will become increasingly important in the financial sector as both incumbents and newer entrants seek to share personal information, either on a proprietary basis or via an Open Application Program Interface (“API”) model.


In January 2016, a new equity crowdfunding regime came into effect in Ontario (with similar regimes introduced in Québec, Manitoba, New Brunswick and Nova Scotia).  It gave companies access to a bigger pool of investors by allowing them to raise money online through a registered crowdfunding portal from Canadians looking to make equity investments.  Under this regime, Ontario “everyday investors” can make crowdfunding investments of up to $2,500 per investment (capped at $10,000 annually) and Ontario accredited investors (i.e. those who meet certain asset and income thresholds) can make crowdfunding investments of up to $25,000 per investment (capped at $50,000 annually).

In October 2016, the Ontario Securities Commission (the “OSC”) launched OSC LaunchPad, the first Fintech hub for a Canadian securities regulator, seeking to engage with Fintech companies to help them navigate securities regulation and support them through the authorization process.  The OSC also announced it had signed an agreement with Australia’s financial regulator to allow Fintech companies based in Ontario and Australia to leverage the combined resources of the Ontario and Australian regulators as the companies look to operate in the other’s market.

The OSC also announced in November 2016 that it was seeking applications for a Fintech advisory committee.

Additionally, the OSC had an active year of working directly with Fintech companies to help pave the way for them to operate within the existing regulatory framework imposed by the OSC.  Vault Circle (a subsidiary of Lendified) became Canada’s first digital lending platform to receive an exempt market dealer license from a Canadian securities regulator.  That license enables Vault Circle to present lending opportunities to Ontario investors who qualify as accredited investors.  Lending Loop became registered as an exempt market dealer in Ontario (and all other Canadian provinces), enabling Lending Loop to operate a peer-to-peer lending platform that connects small businesses seeking financing with Canadian investors (who need not be accredited investors) looking for alternative investing opportunities.  AngelList received novel exemptive relief from the OSC, enabling it to operate (under a two-year trial program) a platform that brings together syndicates of investors with startup companies in need of financing, provided the investors and startups each meet certain criteria imposed by the OSC.

In addition, Ontario reiterated its intention to proceed with a new provincial financial services regulator, the Financial Services Regulatory Authority of Ontario, which will replace and consolidate existing regulators in the financial services space.  It announced consultations to identify any “unclear, outdated, redundant or unnecessarily costly” financial services or insurance regulation in Ontario.  The consultation process will remain open until January 31, 2017, and the Ontario Government will publish its findings on July 31, 2017.


In June 2016, the Québec Autorité des marchés financiers (“AMF”) announced that it created a Fintech working group mandated with analyzing technological innovations in the financial sector and anticipating regulatory, market efficiency and consumer protection issues.  Québec follows an integrated regulator model, thus the AMF oversees insurance, deposit institutions, securities, derivatives, distribution of financial products and services, as well as the financial planning sectors.  The AMF Fintech working group can examine how Fintech impacts all of these sectors individually and as a whole.  The AMF announced the eleven members of the AMF Fintech working group in December 2016; in line with the group’s focus on engaging with the industry, most of the members represent industry stakeholders involved in financial sector technological innovations.


Globally, the major development in 2016 was the increasing popularity of “regulatory sandboxes”, which seek to create a regulatory “safe space” in which businesses that qualify can test innovative products and services without immediately incurring all the normal regulatory consequences of engaging in such activity.  The United Kingdom’s Project Innovate for example features a regulatory sandbox, as well as an advice unit and an innovation hub.  A number of other jurisdictions also moved forward with regulatory sandboxes, including Australia, Switzerland, Singapore and Hong Kong.

There were a number of important developments in the United States in 2016 as well.  In particular, on December 2, 2016, the Office of the Comptroller of the Currency (the “OCC”) announced that it would move forward with considering applications from Fintech companies to become special purpose national banks.  The OCC published a paper discussing the issues and conditions that it will consider in connection with such applications.  Comments on the paper are due on January 15, 2017.  In addition, the Consumer Financial Protection Bureau (the “CFPB”) also has in place its Project Catalyst aiming to promote consumer-friendly innovation and is engaging with key stakeholders and other government agencies and hosting “office hours” as outreach for the Fintech community.  The Director of the CFPB also made headlines at Money20/20 when he endorsed the concept of “open data” in the financial context and stated that the CFPB is “gravely concerned” that financial institutions are limiting or shutting off access to financial data, rather than “exploring ways to make sure that such access…is safe and secure.”

What to Watch for in 2017

  • The Competition Bureau is expected to publish the results of its market study in the Spring of 2017.
  • The Department of Finance is expected to release its policy paper on the federal financial sector legislative and regulatory framework in 2017.
  • Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”) may be introduced in 2017 in respect of, among other things, open loop prepaid cards and virtual currencies. In particular, the PCMLTFA was previously amended in 2014 to specifically extend the definition of “money services businesses” to include “persons dealing in virtual currencies”, but the regulations implementing this change remain outstanding, even as virtual currencies have become more popular.
  • In Europe, the first real steps toward implementing the Directive on Payment Services (“PSD2”) Access-to-the-Account provisions will occur in 2017. The provisions will require banks to provide standardized API access to third parties under the auspices of the European Banking Authority.  This is a significant shift toward the creation of an Open Banking ecosystem.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

Blockchain And Privacy: Transparency And Innovation Pose Challenges for Data Protection

Posted in FinTech, Privacy
Anaïs Galpin, Charles Morgan

A blockchain is a peer network of nodes that share a distributed ledger, which can be used to track transactions involving value, including money, votes, property, etc. The most well-known application of blockchain technology is bitcoin. Transactions on a blockchain are not regulated by any central counterparty: the individuals involved in a given transaction provide their information (including personal information), and a record is created that can be verified by nodes in the network. In this sense, the users forming the community act as their own regulators.

In its openness, blockchain technology is full of new opportunities to transact in different ways. However, in the case of a public blockchain, in order to allow security and certainty, every transaction is recorded on a publicly available ledger and the disclosed transaction information is unalterable. This latter rule is one of the most fundamental in the functioning of blockchain. Indeed, data can only be added to a blockchain, rather than removed (as each node contains a replication of the blockchain). If a change is applied to a node, such change would be rejected by the other nodes in the network. This provides great certainty over time within the chain of transactions. Altering a node would be like activating a time machine: it is impossible not to change the present if you alter the past; the entire chain of information is thus modified.

Although the above is justifiable from a technological standpoint (and can even facilitate anti-money laundering measures), blockchain’s inalterability can raise issues for individuals who wish to protect their privacy (including as regards the nascent and evolving “right to be forgotten”, which is recognized in some jurisdictions). For example, what is an individual supposed to do if the publicly disclosed information she provided in order to complete a transaction becomes inaccurate or if the publicity of her information one day creates an important risk to her safety? Changes in people’s lives could trigger this individual need for an alteration of the information stored in blockchain ledgers, such as insolvency, criminal records, change of name, change of gender, etc. As such, given the decentralized nature of blockchain, how could a court order a change in blockchain the same way it would order a web page to disappear from Google search results?

In this regard, a distinction should be made between anonymity and privacy. Some have argued that bitcoin, even though not private, is anonymous. Indeed, the email address provided when registering for a Bitcoin transaction may be any email address and as such, the link to personal information of the user, such as his name or birth date, may be avoided. However, bitcoin is more accurately described as pseudo-anonymous. As the Office of the Privacy Commissioner explained in one of its few publications on the topic of digital payments and privacy:

…some people suggest virtual currencies can be used to make purchases anonymously. This isn’t necessarily true because the digital trail associated with these currencies can still be tied to an individual, although the trail usually consists only of transaction records rather than personal information. To set up an account in order to use these virtual currencies, however, you may be required to provide some personal information, such as your name, credit card information, banking information, driver’s licence, utility bill or even passport information. While the anonymity of digital currencies may limit the exposure of details related to your payment information, retailers can still combine your purchase information with other information they have such as your name, email address, purchase history or rewards/loyalty points you have with the store.

Even though some technological solutions are under consideration to address privacy challenges with respect to the use of blockchains and to design blockchains that are protective of privacy (such as data encryption or the use of timestamps for information held elsewhere), there could still be a potential benefit to regulatory guidance on privacy matters relating to blockchain technology.
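The following is an added illustration, not part of the original post and not the implementation of bitcoin or of any particular blockchain. It shows why an altered replica is rejected by the other nodes, and one possible reading of the “information held elsewhere” approach, in which only a salted hash and a timestamp are written to the ledger. The function names, the peer-comparison rule and the sample records are assumptions constructed for this example.

```python
import copy
import hashlib
import json
import os

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def commit(record: dict, salt: bytes) -> str:
    """Salted hash of a personal record; only this value is written on-chain."""
    return sha256_hex(salt + json.dumps(record, sort_keys=True).encode())


def block_hash(block: dict) -> str:
    body = {k: block[k] for k in ("index", "timestamp", "commitment", "prev_hash")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def append_block(chain: list, commitment: str, timestamp: str) -> None:
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "commitment": commitment,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    block["hash"] = block_hash(block)
    chain.append(block)


def first_invalid(chain: list):
    """Index of the first block whose hash or back-link is wrong, else None."""
    prev = GENESIS
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return block["index"]
        prev = block["hash"]
    return None


def rewrite_history(chain: list, index: int, new_commitment: str) -> list:
    """Copy of the chain with one past block changed and all later hashes redone."""
    forged = copy.deepcopy(chain)
    forged[index]["commitment"] = new_commitment
    for i in range(index, len(forged)):
        if i > 0:
            forged[i]["prev_hash"] = forged[i - 1]["hash"]
        forged[i]["hash"] = block_hash(forged[i])
    return forged


def accepted_by_peers(candidate: list, peers: list) -> bool:
    """Assumed rule: a replica must be internally valid and match the peers' tip."""
    if first_invalid(candidate) is not None:
        return False
    return all(candidate[-1]["hash"] == peer[-1]["hash"] for peer in peers)


def check_record(chain: list, index: int, store: dict) -> str:
    """Check an off-chain record against its on-chain commitment."""
    entry = store.get(index)
    if entry is None:
        return "erased"
    record, salt = entry
    ok = commit(record, salt) == chain[index]["commitment"]
    return "verified" if ok else "mismatch"


def demo() -> dict:
    # Constructed sample data: names, amounts and timestamps are invented.
    records = [
        {"payer": "A. Example", "payee": "Shop 1", "amount": 40},
        {"payer": "B. Sample", "payee": "Shop 2", "amount": 15},
        {"payer": "A. Example", "payee": "Shop 3", "amount": 7},
    ]
    chain, store = [], {}
    for i, record in enumerate(records):
        salt = os.urandom(16)
        store[i] = (record, salt)  # personal data stays off-chain
        append_block(chain, commit(record, salt), f"2016-12-0{i + 1}T12:00:00Z")
    peers = [copy.deepcopy(chain), copy.deepcopy(chain)]

    replacement = commit({"payer": "redacted"}, b"constructed-salt")
    edited = copy.deepcopy(chain)
    edited[1]["commitment"] = replacement      # naive in-place edit
    forged = rewrite_history(chain, 1, replacement)  # consistent rewrite

    before = check_record(chain, 1, store)
    del store[1]  # erase the off-chain record and its salt
    return {
        "edit_detected_at": first_invalid(edited),
        "forged_internally_valid": first_invalid(forged) is None,
        "forged_accepted": accepted_by_peers(forged, peers),
        "honest_accepted": accepted_by_peers(chain, peers),
        "record_before_erasure": before,
        "record_after_erasure": check_record(chain, 1, store),
        "chain_valid_after_erasure": first_invalid(chain) is None,
    }


if __name__ == "__main__":
    print(demo())
```

In this sketch the ledger itself never changes when the off-chain record is erased; what is lost is the ability to link the remaining commitment back to the individual.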

Regulatory developments in respect of digital currencies in Canada have to date mostly been limited to anti-money laundering and taxation matters. However, there is a growing interest in blockchain technology in Canada by various industries including major financial institutions and the Bank of Canada, which is running experiments on interbank payment systems “to build a proof of concept wholesale interbank payment system using a distributed ledger”, as stated by Deputy Governor Carolyn Wilkins.

In addition, certain securities regulators (such as the OSC and the AMF) are in the process of forming committees to consider Fintech matters.  In this context, ensuring data protection in connection with the use of blockchain technology could become an important regulatory consideration going forward.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.

Transport Canada Launches Online “Drone Incident” Reporting Tool

Posted in Regulatory Compliance, UAVs
Kirsten Thompson

Transport Canada has announced the launch of a new incident-reporting tool “to keep Canadians safe from reckless drone use.”

The new online reporting tool will allow people to report drone “incidents” from their mobile phones and will help Transport Canada “gather valuable information that will assist inspectors with investigations.” It serves as a single-entry-point for drone incident reporting but is not intended to replace the existing official aviation incident reporting systems, such as the Civil Aviation Daily Occurrence Reporting System (CADORS).

Along with basic information such as date and location of the incident, the online form asks the following questions:

  • Was the drone flying near an aircraft?
  • Was the drone flying at a high altitude?
  • Was the drone flying close to an airport/aerodrome (helipad, heliport, seaplane base, etc.)? and
  • Did the drone fly close to or over the following zones? (such as a populated area; home/private property; crowd (sporting event, concert, festival); forest fire; moving vehicles, highways, busy streets, bridges, etc.)

Complainants are also asked to provide a description of the drone (helpful drone silhouettes are provided) and a description of the operator. The form also asks the complainant whether they have “gathered evidence” such as photos or video. Complainants have the option of reporting anonymously.

In the last twelve months, Transport Canada has increased its scrutiny and supervision of drones (also known as unmanned air vehicles (UAVs)) and, according to its backgrounder on the issue, has focused on a number of key areas, including:

Revising and/or increasing regulations for drone operators: In spring 2017, Transport Canada will publish proposed regulations in Canada Gazette, Part I, for small drones (25 kilograms or less) that are operated within visual line-of-sight. This category of drone was previously exempt from specific regulation. Transport Canada has said that the proposed changes will introduce more flexible and clear rules for all drone operators. The public will have the opportunity to comment on the proposed regulations before they come into force. Proposed changes include:

  • new flight rules
  • aircraft marking and registration requirements
  • knowledge testing
  • minimum age limits
  • pilot permits for certain UAV operations

Simplifying rules for commercial operators with two new exemptions:  Commercial and research drones were already subject to regulations, but Transport Canada will issue two new UAV exemptions for non-recreational operators that will replace the existing exemptions, which expired on December 21, 2016. These new exemptions will allow UAV operators flying for work or research to conduct lower-risk operations without having to apply for a Special Flight Operations Certificate (SFOC). The new exemptions will allow operators to fly closer to built-up areas and smaller aerodromes as long as they comply with strict safety conditions and notify Transport Canada before flying. Detailed information regarding the new exemptions will be available on TC’s drone safety webpage when the exemptions come into effect on December 22, 2016;

Announcing a new commercial drone test site in Alberta: On November 3, 2016, the Minister announced that the Village of Foremost, Alberta together with the Canadian Centre for Unmanned Vehicle Systems (CCUVS) in Lethbridge, Alberta had established the Foremost Centre for Unmanned Systems based out of the Foremost Aerodrome. The site will support research and development and provide the industry with dedicated, restricted airspace where they can test UAVs beyond visual line of sight;

Partnering with retailers to provide safety information at the point-of-sale: Participating manufacturers have agreed to include a Transport Canada safety card with every drone they sell. Participating retailers have agreed to provide a link to the department’s drone safety webpage on their respective websites; and

Launching a “No Drone Zone” public awareness campaign: In June, 2016 the Ministry launched a No Drone Zone public awareness campaign that focused on partnering with airports and other organizations to educate Canadians about drone safety. Transport Canada also introduced “No Drone Zone” signs and has worked with 20 organizations to install over 100 of these signs in and around airports, the backgrounder said.


According to Transport Canada, anyone who operates a drone in a reckless and negligent manner, violates controlled or restricted airspace, or endangers the safety of manned aircraft could face fines of up to $25,000 and/or jail time. If an operator does not follow the requirements of their SFOC, Transport Canada can issue fines of up to $3,000 for an individual and $15,000 for a business.


Document Discovery and Native Documents – Document Production Must be “Usable”

Posted in E-Discovery
Nolan Hurlburt

The recent Alberta case of Bard v. Canadian Natural Resources, 2016 ABQB 267 provides a road map for compelling the production of native electronic documents in “usable” form.

In the underlying claim, the plaintiffs alleged that the defendants (“CNRL”) had improperly accounted for credits and debits deposited to an account, which determined the plaintiffs’ (“Devon”) share of the proceeds from a joint oil sands project.

In court, Devon sought the native production of a number of categories of documents, including spreadsheets, electronic financial database records, certain financial records and other documents requested by Devon’s expert.

CNRL resisted the production on the basis of materiality and relevance. CNRL also argued that the documents had already been produced in a “usable” TIFF format and, importantly, CNRL had complied with the agreed upon document production protocol.

Devon countered that one-thousand-page-long TIFF representations of spreadsheets were not capable of being manipulated and analyzed efficiently and omitted relevant metadata and formulas present in the native files.

In granting Devon’s requested order, the Court held that document production must be meaningful in the circumstances. In the age of dynamic multi-dimensional electronic documents, this will often mean in native format. With respect to the Excel spreadsheets, having the spreadsheets with their underlying mathematical formulas intact was “the only way to be certain as to how certain cells were calculated. These formulas would help to significantly prove facts directly in issue, e.g. that certain costs were or were not indirectly charged to the Carried Account and/or that those costs were miscalculated.”

The potential requirement to produce native documents should be kept in mind when considering the preservation of dynamic documents in connection with litigation, particularly where changes to metadata or programmatic information could occur.

The decision provides a number of takeaways for litigants advancing or opposing the production of native documents:

  • Documents in native format may be compellable, notwithstanding that they have been produced in a different format (e.g. PDF or TIFF) and/or in compliance with an agreed upon document production protocol.
  • Full databases such as financial databases may be compellable, even where summaries of the relevant data have been produced.
  • A party seeking the production of native documents should provide evidence of the necessity of the documents and the deficiencies of the existing production.
  • A party defending the production of native documents should provide non-speculative evidence of the costs of producing the documents being sought.
  • An independent expert’s opinion with respect to documents required for their analysis is compelling.

Whether advancing or defending such an application, Principle 2 of the Sedona Canada Principles provides a useful structure for such applications. The principle sets out that document production should be proportionate, taking into account:

  • the importance and complexity of the issues and interests at stake and the amounts in controversy;
  • the relevance of the available electronically stored information;
  • the importance of the electronically stored information to the Court’s adjudication in a given case; and
  • the costs, burden and delay that the discovery of the electronically stored information may impose on the parties.

No Right to Compel Predictive Coding/Technology Assisted Review (TAR)

Posted in E-Discovery
Nolan Hurlburt

A recent decision of the United States District Court, Northern District of California affirmed that a litigant has no right to compel the other party to use technology assisted review (“TAR”) or predictive coding* to identify relevant documents.  (See also Hyles v. New York City, 2016 WL 4077114, at *2-3 (S.D.N.Y. Aug. 1, 2016); and In re Biomet M2a Magnum Hip Implant Prod. Liab. Litig., 2013 WL 1729682, at *2-3 (N.D. Ind. Apr. 18, 2013)).

In seeking an order compelling the Defendant Pfizer, Inc. (“Pfizer”) to use predictive coding/TAR, the Plaintiff argued that predictive coding/TAR is a more sophisticated tool than the traditional application of keyword search terms and sought to have representatives of both parties involved in the process of developing the search process.  The Plaintiff said this would save time and money for both sides.

Pfizer proposed an alternative method, which involved the iterative application of search terms and “rigorous sampling” to verify results.  Pfizer agreed to share proposed search terms with the Plaintiff in advance, to apply search terms agreed upon by both sides and to consider the inclusion of any other search terms proposed by the Plaintiff.

In refusing to compel Pfizer to participate in the Plaintiff’s TAR-based process, the Court noted that there is no precedent for ordering a party to engage in technology assisted review and that the party itself is best situated to decide how to search for and produce information responsive to discovery requests.

As the court reasoned in Hyles, the responding party is the one best situated to decide how to search for and produce electronically stored information responsive to discovery requests. As such, the responding party (citations omitted):

“can use the search method of its choice. If [the propounding party] later demonstrates deficiencies in the . . . production, the [responding party] may have to re-do its search. But that is not a basis for Court intervention at this stage of the case.” Id. “[I]t is not up to the Court, or the requesting party . . ., to force the . . . responding party to use TAR when it prefers to use keyword searching. While [the propounding party] may well be correct that production using keywords may not be as complete as it would be if TAR were used . . ., the standard is not perfection, or using the “best” tool . . ., but whether the search results are reasonable and proportional.”

Although predictive coding and other forms of technology assisted review are firmly established in the jurisprudence as acceptable processes of identifying responsive electronically stored information (ESI) (See Da Silva Moore v. Publicis Groupe, 2012 U.S. Dist. LEXIS 23350 (SDNY, Feb. 24, 2012)), the Court noted the absence of any basis on which it could make the order sought in absence of any evidence that Pfizer’s preferred method would produce or has produced insufficient discovery responses.

In short, litigants seeking a cooperative predictive coding/TAR-based discovery process will need the agreement of the other party – at least in the US. Alternatively, organizations must be prepared to present evidence as to why the other party’s preferred process will produce inadequate results. Expert evidence relating to the nature of the document set and fallibility of keyword search terms in the specific circumstances may be useful in this regard.

*TAR, or predictive coding, is the use of keyword search, filtering and sampling to automate (usually via machine learning) portions of an e-discovery document review. The goal of predictive coding is to reduce the number of irrelevant and non-responsive documents that need to be reviewed manually.

Supreme Court Renders Landmark Privacy Decision in Royal Bank of Canada v. Trang

Posted in Privacy
Daniel G.C. Glover, Kirsten Thompson, Barry Sookman, Renee Reichelt, Charles Morgan

The Supreme Court of Canada released a landmark decision today giving important guidance on how Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), should be interpreted. In Royal Bank of Canada v. Trang, 2016 SCC 50, the Court ruled that courts can use their inherent jurisdiction to make orders permitting disclosures of personal information, including personal information contained in mortgage discharge statements. The Court also ruled that disclosures of personal information in such statements are permitted based on the implied consent of the mortgagor. Further, the Court held that while PIPEDA is consumer protection legislation for the digital age, it must be interpreted in a balanced way to facilitate the collection, use and disclosure of personal information by businesses.

Chatbots, Open Data and Sandboxes: Trending Topics from the 2016 Money20/20 Conference

Posted in AI and Machine Learning, Financial, FinTech, Mobile Payments, Privacy
Kirsten Thompson, Ana Badour, Matthew Flynn, Claire Gowdy

With 10,000+ attendees, including more than three thousand companies from seventy-five countries, Money20/20 is the largest annual global event focusing on payments and financial services innovation. The 2016 conference in Las Vegas this October featured a packed agenda of talks by industry and thought leaders on a broad range of current and emerging Fintech issues, as well as an exhibition area featuring Fintech companies, investors, incubators, venture capitalists, consultants, regulators and lawyers. A team of McCarthy lawyers attended again this year and report back on some of the hottest topics of the 2016 conference: machine learning and artificial intelligence (AI), open data and regulatory sandboxes/innovation hubs.

  1. Machine Learning and AI. One of the next ‘next things’ creating a buzz at the conference was the integration of machine learning and artificial intelligence tools in the provision of financial services. “What will banking be in two, three or four years? It’s going to be this,” asserted Michelle Moore, head of digital banking for Bank of America, as she introduced BofA’s new chatbot named Erica at Money20/20. Ms. Moore was not alone at Money20/20 in her obvious excitement about the promise of financial chatbots – tools that will permit the bank to interact with its customers through text messages or services such as Facebook Messenger and Amazon’s Echo. MasterCard also announced MasterCard KAI, a bot for banks that will put the company’s services on messaging platforms and enable consumers in the United States to inquire about their accounts, review banking history, monitor spending levels, learn about MasterCard cardholder benefits, receive contextual offers through integration with MasterCard Priceless experiences, and get help with financial literacy. Thinking Capital, the Montreal-based online lender to small businesses, has also launched a financial chatbot named Lucy. Thinking Capital says Lucy was the first chatbot among Fintechs in North America.

    Chatbots are automated chat programs that use artificial intelligence to draw in data and translate it into understandable responses, akin to Siri, Apple’s interactive voice tool. Although the technology is not restricted to financial services, it’s clear that many financial industry stalwarts and startups alike are placing big bets on it.

    The customer-centric expression of this technological promise is that machine learning will, as described in the Money20/20 session Machine Learning & AI Powering Next Gen CX in Financial Services, “…raise the customer experience benchmark in financial services.” But it’s not all about the customer; another promising aspect of chatbots for financial institutions is reducing the cost of customer support.

    Notwithstanding the promising aspects of the technology, as financial chatbots scale in number and functionality, associated legal and regulatory issues will certainly likewise scale. For example, a text messaging platform may not be secure enough to handle the sensitive nature of consumers’ financial information, giving rise to consumer privacy and protection issues. Consumer protection and competition concerns may also arise with chatbots that are affiliated with certain financial institutions, preventing them from giving unbiased advice about financial products and entities, and helping them to lock in customers using – and hoarding – accumulated data.

  2. Open Data. Another major theme emerging from Money20/20 2016 was the concept of ‘open data’ and ‘open banking’. Open Banking is an emerging term in financial services / financial technology that refers to, among other things, the use of open application programming interfaces (or “APIs”) that enable third party developers to build applications and services for the financial institution. It is predicated on the principle that personal information of customers (such as account and transaction information) should, with consumer consent, be made freely available to third parties, who can then use this data to create new tools to increase consumer financial data access as well as competition among participants in the financial ecosystem.

    The Director of the US Consumer Financial Protection Bureau (“CFPB”) made headlines when he endorsed open data in the financial context. In his Money20/20 remarks, the Director stated that the CFPB is “gravely concerned” that financial institutions are limiting or shutting off access to financial data, rather than “exploring ways to make sure that such access…is safe and secure.” He concluded with the point: “Let me state the matter as clearly as I can here: We believe consumers should be able to access this information and give their permission for third-party companies to access this information as well.” These comments reflect a similar push (mandated by legislation) in the EU (the adoption by the European Parliament of the revised Directive on Payment Services or “PSD2”) and the UK (Open Banking Working Group) to require Open Banking.

    The financial services sector has been traditionally a data-intensive industry and the advent of ‘big data’ analytic techniques has created a new landscape for businesses based on data technologies: equity platforms based on crowdfunding, new platforms that match lenders with borrowers in innovative ways, data visualisations tools to follow companies, suppliers and clients, and a whole range of new payment systems based on mobile and cloud technologies. These transformative players include early innovators as well as established financial institutions which provide big data-related services that are shaking up the traditional financial markets.

  3. Regulatory Sandboxes, Innovation Hubs and the Fintech Charter. The issue of how regulators should respond to Fintech innovation, and to what extent they can encourage innovation, was the final hot topic of the conference. Regulatory approaches to Fintech were discussed in depth at a panel featuring the Director of the CFPB and by the Head of Project Innovate from the UK’s Financial Conduct Authority (FCA).

    The Head of Project Innovate described the nature and status of the UK’s Project Innovate, which features a regulatory sandbox (which seeks to create a regulatory “safe space” in which businesses that qualify can test innovative products and services without immediately incurring all the normal regulatory consequences of engaging in such activity), as well as an advice unit and an innovation hub. The FCA accepted 24 applications to the regulatory sandbox (out of a total of 69 applications) as part of the first cohort of applicants and this first cohort is expected to begin testing shortly. More detail on the first cohort is available here.

    In the US, the CFPB has launched Project Catalyst, aimed at promoting consumer-friendly innovation. Project Catalyst involves the CFPB engaging with key stakeholders, coordinating with other government agencies and an “office hours” program of outreach to the Fintech community. In addition, the Office of the Comptroller of the Currency (OCC) has been considering the creation of a national limited purpose Fintech charter. While the approach has drawn praise from some within the Fintech community, some state regulators and consumer protection groups have been critical of the national Fintech charter concept, suggesting that a federal charter would likely preempt state laws on interest rates and impair the ability of states to protect less sophisticated retail consumers. The OCC has also recently issued a white paper outlining its recommendations for a responsible innovation framework. However, the recent US election could impact these various initiatives, given statements made by President-Elect Donald Trump during the presidential campaign, in particular in respect of the role of the CFPB.

    In Canada, as in the US, legislative authority over financial services lies with both the federal and provincial governments. The mix of federal and provincial jurisdiction over Fintech matters in Canada and in the US adds to the regulatory complexity of regulating and fostering Fintech in these jurisdictions. Notably, in Canada, the OSC recently announced that it will be taking steps to help Fintech entities navigate the regulatory framework, through its innovation hub called “OSC Launchpad”, which was unveiled on October 24, 2016. Read more about the OSC Launchpad here.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.

Privilege and Privacy in the Context of Company Email: Recent Canada vs US Cases

Posted in E-Discovery
Krupa Kotecha

Peerenboom v Marvel Entertainment (2016 NY Slip Op 31957(U)) is a drama-driven case in which the New York County Supreme Court afforded Toronto businessman Harold Peerenboom the right to obtain the private emails of Isaac Perlmutter, the CEO of Marvel Entertainment Inc (“Marvel”). Perlmutter had claimed privilege over the emails; Peerenboom – who ultimately prevailed – argued that Perlmutter had sent them via his work email server and, in doing so, had waived privilege.

The Factual Background

The dispute between the two men centered on the management of the tennis club at the individuals’ exclusive compound in Palm Beach, Florida, where both men vacation over the winter. Following the dispute, anonymous letters defaming Peerenboom (and falsely accusing him of child molestation and murder) were sent to persons living and working at the luxury condominium complex where the two men reside.

Peerenboom commenced an action in the Circuit Court of Palm Beach County, Florida, alleging that Perlmutter and his wife were the persons responsible for sending the defamatory letters. Since Perlmutter allegedly utilized Marvel’s email server for his electronic communications (in his capacity as CEO of the company) Peerenboom issued subpoenas in a Florida action and addressed these subpoenas to Marvel to obtain any communications sent and received by Perlmutter or his wife through Marvel’s email server that were referable to Peerenboom and others involved in the dispute.

As Marvel’s principal office is in New York, Peerenboom thereafter commenced the proceeding against Marvel to enforce the subpoenas in New York County. Despite not being named as a party to the proceeding, Perlmutter submitted three separate motions for a protective order, alleging that the emails sought by Peerenboom were protected from disclosure by various privileges, such as: the attorney-client privilege, the work-product privilege, the common-interest privilege, a purported accountant-client privilege, a limited principal-agent privilege, and the marital privilege.

Peerenboom opposed the motions, contending that Perlmutter waived all privileges, inasmuch as Perlmutter sent or received the emails on Marvel’s server. Marvel’s written computer usage handbook includes the following provision:

“[H]ardware, software, email, voicemail, intranet, and Internet access, computer files and programs—including any information that you create, send, receive, download, or store on Company assets—are Company property and [the Company] reserve[s] the right to monitor their use, where permitted by law to do so” [emphasis added].

The Decision

Justice Nancy Bannon, writing for the New York Supreme Court, held that Perlmutter had not satisfied the burden imposed on a person asserting any form of privilege, namely to show that the information sought was immune from disclosure. Furthermore, the Court held that, “since privileges shield from disclosure pertinent information, and therefore constitute obstacles to the truth-finding process, they must be narrowly construed.”

In particular, Justice Bannon held that Perlmutter did not have a reasonable expectation of privacy in connection with electronic messages sent and received on Marvel’s server, and consequently waived the attorney-client and work-product privileges in connection with them. The Court agreed with Peerenboom that the use of a proprietary email system, subject to a computer usage policy such as that adopted by Marvel, constituted a waiver of any privilege that would otherwise be unilaterally asserted in instances of otherwise confidential communication.

Consequently, Perlmutter’s claims pertaining to attorney-client privilege and work-product privilege were dismissed.

As a consequence of having waived the attorney-client and work-product privileges with respect to all communications on Marvel’s server, the Court concluded he must necessarily have also waived the privileges in connection with communications that may have been relayed through an intermediary.

The Court also rejected Perlmutter’s contention that the common-interest privilege prevented the disclosure of communications between himself and Stephen Raphael, who assisted him in financing the Florida litigation. For this privilege to apply, the communication sought to be protected must relate to actual or anticipated litigation. Perlmutter did not show that the communication he sought to protect was relevant to the matter, “in furtherance of a common legal interest”, and/or that he and Raphael had a reasonable expectation of confidentiality (in respect of these communications).

With respect to marital privilege, the Court concluded that all electronic communications between Perlmutter and his wife on the Marvel server that were confidential in nature were protected by the marital privilege, unless knowingly shared. Conversely, all electronic communications between Perlmutter and his wife on the Marvel server that were not confidential in nature, but requested in the course of the litigation, were required to be turned over to Peerenboom.

The Takeaway

Peerenboom v Marvel is an informative case for companies with cross-border operations in the United States (and in particular, those with headquarters in New York County). It sheds light on instances where employees will not be successful in invoking privilege over communications sought to be included in relevant litigation, particularly where a company’s policy specifically excludes the possibility of privacy in such circumstances. It remains to be seen if the decision will be appealed.

The Peerenboom decision stands in sharp contrast to a similar recent decision of the Ontario Superior Court of Justice in Narusis v. Bullion Management Group (see our previous blog post here). In Narusis, the company had engaged a contractor to deliver certain services, and in this context, provided the contractor with a corporate e-mail account. The contractor used this corporate e-mail account to exchange e-mails with his lawyer about a legal dispute he had with the company.

With respect to a motion claiming Narusis had waived privilege over these emails, the court concluded that the facts of the case indicated that Narusis had not, implicitly or explicitly, waived his solicitor-client privilege over the e-mails. However, in its analysis, the court suggested that had Narusis been an employee (instead of a contractor), and/or signed the company policy governing such things and/or had personal e-mails been forbidden, the outcome may have been different.

The Court in Narusis also went on to distinguish an employee’s right to privacy from the protection afforded to communications under solicitor-client privilege, noting the two concepts are very different, and serve very different purposes.

Companies working across the border should be mindful of the interpretation of their policies and actions by courts in Canada and the US.

US Federal Regulators Propose Binding Rules to Enhance Banks’ Cybersecurity Practices

Posted in Cybersecurity
Taha Qureshi

On October 19, 2016, three US financial regulators – the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation (collectively, the “Agencies”) – issued a joint Advance Notice of Proposed Rulemaking (“ANPR”) seeking comments by all stakeholders on enhanced cyber risk management standards. Historically, US regulators have provided non-mandatory guidelines for cybersecurity best practices for voluntary compliance by financial institutions to ensure preparedness in the face of cyber threats. For the first time, the ANPR outlines proposals for minimum binding standards that would be applicable to some of the largest regulated institutions in the US with consolidated assets of US$50 billion or more on an enterprise-wide basis. These binding standards indicate a shift in the approach adopted by US regulators from lenient oversight to one that is more prescriptive.

Notably, the proposals are also applicable to certain nonbank financial institutions (“NBFI”), as well as third-party service providers used by regulated financial institutions. NBFIs include non-licensed financial institutions that facilitate financial services such as online brokerages and third-party service providers include those entities that provide payments processing, core banking and other financial technology services. The expansive nature of the ANPR’s scope further indicates the Agencies’ vision for more detailed regulation of the financial sector’s cybersecurity preparedness than previously.

While the enhanced standards will be baseline minimums applicable to all covered entities, the ANPR proposes an additional higher set of standards for those financial institutions with “sector-critical systems.” The Agencies define critical elements of the US financial system to include markets for commercial paper, corporate debt and equity, and US government bonds. Financial institutions that will be held to the additional set of standards are then defined as those that play a role in critical markets with sufficient market share such that their failure to settle their own or their customers’ material pending transactions by the end of business day could present systemic risk.

The ANPR divides the minimum proposed standards into five categories:

Cyber-Risk Governance

  • Refers to maintaining a formal cyber risk strategy integrated into risk governance structures; requires board of directors to develop written, enterprise-wide cyber risk strategy, approve cyber risk appetite and tolerances, and oversee and hold senior management accountable for implementing policies; proposal would require members of the board of directors to have adequate expertise in cybersecurity to be able to credibly carry out their role.

Cyber-Risk Management

  • Proposal would require business units responsible for day-to-day operations to frequently assess the cyber risks associated with their activities, comply with the entity’s own cyber risk management framework, and report vulnerabilities and threats to senior management.
  • Proposal recommends establishment of an independent risk management function within the entity to analyze, respond and promptly notify issues related to cyber risk at the enterprise level; an additional audit function is also proposed to frequently evaluate the efficacy of established policies and protocols.

Internal Dependency Management

  • Refers to the cyber risks associated with an entity’s own business assets e.g. insider threats, data storage policies and use of legacy systems acquired through acquisitions; the internal dependency strategy would form part of the broader cyber risk management plan implemented by the entity to ensure risks from internal dependencies are minimized by keeping inventory and mapping all vulnerable assets to ensure monitoring and adequate levels of incident response.

External Dependency Management

  • Refers to cyber risks associated with an entity’s relationships with outside vendors, suppliers, customers and other service providers; similar to internal dependency mechanisms requiring awareness of all possible external risk sources, as well as defined policies to ensure effective monitoring and incident response.

Incident Response, Cyber Resilience and Situational Awareness

  • Refers to an entity’s ability to maintain critical functionality in the event of cyber security incidents or disruptions; the proposals require establishing recovery time objectives, as well as developing protocols for secure, immutable off-line preservation of critical records in the event of a significant cyber event.

Impact of Proposed US Regulations on Canadian Financial Institutions

In light of the proposed enhanced standards, Canadian financial institutions should carefully consider any potential consequences and liabilities arising out of recent or future acquisition activity in the US. The Agencies are considering applying the enhanced standards to the US operations of foreign banking organizations with total US assets of US$50 billion or more. Canadian financial institutions expanding their footprint in the US run the risk of being subject to these mandatory minimum standards in the future, if their US asset base does not already exceed the threshold.

The binding nature of the proposed US Regulations will also likely catch the attention of Canadian regulators. In 2013, the Office of the Superintendent of Financial Institutions (“OSFI”) introduced a voluntary Cybersecurity Self-Assessment Guideline (the “Guideline”) and allowed federally regulated financial institutions (“FRFIs”) to assess their own levels of preparedness and respond to any perceived gaps or weaknesses.

Notably, OSFI stated at the time that while it encouraged FRFIs to utilize the Guideline, it did not plan to establish specific guidance for the control and management of cyber risk. OSFI did however reserve the right to specifically request completion of the otherwise voluntary self-assessment, or emphasize certain best practices in future supervisory circumstances. Since 2013, OSFI has made no substantial changes to the Guideline, limiting its updates to improved guidance in light of an evolving understanding of the cybersecurity threat. (By way of contrast, the New York Department of Financial Services (“NYDFS”) recently announced its first State-level regulations for cybersecurity applicable to financial institutions – see our blog post here.)

The existing Guideline prescribed by OSFI touches upon most, if not all, of the key priority areas identified by the ANPR. Insofar as the difference between a voluntary and mandatory system goes, the OSFI self-assessment template leaves it to FRFIs to devise mechanisms and methods of achieving the stated diligence goals. The ANPR recommends specific methods and procedures.

Despite the differences in policy mechanisms between Canada and the US, it is not inconceivable that Canadian regulators could eventually shift towards binding standards in the future, though there is nothing right now to indicate such a move is being considered. However, the risks posed by cyber threats to the financial system are evolving rapidly and Canadian regulators may prefer to share the burden of ensuring steadfastness in the face of these risks with all participants of the financial system. The Bank of Canada has also touted the mirror-like similarities of the Canadian approach to cybersecurity policy guidance and stress testing as compared to other jurisdictions like the US and UK. If these and other countries decide to embark on a trend of binding standards, Canadian regulators may start examining a similar direction and could follow suit to ensure they are in line with accepted global regulatory thinking.