CyberLex

Insights on cybersecurity, privacy and data protection law

Is There a Duty of Device Security? U.S. Regulator Fires Warning Shot Over Obligations of IoT Manufacturers

Posted in Internet of Things, Privacy
Douglas Judson

A complaint filed by the U.S. Federal Trade Commission (the “FTC”) against D-Link Corporation, a Taiwanese computer networking equipment manufacturer, and its U.S. subsidiary (collectively, “D-Link”) is raising questions about the extent of responsibility that networking equipment manufacturers may have for the security of their products, and how much of that responsibility rests with consumers and end users.

On January 5, the FTC filed a complaint in the U.S. District Court in the Northern District of California, alleging that D-Link failed to take reasonable steps to secure its routers and internet-based cameras. The mandate of the FTC is to promote competition and to protect and educate consumers. The agency may file a complaint when it has a reason to believe that the law has been or is being violated, and it appears that proceeding would be in the public interest. The FTC has used its broad mandate to protect consumers from unfair or deceptive practices in the marketplace to investigate privacy and security claims.

The FTC’s media release announcing the lawsuit indicates that the alleged failure on the part of D-Link compromised sensitive consumer information (such as providing live video and audio feeds from private D-Link cameras, or by redirecting a consumer to a fraudulent website). The FTC claims that despite D-Link’s promotional representations about the security of its routers (i.e., “Easy to Secure”, “Advanced Network Security”), the company failed to take steps to address widely known and easily preventable security issues. Security issues with a number of common routers used in businesses and homes have been widely reported in the media in recent months and years.

The FTC’s complaint comes at a formative stage in the development of regulations for the Internet of Things (“IoT”) – a matter we have blogged about before. The FTC has emphasized that the only way for the IoT to reach its full potential for innovation is with the trust of consumers. To that end, it has published guidance on device security protocols and standards for both corporations and consumers. Likewise, it is through FTC litigation such as that brought against D-Link, ASUS, and TRENDnet that the regulator seeks to give force and shape to the obligations of manufacturers over the security of their equipment. This comes at a time when breaches of privacy and security can have further-reaching consequences than ever before, and even the most mundane household products are gaining network-based functionality. With that functionality comes vulnerability.

Like the FTC, the Privacy Commissioner of Canada is tasked with protecting the privacy interests of consumers, albeit with different powers and jurisdiction. The Commissioner recently expressed that there is significant room for improvement with respect to how well companies explain to consumers how Internet-connected devices handle their personal information. It is unclear whether Canadian policymakers will unveil more particularized directives with respect to the IoT.

What is clear is that neither U.S. nor Canadian privacy regulators are content to allow manufacturers to wash their hands of responsibility for providing a reasonable level of security and protection on their networked devices and products. The alleged failure of D-Link to address widely-reported and easily-addressed security flaws also points to the need for such manufacturers (and those looking to move into the IoT space) to stay abreast of new security threats and establish formal protocols for managing privacy risks and the legal liability which may follow. The D-Link litigation may serve as a cautionary tale for Canadian manufacturers seeking growth in the U.S. market.

McCarthy Tétrault Celebrates Data Privacy Day, 2017 With New Cybersecurity Risk Guide

Posted in Cybersecurity, Privacy

In celebration of Data Privacy Day, McCarthy Tétrault is pleased to launch the 2017 edition of our newly designed online Cybersecurity Risk Management Guide, to help clients manage data risks in a quickly evolving business environment. 

Data Privacy Day, celebrated on January 28, 2017, is an opportunity for businesses to review privacy and data protection policies, and to consider taking steps to reduce operational and legal exposures that relate to the data being used and accumulated as part of business activity.

Data Privacy Day, or Data Protection Day in Europe, was originally initiated by the Council of Europe. Data Privacy Day occurs each year on January 28th, the day on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature.

The purpose of Data Privacy Day is to raise awareness of the importance of data protection and data privacy, to educate about data-related risks, and to inform individuals and organizations of their rights and obligations in connection with their data.

Data Privacy Day is an opportunity to give special attention to the specific data issues of the business, whether through review of existing data protection and privacy policies, raising awareness of privacy among employees and vendors, improving existing cybersecurity systems, or through the mitigation of data and privacy legal exposures.

Importance for Businesses

For businesses, there are many ways in which protection of data is a critical part of operations, including: compliance with applicable data protection laws and regulations; prevention of, and preparation for, data breaches; addressing rights of individuals whose data is held by the business; and managing exposure to legal actions in connection with data.

