Online proctoring report a must read for Ontario institutions

Online proctoring software was critical to higher education institutions during the heart of the pandemic. Though less signficant today, the report of findings issued by the Information and Privacy Commissioner/Ontario last week about McMaster University’s use of online proctoring is an important read for Ontario public sector institutions – with relevant guidance on IT contracting, the use of generative AI tools and even the public sector necessity test itself.

The necessity test

To be lawful, the collection of personal information by Ontario public sector institutions must be “necessary to the proper administration of a lawfully authorized activity.” The Court of Appeal for Ontario adopted the IPC’s interpretation of the test in Cash Converters in 2007. It is strict, requiring justification to collect each data element, and the necessity standard requires an institution to establish that a collection is more than “merely helpful.”

The strictness of the test leaves one to wonder whether institutions’ business judgment carries any weight. This is a particular concern for universities, whose judgement in academic matters has been given special deference by courts and administrative decision-makers and is protected by a FIPPA exclusion that carves out teaching and research records from the scope of the Act. It does not appear that McMaster argued that the teaching and research records exclusion limited the IPC’s jurisdiction to scrutinize its use of online proctoring, but McMaster did argue that it, “retains complete autonomy, authority, and discretion to employ proctored online exams, prioritizing administrative efficiency and commercial viability, irrespective of necessity.”

The IPC rejected this argument, but applied a form of deference nonetheless. Specifically, the IPC did not question whether the University’s use of online proctoring was necessary. It held that the University’s decision to employ online proctoring was lawfully authorized, and only considered whether the University’s online proctoring tool collected personal information that was necessary for the University to employ online proctoring.

This deferential approach to the Ontario necessity test is not self-evident, though it is the same point that the University of Western Ontario prevailed on in2022 in successfully defeating a challenge to its vaccination policy. In Hawke v Western University, the Court declined to scrutinize the necessity of the University’s vaccination policy itself; the only questions invited by FIPPA were (a) whether the the University’s chosen policy was a lawful exercise of its authority, and (b) whether the collection of vaccination status information to enforce the chosen and lawful policy was necessary.

To summarize, the authority now makes clear that Ontario institutions get to set their own “policy” within the scope of their legal mandates, even if the policy invites the collection of personal information. The necessity of the collection is then measured against the purposes of the chosen lawful policy.

IT contracting

It is common for IT service providers to reserve a right to use the information they process in providing services to institutions. Institutions should appreciate whether the right reserved is a right to use aggregate or de-identified information, or a right to use personal information.

The relevant term of use in McMaster’s case was as follows:

Random samples of video and/or audio recordings may be collected via Respondus Monitor and used by Respondus to improve the Respondus Monitor capabilities for institutions and students. The recordings may be shared with researchers under contract with Respondus to assist in such research. The researchers are consultants or contractors to Respondus and are under written obligation to maintain the video and/or audio recordings in confidence and under terms at least as strict as these Terms. The written agreements with the researchers also expressly limit their access and use of the data to work being done for Respondus and the researchers do not have the right to use the data for any other purposes. No personally identifiable information for students is provided with the video and/or audio recordings to researchers, such as the student’s name, course name, institution, grades, or student identification photos submitted as part of the Respondus Monitor exam session.

Despite the (dubious) last sentence of this text, the IPC held that this contemplated a use of test taker personal information was for a secondary purpose that was not a “consistent purpose.” It was therefore not authorized by FIPPA.

In recommending that the University secure a written undertaking from the service provider that it would cease to use student personal information for system improvement purposes without consent, the IPC carefully noted that the service provider had published information that indicated it refrains from this use in certain jurisdictions.

In addition to this finding and a number of related findings about the use of test taker personal information for the vendor’s secondary purposes, the IPC held:

the vendor contract was deficient because it did not require the vendor to notify the University in the event that it is required to disclose a test taker’s personal data to authorities; and
that the University should contractually require the vendor to delete audio and video recordings from its servers on, at minimum, an annual basis and that the vendor provide confirmation of this deletion.

The McMaster case adds to the body of IPC guidance on data protection terms. The IPC appears to be accepting of vendor de-identification rights, but not of vendor rights to use personal information.

Generative AI

While the IPC recognized that Ontario does not have law or binding policy specifically governing the use of artificial intelligence in the public sector, it nonetheless recommended that the University build in “guardrails” to protect its students from the risks of AI-enabled proctoring software. Specifically, the IPC recommended that the University:

conduct an algorithmic impact assessment and scritinize the source or provenance of the data used to train the vendors algorithms;
engage and consult with affected parties (including those from vulnerable or historically marginalized groups) and those with relevant expertise;
provide an opt out as a matter of accommodating students with disabilities and “students having serious apprehensions about the AI- enabled software and the significant impacts it can have on them and their personal information”;
reinforce human oversight of outcomes by formalizing and communicating about an informal process for challenging outcomes (separate and apart from formal academic appeal processes);
conduct greater scrutiny over how the vendor’s software was developed to ensure that any source data used to train its algorithms was obtained in compliance with Canadian laws and in keeping with Ontarians’ reasonable expectations; and
specifically prohibit the vendor from using students’ personal information for algorithmic training purposes without their consent.

The IPC’s approach suggests that it expects institutions to employ a higher level of due diligence in approaching AI-enabled tools given their inherent risks.

Privacy Complaint Report PI21-00001.

Notable quote from recent EWCA freedom of information judgement

On November 22, 2023, the Court of Appeal (England and Wales) held that the Freedom of Information Act 2000 permits the public interest in maintaining non-absolute exemptions to be weighed in the aggregate against the public interest in disclosure.

This decision is technical, and about the unique structure of the United Kingdom’s freedom of information statute. Lady Justice Andrews even remarked, “I anticipate that it will rarely be the case that the issue of statutory construction that we have been asked to resolve would make a practical difference to the outcome of an application for disclosure under FOIA.” The ICO is apparently appealing nonetheless.

I am blogging about the decision because Lord Justice Lewis provides us with this good quote that challenges the idea that a purposive interpretation of an access statute necessarily favours access. He says:

…it is too simplistic to say, as the Upper Tribunal did and as the respondents do, that aggregation of the different public interests in non-disclosure would lead to less disclosure of information and so run counter to the purpose of FOIA which is to promote openness. Similarly, it is unduly simplistic to take the view that FOIA is to be interpreted in as liberal a manner as possible in order to promote the right to information. As Lord Hope recognised in the Common Services Agency case, the right to information is qualified in significant respects and appropriate weight must be given to those qualifications as the “scope and nature of the various exemptions plays a key role within the Act’s complex analytical framework” (see paragraph 34 above). A similar approach to FOIA has been recognised by Lord Walker in BBC v Sugar (No.2) [2012] UKSC 4, [2012] 1 WLR 439, especially at paragraphs 76 to 84 and in Kennedy by Lord Mance and Lord Sumption (with whom Lord Neuberger and Lord Clarke agreed) in the quotations set out at paragraphs 35 and 36 above. Rather, the wording of section 2(2) should be considered, in the light of the statutory context, to determine how Parliament intended the system of exempting information from disclosure to operate.

Bear in mind that the purpose sections in Ontario’s freedom of information statutes expressly state that statutory “exemptions” from the public right of access should be “limited and specific.” The Divisional Court, however, has also held that the statutory purpose of FIPPA and MFIPPA weights in favour of narrowly construing exclusions – the provisions that remove certain records entirely from the scope of the right of access. I question that approach for the reasons articulated by Lord Justice Lewis; it is too simplistic an approach to discerning legislative intent.

Dept for Business and Trade v IC and Montague [2023] EWCA Civ 1378.

BCSC addresses university possession and control of research records

On November 6th, the Supreme Court of British Columbia affirmed a British Columbia OIPC finding that a university was in possession and control of e-mails sent and received by a faculty member that the University claimed related to research. The Court nonetheless quashed the OIPC’s order to issue a decision in respect of the e-mails on the basis that they were not excluded from the public right of access.

The request was for e-mail correspondence between a faculty member and his research collaborator in Japan over a lengthy time period. The University denied the request based on the statutory exclusion for “research information” in British Columbia FIPPA – an exclusion meant to safeguard academic freedom.

On appeal to the OIPC, the University relied on an affidavit from the targeted professor that stated all of the requested communications were related to ongoing research. The affidavit also described the general nature of the communciations, but did not include an index.

The requester responded that the faculty member and his colleague from Japan “have collaborated on numerous formal complaints to TRU about Dr. Pyne’s professional work and behavior” and indicated that they were seeking correspondence that established an improper leak of related information by the faculty member to the colleague – an act of “professional activism.” The OPIC held that the records were under the University’s possession and control and that the University failed to meet its onus of establishing that they were excluded. It ordered it to make a decision as to their release under FIPPA.

The Court affirmed the OIPC’s possession and control finding, dismissing the University’s argument that academic freedom rendered the e-mails beyond its possession and control. The Court said:

[49] Much of TRU’s argument on both arms of the custody and control issue is an attempt to characterize the academic university setting as one in which ordinary analysis does not apply. The argument is that academic faculty members are special: they have academic freedom, which is to say, a protected sphere of individual autonomy, within which they are free from oversight and direction by the university, and their email correspondence within that sphere should be no more subject to disclosure under FIPPA than would be purely personal correspondence.