Key issues to consider, in this regard:

  • The Digital Privacy Act: the Digital Privacy Act, passed into law on June 18, 2015, introduced requirements with respect to the requisite consent by individuals prior to collection of personal information, notification and reporting obligations in the event of data breach (not yet in force, pending approval of regulations), and fines of up to $100,000 per violation of these requirements. These requirements apply to any business which handles personal information in the course of its activity. In addition, under the Digital Privacy Act, the Privacy Commissioner of Canada may make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties.
  • EU Requirements: Canadian businesses that collect personal information of residents of the EU may be caught by the EU Data Protection Directive. Adding to the complexity, the General Data Protection Regulation (GDPR) is set to overhaul the EU Data Protection Directive when it comes into force in the spring of 2018. The GDPR will impose significant new obligations on data processors including record keeping, data security, and breach notification obligations. Canadian businesses which offer (including through websites) goods and services to individuals in the EU, or who track user behavior of individuals in the EU, should consider compliance with the GDPR, especially in view of potential fines of up to € 20 M or 4% of annual global revenues.
  • Corporate Governance: the protection of privacy and data raises issues of corporate governance and exposure to legal actions by individuals and corporations (including class actions). Businesses should examine their data protection policies in view of best practices in the industry in which the business operates. In some cases, the relevant best practice applies through mandatory requirements that are applicable to certain types of businesses, or to businesses in certain jurisdictions (for examples, see mutual funds, public corporations and investment bodies).

McCarthy Tétrault’s Leadership in Privacy and Data Management

McCarthy Tétrault’s Cybersecurity, Privacy and Data Management Group is at the forefront of data protection and data incident response. We regularly advise clients from all industries, including energy, resources, power, banking, insurance, health, technology and retail. We have been lead counsel on numerous key public and private cybersecurity responses. We offer a seamless, integrated response through our close partnerships with insurers, IT forensics firms, PR firms and others.

We work with our clients on developing strategies and policies for compliance with applicable requirements, prevention of data breaches, and readiness and response to a breach. Our legal solutions and strategies are designed to drive value while mitigating risk. Whether it is Big Data, data analytics, FinTech, connected vehicles, we have done it.

Our recent acquisition of Wortzmans, one of Canada’s most respected e-discovery firms, solidifies McCarthys as a leader in meeting its clients’ needs in e-discovery, information governance and technology strategy. McCarthy Tétrault’s Information Technology group is ranked Band 1 on Chambers Canada, and we are the only firm in Canada to have more than one lawyer ranked in the area of Privacy & Data Protection.

McCarthy Tétrault Acquires Wortzmans, Canada’s Leading e-Discovery Law Firm

Posted in E-Discovery

On January 4, 2017, McCarthy Tétrault announced it had acquired Wortzmans, Canada’s leading e-discovery law firm.

This acquisition marks another first for McCarthy Tétrault and solidifies its role as an innovative leader in the legal market. The Wortzman team will be integrated into McCarthy Tétrault and Susan Wortzman will join the firm as an equity partner. Wortzmans will continue to operate as a separate e-discovery and managed review service for its clients.

“This announcement is tremendously exciting for our firm,” said Matthew Peters, McCarthy Tétrault’s National Leader of Innovation. “By partnering with Wortzmans, McCarthy Tétrault is putting forward a clear vision for the future of e-discovery, information governance and legal technology strategies. This partnership is an exciting market differentiator – it increases our global reach and strengthens an already powerful platform and market position.”

“Our clients are at the root of what we do and how we do it,” said Dave Leonard, McCarthy Tétrault CEO. “By bringing Wortzmans to our firm, we will be able to focus even more on ensuring we deliver our clients the very best service, even more efficiently and with a greater focus on innovation, technology and results.”

“My team and I are thrilled to be joining McCarthy Tétrault,” said Susan Wortzman. “Together, we can deliver collaborative, innovative and high-quality client services and efficiencies. The future of information and data management in the legal industry in Canada is changing rapidly. With new technologies and more effective, efficient ways to serve clients, our new partnership continues McCarthy Tétrault’s history of cutting-edge innovation.”

About McCarthy Tétrault

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in London, UK.

Built on an integrated approach to the practice of law and delivery of innovative client services, the firm brings its legal talent, industry insight and practice experience to help clients achieve the results that are important to them.

About Wortzmans

Wortzmans is one of the first law firms in North America to specialize in the complexities of technology and the law. Since 2007, the firm has provided clients with expert advice and guidance in the areas of e-discovery, information governance and technology strategies.

Susan Wortzman is one of Canada’s most respected e-discovery lawyers. Her practice focuses on providing e-discovery and information management advice to law firms and corporations. She works extensively with clients on litigation, tribunal and regulatory matters, including Competition Bureau matters. Susan Wortzman also advises on information governance and privacy issues.

 

Fintech Regulatory Developments: 2016 Year in Review

Posted in FinTech
Kirsten Thompson, Ana Badour, Heidi Gordon, Laure Fouin, Jessica Firestone

This year was a tremendously active year for Fintech in Canada and internationally, and 2017 promises to be even more so.  In the Fall of 2016, we co-authored a comprehensive report together with the Digital Finance Institute, “FinTech in Canada: British Columbia Edition” on the state of the Canadian Fintech ecosystem, highlighting a number of the then-current industry and regulatory developments.  As we head into 2017, we provide a brief summary of some of last year’s Fintech regulatory developments in Canada and globally, and some developments to watch for in the upcoming year.

Canada – Federal

In May 2016, the Competition Bureau announced the launch of a market study on Fintech.  This study is intended to explore whether regulatory reform is necessary to promote innovation while also ensuring consumer confidence.  The Competition Bureau is expected to publish its report in the Spring of 2017.

On August 26, 2016, the Department of Finance Canada announced its launch of a two-stage consultation process on the federal financial sector legislative and regulatory framework.  It provided a consultation document containing an overview of the landscape of the Canadian financial sector and describing the current trends and regulatory environment in Canada.  The Department of Finance Canada asked stakeholders to provide those submissions by November 15, 2016 as part of the first stage of its consultation process.  Those submissions will shape the policy paper that it will publish in 2017 as part of the second stage of its consultation process.

A number of other developments also occurred that will affect or affected Fintech entities.  On the payments front, Payments Canada is currently undertaking a project to modernize the Canadian payments system, as detailed further in its consultation paper issued in April 2016.  There were also a number of developments with respect to anti-money laundering (“AML”) requirements in Canada, including the issuance of amendments and new guidance with respect to identification requirements and dealing with politically exposed persons.  In addition, the Financial Action Task Force released its Mutual Evaluation Report for Canada in September 2016.  While the report indicated that Canada’s existing AML regime is generally strong, it noted that the quality of AML practices lags in a number of sectors, including in money services businesses.  It also identified open loop prepaid cards, white label ATMs and virtual currencies as inadequately covered by the AML regime and stated that upcoming amendments to the AML regime will be introduced to address these.

With the increase in electronic and digital payments, the Office of the Privacy Commissioner of Canada (the “OPC”) began to take an interest in this area as well, recently publishing a consumer guide to privacy considerations with respect to a number of different payment mechanisms.  The stakes could be higher in 2017 for companies using personal information, as it is widely expected that the draft regulations for the federal privacy legislation in respect of mandatory breach reporting, recordkeeping, and penalties will be published, and potentially implemented shortly thereafter.  Finally, subsequent to the OPC’s consultation and review of consent to the use of personal information (particularly in the context of data analytics and big data, both of which underlie many Fintech initiatives), we expect that the OPC will make recommendations to Parliament on this issue.  These issues will become increasingly important in the financial sector as both incumbents and newer entrants seek to share personal information, either on a proprietary basis or via an Open Application Program Interface (“API”) model.

Ontario

In January 2016, a new equity crowdfunding regime came into effect in Ontario (with similar regimes introduced in Québec, Manitoba, New Brunswick and Nova Scotia).  It gave companies access to a bigger pool of investors by allowing them to raise money online through a registered crowdfunding portal from Canadians looking to make equity investments.  Under this regime, Ontario “everyday investors” can make crowdfunding investments of up to $2,500 per investment (capped at $10,000 annually) and Ontario accredited investors (i.e. those who meet certain asset and income thresholds) can make crowdfunding investments of up to $25,000 per investment (capped at $50,000 annually).

In October 2016, the Ontario Securities Commission (the “OSC”) launched OSC LaunchPad, the first Fintech hub for a Canadian securities regulator, seeking to engage with Fintech companies to help them navigate securities regulation and support them through the authorization process.  The OSC also announced it had signed an agreement with Australia’s financial regulator to allow Fintech companies based in Ontario and Australia to leverage the combined resources of the Ontario and Australian regulators as the companies look to operate in the other’s market.

The OSC also announced in November 2016 that it was seeking applications for a Fintech advisory committee.

Additionally, the OSC had an active year of working directly with Fintech companies to help pave the way for them to operate within the existing regulatory framework imposed by the OSC.  Vault Circle (a subsidiary of Lendified) became Canada’s first digital lending platform to receive an exempt market dealer license from a Canadian securities regulator.  That license enables Vault Circle to present lending opportunities to Ontario investors who qualify as accredited investors.  Lending Loop became registered as an exempt market dealer in Ontario (and all other Canadian provinces), enabling Lending Loop to operate a peer-to-peer lending platform that connects small businesses seeking financing with Canadian investors (who need not be accredited investors) looking for alternative investing opportunities.  AngelList received novel exemptive relief from the OSC, enabling it to operate (under a two-year trial program) a platform that brings together syndicates of investors with startup companies in need of financing, provided the investors and startups each meet certain criteria imposed by the OSC.