[50] Counsel for OIPC submits that both arms of TRU’s argument are analytically misplaced because, while FIPPA recognizes the importance of academic freedom, it does so under the aegis of the research information (or research materials) exception in s. 3(1)(e) (now s. 3(3)(i)). I agree with this submission. The research information exception makes room for TRU’s argument. It is unhelpful to have to deal with it separately as an argument about custody or control.

The suggestion in the last sentence above is that the existence of the statutory exclusion lends support to institutional possession and control – i.e., that academic freedom is protected by the exclusion but does not restrict a University’s ability to handle faculty records in processing requests.

The Court nonetheless quashed the OIPC’s order. It held that the University’s evidence established that at least some of the responsive e-mails were excluded, and that the resulting order to issue a decision in respect of all responsive records was over-broad. In making this finding, it held that the OPIC had a reasonable basis for doubting the faculty member’s “blanket assertion” given the competing evidence about “professional activism.”

IMHO the University’s affidavit ought to have carried the day. It may make sense to require better, more particular evidence to support an exclusion claim when the claimant’s evidence is rebutted, but I don’t believe it was rebutted in this case. The only assertion by the requester is that the set of responsive e-mails likely contained information about a research misconduct matter, and research misconduct is typically treated as within the scope of academic freedom and subject to academic self governance and freedom.

Thompson Rivers University v British Columbia (Information and Privacy Commissioner), 2023 BCSC 1933 (CanLII).

Threat information sharing: why you can do what’s right

It was an honour and pleasure to speak today at the Canadian SecuR&E Forum, a research and education community-building event event hosted by CANARIE. My object was to spread the gospel of threat information sharing and debunk some myths about legal privilege as a barrier to it. Here are my slides, and I’ve also included the text of my address below.

Slide one

I am here today as a representative of my profession – the legal profession.

I’m an incident response lawyer or so-called “breach coach.” Lawyers like me are often used in an advisory capacity on major cyber incidents. Insurers encourage this. They feel we add consistency of approach mitigate downside risk.

I’ve done some very difficult and rewarding things with IT leaders in responding to incidents, and genuinely believe in the value of using an incident response lawyer. But I am also aware of a discomfort with the lawyer’s role, and the discomfort is typically expressed in relation to the topic of threat information sharing.

We often hear organizations say, “The lawyer told us not to share.”

I’m here as a lawyer who is an ally to IT leadership, and to reinforce the very premise of CanSSOC – that no single institution can tackle cybersecurity issues alone.

Here’s my five-part argument in favour of threat information sharing:

Organizations must communicate to manage
The art is in communicating well
Working within a zone of privilege is important
But privilege does not protect fact
And threat information is fact

My plan is to walk you through this argument, taking a little detour along the way to teach you about the concept of privilege.

Slide 2

Let’s first define what we are talking about – define “threat information.”

NIST is the National Institute for Standards and Technology, an agency of the US Department of Commerce whose cybersecurity framework is something many of your institutions use.

NIST says threat information is, “Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor.”

Indicators (of compromise) are pieces of evidence that indicate a network has been attacked: traffic from malicious IP addresses and malware signatures, for example.

“TTPs” are threat actor “tactics, techniques and procedures.” These are behaviours, processes, actions, and strategies used by a threat actor. Of course, if one knows threat actor measures, one can employ countermeasures.

Beyond indicators and TTPs, we have more contextualized information about an incident, information that connects the pieces together and helps give it meaning. It all fits within this definition, however.

Slide 3

Argument 1 – we must communicate to manage

Let’s start with the object of incident response. Sure we want to contain and eradicate quickly. Sure we want to restore services as fast as possible. Without making light of it, I’ll say that there is lots of “drama” associated with most major cyber incidents today,

Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You’ll have many, many stakeholders descending on you from time zero, and every one of them wants one thing – information. You don’t have a lot of that to give them, in the early days at least, but you’ve got to give them what you can.

In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what’s happened and what you’re doing about it. It means reporting to law enforcement. And it means sharing threat information with peers.

We’re stronger together is the CanSSOC tag line, and it’s bang on. NIST says that Tier 4 or “adaptive” organizations – the most mature in its framework – understand their part in the cyber ecosystem share threat information with external collaborators. There’s no debate: sharing threat information is part of a widely accepted cybersecurity standard.

Slide 4

Argument 2 – the art is in communicating well

People have a broad right to remain silent under our law.