In addition, Ontario reiterated its intention to proceed with a new provincial financial services regulator, the Financial Services Regulatory Authority of Ontario, which will replace and consolidate existing regulators in the financial services space.  It announced consultations to identify any “unclear, outdated, redundant or unnecessarily costly” financial services or insurance regulation in Ontario.  The consultation process will remain open until January 31, 2017, and the Ontario Government will publish its findings on July 31, 2017.

Québec

In June 2016, the Québec Autorité des marchés financiers (“AMF”) announced that it created a Fintech working group mandated with analyzing technological innovations in the financial sector and anticipating regulatory, market efficiency and consumer protection issues.  Québec follows an integrated regulator model, thus the AMF oversees insurance, deposit institutions, securities, derivatives, distribution of financial products and services, as well as the financial planning sectors.  The AMF Fintech working group can examine how Fintech impacts all of these sectors individually and as a whole.  The AMF announced the eleven members of the AMF Fintech working group in December 2016; in line with the group’s focus on engaging with the industry, most of the members represent industry stakeholders involved in financial sector technological innovations.

International

Globally, the major development in 2016 was the increasing popularity of “regulatory sandboxes”, which seek to create a regulatory “safe space” in which businesses that qualify can test innovative products and services without immediately incurring all the normal regulatory consequences of engaging in such activity.  The United Kingdom’s Project Innovate for example features a regulatory sandbox, as well as an advice unit and an innovation hub.  A number of other jurisdictions also moved forward with regulatory sandboxes, including Australia, Switzerland, Singapore and Hong Kong.

There were a number of important developments in the United States in 2016 as well.  In particular, on December 2, 2016, the Office of the Comptroller of the Currency (the “OCC”) announced that it would move forward with considering applications from Fintech companies to become special purpose national banks.  The OCC published a paper discussing the issues and conditions that it will consider in connection with such applications.  Comments on the paper are due on January 15, 2017.  In addition, the Consumer Financial Protection Bureau (the “CFPB”) also has in place its Project Catalyst aiming to promote consumer-friendly innovation and is engaging with key stakeholders and other government agencies and hosting “office hours” as outreach for the Fintech community.  The Director of the CFPB also made headlines at Money20/20 when he endorsed the concept of “open data” in the financial context and stated that the CFPB is “gravely concerned” that financial institutions are limiting or shutting off access to financial data, rather than “exploring ways to make sure that such access…is safe and secure.”

What to Watch for in 2017

  • The Competition Bureau is expected to publish the results of its market study in the Spring of 2017.
  • The Department of Finance is expected to release its policy paper on the federal financial sector legislative and regulatory framework in 2017.
  • Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”) may be introduced in 2017 in respect of, among other things, open loop prepaid cards and virtual currencies. In particular, the PCMLTFA was previously amended in 2014 to specifically extend the definition of “money services businesses” to include “persons dealing in virtual currencies”, but the regulations implementing this change remain outstanding, even as virtual currencies have become more popular.
  • In Europe, the first real steps toward implementing the Directive on Payment Services (“PSD2”) Access-to-the-Account provisions will occur in 2017. The provisions will require banks to provide standardized API access to third parties under the auspices of the European Banking Authority.  This is a significant shift toward the creation of an Open Banking ecosystem.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

Blockchain And Privacy: Transparency And Innovation Pose Challenges for Data Protection

Posted in FinTech, Privacy
Anaïs Galpin, Charles Morgan

A blockchain is a peer network of nodes that use a distributed ledger that can be used to track transactions involving value including money, votes, property, etc. The most well-known application of blockchain technology is bitcoin. Transactions on a blockchain are not regulated by any central counterparty: the individuals involved in a given transaction provide their information (including personal information), and a record is created that can be verified by nodes in the network. In this sense, the users forming the community act as their own regulators.

In its openness, blockchain technology is full of new opportunities to transact in different ways. However, in the case of a public blockchain, in order to allow security and certainty, every transaction is recorded on a publicly available ledger and the disclosed transaction information is unalterable. This latter rule is one of the most fundamental in the functioning of blockchain. Indeed, data can only be added to blockchain, rather than removed (as each node contains a replication of the blockchain). If a change is applied to a node, such change would be rejected by the other nodes in the network. This provides great certainty over time within the chain of transactions. Altering a node would be like activating a time machine: it is impossible not to change the present if you alter the past, so the entire chain of information is thus modified.

Although the above is justifiable from a technological standpoint (and can even facilitate anti-money laundering measures), blockchain’s inalterability can raise issues for individuals who wish to protect their privacy (including as regards the nascent and evolving “right to be forgotten”, which is recognized in some jurisdictions). For example, what is an individual supposed to do if the publicly disclosed information she provided in order to complete a transaction becomes inaccurate or if the publicity of her information one day creates an important risk to her safety? Changes in people’s lives could trigger this individual need for an alteration of the information stored in blockchain ledgers, such as insolvency, criminal records, change of name, change of gender, etc. As such, given the decentralized nature of blockchain, how could a court order a change in blockchain the same way it would order a web page to disappear from Google search results?

In this regard, a distinction should be made between anonymity and privacy. Some have argued that bitcoin, even though not private, is anonymous. Indeed, the email address provided when registering for a Bitcoin transaction may be any email address and as such, the link to personal information of the user, such as his name or birth date, may be avoided. However, bitcoin is more accurately described as pseudo-anonymous. As the Office of the Privacy Commissioner explained in one of its few publications on the topic of digital payments and privacy:

…some people suggest virtual currencies can be used to make purchases anonymously. This isn’t necessarily true because the digital trail associated with these currencies can still be tied to an individual, although the trail usually consists only of transaction records rather than personal information. To set up an account in order to use these virtual currencies, however, you may be required to provide some personal information, such as your name, credit card information, banking information, driver’s licence, utility bill or even passport information. While the anonymity of digital currencies may limit the exposure of details related to your payment information, retailers can still combine your purchase information with other information they have such as your name, email address, purchase history or rewards/loyalty points you have with the store.

Even though some technological solutions are under consideration to address privacy challenges with respect to the use of blockchains and to design blockchains that are protective of privacy (such as data encryption or the use of timestamps for information held elsewhere), there could still be a potential benefit to regulatory guidance on privacy matters relating to blockchain technology.

Regulatory developments in respect of digital currencies in Canada have to date mostly been limited to anti-money laundering and taxation matters.  However, there is a growing interest in blockchain technology in Canada by various industries including major financial institutions and the Bank of Canada, which is running experiments on interbank payment systems “to build a proof of concept wholesale interbank payment system using a distributed ledger”, as stated by Deputy Governor Carolyn Wilkins.

In addition, certain securities regulators (such as the OSC and the AMF) are in the process of forming committees to consider Fintech matters.  In this context, ensuring data protection in connection with the use of blockchain technology could become an important regulatory consideration going forward.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

Transport Canada Launches Online “Drone Incident” Reporting Tool

Posted in Regulatory Compliance, UAVs
Kirsten Thompson

Transport Canada has announced the launch of a new incident-reporting tool “to keep Canadians safe from reckless drone use.”

The new online reporting tool will allow people to report drone “incidents” from their mobile phones and will help Transport Canada “gather valuable information that will assist inspectors with investigations.” It serves as a single-entry-point for drone incident reporting but is not intended to replace the existing official aviation incident reporting systems, such as the Civil Aviation Daily Occurrence Reporting System (CADORS).

Along with basic information such as date and location of the incident, the online form asks the following questions:

  • Was the drone flying near an aircraft?
  • Was the drone flying at a high altitude?
  • Was the drone flying close to an airport/aerodrome (helipad, heliport, seaplane base, etc.)? and
  • Did the drone fly close to or over the following zones? (such as a populated area; home/private property; crowd (sporting event, concert, festival); forest fire; moving vehicles, highways, busy streets, bridges, etc.)

Complainants are also asked to provide a description of the drone (helpful drone silhouettes are provided) and a description of the operator. The form also asks the complainant whether they have “gathered evidence” such as photos or video. Complainants have the option of reporting anonymously.

In the last twelve months, Transport Canada has increased its scrutiny and supervision of drones (also known as unmanned air vehicles (UAVs)) and, according to its backgrounder on the issue, has focused on a number of key areas, including:

Revising and/or increasing regulations for drone operators: In spring 2017, Transport Canada will publish proposed regulations in Canada Gazette, Part I, for small drones (25 kilograms or less) that are operated within visual line-of-sight. This category of drone was previously exempt from specific regulation. Transport Canada has said that the proposed changes will introduce more flexible and clear rules for all drone operators. The public will have the opportunity to comment on the proposed regulations before they come into force. Proposed changes include:

  • new flight rules
  • aircraft marking and registration requirements
  • knowledge testing
  • minimum age limits
  • pilot permits for certain UAV operations

Simplifying rules for commercial operators with two new exemptions:  Commercial and research drones were already subject to regulations, but Transport Canada will issue two new UAV exemptions for non-recreational operators that will replace the existing exemptions, which expired on December 21, 2016. These new exemptions will allow UAV operators flying for work or research to conduct lower-risk operations without having to apply for a Special Flight Operations Certificate (SFOC). The new exemptions will allow operators to fly closer to built-up areas and smaller aerodromes as long as they comply with strict safety conditions and notify Transport Canada before flying. Detailed information regarding the new exemptions will be available on TC’s drone safety webpage when the exemptions come into effect on December 22, 2016;