And anything they say can be used as evidence against them in a court of law.

These are plain truths that are taught to lawyers first year constitutional and criminal law classes across the country.

And the right to remain silent ought to be to be adhered to strictly in some scenarios – when one faces criminal jeopardy, for example

Incident scenarios are far, far from that.

The most realistic downside scenario in most incidents is getting sued.

In theory, you can avoid civil liability by not being transparent about your bad facts.

In reality, hiding your bad facts is almost always an unwise approach.

This is because bad facts will come out:

because you’ll notify individuals affected by a privacy breach in accordance with norms or because it’s legally required; or
because you’re a public body subject to FOI legislation.

So you’ve got to do what the communications pros say: get ahead of it the issue, control the message and communicate well.

Slide 5

Let’s detour from the argument for a moment to do some important background learning.

What is legal privilege?

Short answer – It is a very helpful tool for incident responders.

It’s a helpful tool because it shields communications from pretty much everyone. Adversaries in litigation are the main concern, but also the public – who, again, has a presumptive right of access to every record in the custody or control of a university.

There are two types of privilege.

Solicitor-client. This is the strongest form of privilege. You see the definition here. Invoking privilege is not as simple as copying your lawyer on a communication. But if you send a communication to a lawyer and your decision-making team at the same time, and your lawyer is a legal advisor to the team, the communication is privileged.

Litigation privilege works a little differently, and is quite important. I specify in engagement letters that my engagement is both as an advisor and “in contemplation of litigation” so reports produced by the investigators we hire are more likely to survive a privilege challenge.

Invoking privilege is why you want to call your incident response counsel at the outset. If the investigator comes in first, you can always have a late-arriving lawyer say that the investigation is now for their purpose and in contemplation of litigation, but that assertion could be questioned given the timing. In other words, the investigation will look operational and routine and not for the very special purposes that support a privilege claim.

Slide 6

Back to the argument

Argument 3 – Working within a zone of privilege is important

Here’s an illustration of the power of privilege and why you want to establish it.

The left-hand column is within the zone of privilege. I’m in that zone. The experts I retain for you are in that zone. And you’re in that zone along with other key decision-makers. We keep the team small so our confidential communication is more secure.

And we can speak freely within the zone. Have a look at the nuanced situation set out in the left-hand column. The forensic investigator can present evidence gathered over hours and hours of work in one clear and cogent report. We can deal with fine points about what that evidence may or may not prove and what you ought to do about it. I’ll tell you where you can and should go, but I’ll also tell you about the frailties in those directions and other options you shouldn’t and won’t take.

None of that need ever see the light of day, and in the right-hand column, in public, you can tell your story in the clearest, plainest and most favorable way possible: “We do not believe there has been any unauthorized access to student and employee personal information.” If plaintiff counsel or anyone else wishes to disprove that, they can’t go to your forensic report for a road map to the evidence and for something to mine for facts that might seal your fate in court. They must gather all the evidence gathered by your investigator themselves, re-do the analysis and then figure out on their own what it means.

Privilege is of powerful benefit.

Slide 7

Argument 4 – privilege doesn’t protect facts

I often hear, “We need to keep things confidential because of privilege.” Let me tell you what that means.

The privilege belongs to the client, not the lawyer. Clients can waive privilege, so they need to keep their privileged communications and documents confidential. Institutions do this all the time, but it’s risky to say, “We’re doing this because our lawyer said so.” That’s arguably an implicit waiver.

The easy rule is, “Don’t publish anything you’ve said to your lawyer or that your lawyer has said to you.” Don’t state it directly. Don’t even hint at it!

The same goes for your forensic investigator. Saying “Our forensic investigator told us this.” is also a risk. Just say that you’ve done your investigation, and these are the facts, or you that you believe this to be the case.

If you do that. If you talk about the facts, you won’t waive privilege. You’ll be using the privilege to derive the facts you publish, and will be safe.

This is what your lawyer is working so hard on in an incident. One of our main roles is to work within that zone of privilege on the evidence and to determine what is and isn’t fact. If it really is fact, and you are in transparency mode, you will get the fact out whether it’s a good fact or a bad fact. And I’ll agonize with you about what that right hand column should say and make sure it is safe. I’ll ask myself continuously, “If my client gets into a fight later, will that be what is ultimately proven to be the truth?”

Slide 8

Argument 5 – threat information is fact

It is. And if you can convey facts without waiving privilege, you can convey threat information without waiving privilege.

So don’t listen to anyone that tells you that you can’t share threat information because it will waive privilege. It’s not a valid argument.