Announcing a new commercial drone test site in Alberta: On November 3, 2016, the Minister announced that the Village of Foremost, Alberta together with the Canadian Centre for Unmanned Vehicle Systems (CCUVS) in Lethbridge, Alberta had established the Foremost Centre for Unmanned Systems based out of the Foremost Aerodrome. The site will support research and development and provide the industry with dedicated, restricted airspace where they can test UAVs beyond visual line of sight;

Partnering with retailers to provide safety information at the point-of-sale: Participating manufacturers have agreed to include a Transport Canada safety card with every drone they sell. Participating retailers have agreed to provide a link to the department’s drone safety webpage on their respective websites; and

Launching a “No Drone Zone” public awareness campaign: In June, 2016 the Ministry launched a No Drone Zone public awareness campaign that focused on partnering with airports and other organizations to educate Canadians about drone safety. Transport Canada also introduced “No Drone Zone” signs and has worked with 20 organizations to install over 100 of these signs in and around airports, the backgrounder said.


According to Transport Canada, anyone who operates a drone in a reckless and negligent manner, violates controlled or restricted airspace, or endangers the safety of manned aircraft could face fines of up to $25,000 and/or jail time. If an operator does not follow the requirements of their SFOC, Transport Canada can issue fines of up to $3,000 for an individual and $15,000 for a business.

 

Document Discovery and Native Documents – Document Production Must be “Usable”

Posted in E-Discovery
Nolan Hurlburt

The recent Alberta case of Bard v. Canadian Natural Resources, 2016 ABQB 267 provides a road map for compelling the production of native electronic documents in “usable” form.

In the underlying claim, the plaintiffs alleged that the defendants (“CNRL”) had improperly accounted for credits and debits deposited to an account, which determined the plaintiffs’ (“Devon”) share of the proceeds from a joint oil sands project.

In court, Devon sought the native production of a number of categories of documents, including spreadsheets, electronic financial database records, certain financial records and other documents requested by Devon’s expert.

CNRL resisted the production on the basis of materiality and relevance. CNRL also argued that the documents had already been produced in a “usable” TIFF format and, importantly, CNRL had complied with the agreed upon document production protocol.

Devon countered that one-thousand-page-long TIFF representations of spreadsheets were not capable of being manipulated and analyzed efficiently and omitted relevant metadata and formulas present in the native files.

In granting Devon’s requested order, the Court held that document production must be meaningful in the circumstances. In the age of dynamic multi-dimensional electronic documents, this will often mean production in native format. With respect to the Excel spreadsheets, production with the underlying mathematical formulas intact was “the only way to be certain as to how certain cells were calculated. These formulas would help to significantly prove facts directly in issue, e.g. that certain costs were or were not indirectly charged to the Carried Account and/or that those costs were miscalculated.”

The potential requirement to produce native documents should be kept in mind when considering the preservation of dynamic documents in connection with litigation, particularly where changes to metadata or programmatic information could occur.

The decision provides a number of takeaways for litigants advancing or opposing the production of native documents:

  • Documents in native format may be compellable, notwithstanding that they have been produced in a different format (e.g. PDF or TIFF) and/or in compliance with an agreed upon document production protocol.
  • Full databases such as financial databases may be compellable, even where summaries of the relevant data have been produced.
  • A party seeking the production of native documents should provide evidence of the necessity of the documents and the deficiencies of the existing production.
  • A party defending the production of native documents should provide non-speculative evidence of the costs of producing the documents being sought.
  • An independent expert’s opinion with respect to documents required for their analysis is compelling.

Whether advancing or defending such an application, Principle 2 of the Sedona Canada Principles provides a useful structure for such applications. The principle sets out that document production should be proportionate, taking into account:

  • the importance and complexity of the issues and interests at stake and the amounts in controversy;
  • the relevance of the available electronically stored information;
  • the importance of the electronically stored information to the Court’s adjudication in a given case; and
  • the costs, burden and delay that the discovery of the electronically stored information may impose on the parties.

No Right to Compel Predictive Coding/Technology Assisted Review (TAR)

Posted in E-Discovery
Nolan Hurlburt

A recent decision of the United States District Court, Northern District of California affirmed that a litigant has no right to compel the other party to use technology assisted review (“TAR”) or predictive coding* to identify relevant documents.  (See also Hyles v. New York City, 2016 WL 4077114, at *2-3 (S.D.N.Y. Aug. 1, 2016); and In re Biomet M2a Magnum Hip Implant Prod. Liab. Litig., 2013 WL 1729682, at *2-3 (N.D. Ind. Apr. 18, 2013)).

In seeking an order compelling the Defendant Pfizer, Inc. (“Pfizer”) to use predictive coding/TAR, the Plaintiff argued that predictive coding/TAR is a more sophisticated tool than the traditional application of keyword search terms and sought to have representatives of both parties involved in the process of developing the search process.  The Plaintiff said this would save time and money for both sides.

Pfizer proposed an alternative method, which involved the iterative application of search terms and “rigorous sampling” to verify results.  Pfizer agreed to share proposed search terms with the Plaintiff in advance, to apply search terms agreed upon by both sides and to consider the inclusion of any other search terms proposed by the Plaintiff.

In refusing to compel Pfizer to participate in the Plaintiff’s TAR-based process, the Court noted that there is no precedent for ordering a party to engage in technology assisted review and that the party itself is best situated to decide how to search for and produce information responsive to discovery requests.

As the court reasoned in Hyles, the responding party is the one best situated to decide how to search for and produce electronically stored information  responsive to discovery requests. As such, the responding party (citations omitted):

“can use the search method of its choice. If [the propounding party] later demonstrates deficiencies in the . . . production, the [responding party] may have to re-do its search. But that is not a basis for Court intervention at this stage of the case.” Id. “[I]t is not up to the Court, or the requesting party . . ., to force the . . . responding party to use TAR when it prefers to use keyword searching. While [the propounding party] may well be correct that production using keywords may not be as complete as it would be if TAR were used . . ., the standard is not perfection, or using the “best” tool . . ., but whether the search results are reasonable and proportional.”

Although predictive coding and other forms of technology assisted review are firmly established in the jurisprudence as acceptable processes of identifying responsive electronically stored information (ESI) (See Da Silva Moore v. Publicis Groupe, 2012 U.S. Dist. LEXIS 23350 (SDNY, Feb. 24, 2012)), the Court noted the absence of any basis on which it could make the order sought in the absence of any evidence that Pfizer’s preferred method would produce or has produced insufficient discovery responses.

In short, litigants seeking a cooperative predictive coding/TAR-based discovery process will need the agreement of the other party – at least in the US. Alternatively, organizations must be prepared to present evidence as to why the other party’s preferred process will produce inadequate results. Expert evidence relating to the nature of the document set and fallibility of keyword search terms in the specific circumstances may be useful in this regard.

*TAR, or predictive coding, is the use of keyword search, filtering and sampling to automate (usually via machine learning) portions of an e-discovery document review. The goal of predictive coding is to reduce the number of irrelevant and non-responsive documents that need to be reviewed manually.

Supreme Court Renders Landmark Privacy decision in Royal Bank of Canada v. Trang

Posted in Privacy
Daniel G.C. Glover, Kirsten Thompson, Barry Sookman, Renee Reichelt, Charles Morgan

The Supreme Court of Canada released a landmark decision today giving important guidance on how Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), should be interpreted. In Royal Bank of Canada v. Trang, 2016 SCC 50, the Court ruled that courts can use their inherent jurisdiction to make orders permitting disclosures of personal information, including personal information contained in mortgage discharge statements. The Court also ruled that disclosures of personal information in such statements are permitted based on the implied consent of the mortgagor. Further, the Court held that while PIPEDA is consumer protection legislation for the digital age, it must be interpreted in a balanced way to facilitate the collection, use and disclosure of personal information by businesses.

Chatbots, Open Data and Sandboxes: Trending Topics from the 2016 Money20/20 Conference

Posted in AI and Machine Learning, Financial, FinTech, Mobile Payments, Privacy
Kirsten Thompson, Ana Badour, Matthew Flynn, Claire Gowdy

With 10,000+ attendees, including more than three thousand companies from seventy-five countries, Money20/20 is the largest annual global event focusing on payments and financial services innovation. The 2016 conference in Las Vegas this October featured a packed agenda of talks by industry and thought leaders on a broad range of current and emerging Fintech issues, as well as an exhibition area featuring Fintech companies, investors, incubators, venture capitalists, consultants, regulators and lawyers. A team of McCarthy lawyers attended again this year and report back on some of the hottest topics of the 2016 conference: machine learning and artificial intelligence (AI), open data and regulatory sandboxes/innovation hubs.

  1. Machine Learning and AI. One of the next ‘next things’ creating a buzz at the conference was the integration of machine learning and artificial intelligence tools in the provision of financial services. “What will banking be in two, three or four years? It’s going to be this,” asserted Michelle Moore, head of digital banking for Bank of America, as she introduced BofA’s new chatbot named Erica at Money20/20. Ms. Moore was not alone at Money20/20 in her obvious excitement about the promise of financial chatbots – tools that will permit the bank to interact with its customers through text messages or services such as Facebook Messenger and Amazon’s Echo. MasterCard also announced MasterCard KAI, a bot for banks that will put the company’s services on messaging platforms and enable consumers in the United States to inquire about their accounts, review banking history, monitor spending levels, learn about MasterCard cardholder benefits, receive contextual offers through integration with MasterCard Priceless experiences, and get help with financial literacy. Thinking Capital, the Montreal-based online lender to small businesses, has also launched a financial chatbot named Lucy. Thinking Capital says Lucy was the first chatbot among Fintechs in North America.

    Chatbots are automated chat programs that use artificial intelligence to draw in data and translate it into understandable responses, akin to Siri, Apple’s interactive voice tool. Although the technology is not restricted to financial services, it’s clear that many financial industry stalwarts and startups alike are placing big bets on it.

    The customer-centric expression of this technological promise is that machine learning will, as described in the Money20/20 session Machine Learning & AI Powering Next Gen CX in Financial Services, “…raise the customer experience benchmark in financial services.” But it’s not all about the customer; another promising aspect of chatbots for financial institutions is reducing the cost of customer support.

    Notwithstanding the promising aspects of the technology, as financial chatbots scale in number and functionality, associated legal and regulatory issues will certainly likewise scale. For example, a text messaging platform may not be secure enough to handle the sensitive nature of consumers’ financial information, giving rise to consumer privacy and protection issues. Consumer protection and competition concerns may also arise with chatbots that are affiliated with certain financial institutions, preventing them from giving unbiased advice about financial products and entities, and helping them to lock in customers using – and hoarding – accumulated data.

  2. Open Data. Another major theme emerging from Money20/20 2016 was the concept of ‘open data’ and ‘open banking’. Open Banking is an emerging term in financial services / financial technology that refers to, among other things, the use of open application programming interfaces (or “APIs”) that enable third party developers to build applications and services for the financial institution. It is predicated on the principle that personal information of customers (such as account and transaction information) should, with consumer consent, be made freely available to third parties, who can then use this data to create new tools to increase consumer financial data access as well as competition among participants in the financial ecosystem.

    The Director of the US Consumer Financial Protection Bureau (“CFPB”) made headlines when he endorsed open data in the financial context. In his Money20/20 remarks, the Director stated that the CFPB is “gravely concerned” that financial institutions are limiting or shutting off access to financial data, rather than “exploring ways to make sure that such access…is safe and secure.” He concluded with the point: “Let me state the matter as clearly as I can here: We believe consumers should be able to access this information and give their permission for third-party companies to access this information as well.” These comments reflect a similar push (mandated by legislation) in the EU (the adoption by the European Parliament of the revised Directive on Payment Services or “PSD2”) and the UK (Open Banking Working Group) to require Open Banking.

    The financial services sector has been traditionally a data-intensive industry and the advent of ‘big data’ analytic techniques has created a new landscape for businesses based on data technologies: equity platforms based on crowdfunding, new platforms that match lenders with borrowers in innovative ways, data visualisation tools to follow companies, suppliers and clients, and a whole range of new payment systems based on mobile and cloud technologies. These transformative players include early innovators as well as established financial institutions which provide big data-related services that are shaking up the traditional financial markets.

  3. Regulatory Sandboxes, Innovation Hubs and the Fintech Charter. The issue of how regulators should respond to Fintech innovation, and to what extent they can encourage innovation, was the final hot topic of the conference. Regulatory approaches to Fintech were discussed in depth at a panel featuring the Director of the CFPB and the Head of Project Innovate from the UK’s Financial Conduct Authority (FCA).

    The Head of Project Innovate described the nature and status of the UK’s Project Innovate, which features a regulatory sandbox (which seeks to create a regulatory “safe space” in which businesses that qualify can test innovative products and services without immediately incurring all the normal regulatory consequences of engaging in such activity), as well as an advice unit and an innovation hub. The FCA accepted 24 applications to the regulatory sandbox (out of a total of 69 applications) as part of the first cohort of applicants and this first cohort is expected to begin testing shortly. More detail on the first cohort is available here.

    In the US, the CFPB has launched Project Catalyst, which aims to promote consumer-friendly innovation. Project Catalyst involves the CFPB engaging with key stakeholders, coordinating with other government agencies and an “office hours” program of outreach to the Fintech community. In addition, the Office of the Comptroller of the Currency (OCC) has been considering the creation of a national limited purpose Fintech charter. While the approach has drawn praise from some within the Fintech community, some state regulators and consumer protection groups have been critical of the national Fintech charter concept, suggesting that a federal charter would likely preempt state laws on interest rates and impair the ability of states to protect less sophisticated retail consumers. The OCC has also recently issued a white paper outlining its recommendations for a responsible innovation framework. However, the recent US election could impact these various initiatives, given statements made by President-Elect Donald Trump during the presidential campaign, in particular in respect of the role of the CFPB.

    In Canada, as in the US, legislative authority over financial services lies with both the federal and provincial governments.  The mix of federal and provincial jurisdiction over Fintech matters in Canada and in the US adds to the regulatory complexity of regulating and fostering Fintech in these jurisdictions. Notably, in Canada, the OSC recently announced that it will be taking steps to help Fintech entities navigate the regulatory framework, through its innovation hub called “OSC Launchpad”, which was unveiled on October 24, 2016. Read more about the OSC Launchpad here.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.