You’ll have a very clear view of indicators of compromise fairly early into an incident and should share them immediately because their value is time limited.

It takes longer to identify TTPs, but they are safe to share too because they are factual.

That’s my argument. I’ve been talking tough, but will end with a qualification – a qualification and a challenge!

The qualification. You should be wary of the unstructured sharing of information with context, particularly early on in an incident: CISOs call CISOs, Presidents call Presidents, I understand. I get it, and think that the risk of oral conversations with trusted individuals can be low. Nonetheless, this kind of informal sharing is not visible, and does represent a risk that is unknown and unmanaged. I’d rather you bring it into the formal incident response process and do it right. For example, I was part of an incident last year in which CanSSOC took an unprecedented and and creative step in brining together two universities who were simultaneously under attack by the same threat actor so they could compare notes.

This is the, challenge, then: how do we – IT, leaders, lawyers and CANSSOC together – enable better sharing in a safe manner. There’s a real opportunity to lead the nation on this point, and I welcome it.

Nova Scotia arbitrator admits audio recording over union objection

On April 17, Nova Scotia labour arbitrator Augustus Richardson admitted audio recording evidence that a union objected to even though the employer failed to give proper notice of recording.

The grievors were correctional officers discharged for behaving offensively and unprofessionally in transporting an inmate to a hospital. A hospital social worker complained of misconduct that occurred in the hospital. This led the employer to speak with the inmate, who did not provide a statement, but said something – it’s unclear what – that led the employer to download and review audio-visual recordings from the vehicle the grievors used to transport the inmate.

The vehicle had visible cameras that faced its two inmate compartments, but the union and the grievors claimed they were unaware the cameras recorded audio. The employer had issued a bulletin about the cameras that explained that they recoded audio, but didn’t have a policy or post signage. Arbitrator Richardson heard evidence, and accepted that the grievors and the union were unaware.

Arbitrator Richardson nonetheless admitted the evidence. Relying on the Supreme Court of Canada decision in Syndicat des employé professionnels de l’Université du Québec à Trois-Rivières v. Université du Québec à Trois-Rivières and Alain Larocque 1993 CanLII 162 (SCC), [1993] 1 SCR 471, he held that declining to admit such central evidence would invite a breach of natural justice. Arbitrator Richardson also held that the employer’s access to and use of the evidence was not unreasonable, and was separate from the employer’s recording of the evidence (which the union had not grieved).

There are two points of significance in this case.

First, recording audio with video is risky because it captures private communications. Providing clear notice is important to protect against potential criminal liability (for breach of the Criminal Code wiretap prohibition), and also to avoid disputes like the one adjudicated by Arbitrator Richardson.

Second, Arbitrator Richardson’s approach to the union’s objection is to be preferred to any approach to the exclusion of evidence that does not consider and weigh the impact of exclusion on hearing fairness. He does not a say that a labour arbitrator has no jurisdiction to exclude evidence obtained in breach of privacy but, rather, says that such exclusion must be “appropriate” – i.e., not work an unfairness or bring the administration of (arbitral) justice into disrepute [my words].

Nova Scotia Government and General Employees’ Union v Department of Justice (Correctional Services), 2023 CanLII 31524 (NS LA).

Apply The Emergency Mind to cyber incident response

My BLG teammates and I take the privilege of guiding clients through the perils of cyber incidents seriously. To honour the privilege, we think deeply about various aspects of our performance, including how we can perform better under pressure. Dr. Dan Dworkis’s book, The Emergency Mind: Wiring Your Brain for Performance Under Pressure is now required reading.

Dr. Dworkis is a professor of medicine and an emergency physician. His book, published in 2021, is part of a project that includes a website, podcast and other supports for individuals and teams striving to perform better under pressure. Dr. Dworkis calls The Emergency Mind a “mental toolkit.” It’s comprised of 25 prescriptions for how to think and act in high pressure situations.

When I picked up The Emergency Mind and started in, I was immediately excited. For me, there’s no greater measure of a text than its relevance, and The Emergency Mind was packed with relevant ideas. I connected with them as a lawyer and an athlete, but drew most insight in respect of my role as a cyber incident coach and team lead. I took some notes while reading, and have turned them into the table below. The left hand column summarizes some key ideas from The Emergency Mind. The Right hand column are my notes (now edited) on their application to cyber incident response.

Practice the discipline of “suboptimal”
Idea: Bad outcomes and mistakes will happen. Identify (label) and accept the mistake, rapidly pivot to face the new reality, and learn from the event. Quote: “Personally, when I perform the labeling part of a response, I begin by saying, ‘Well, this is suboptimal.’ Labelling something as ‘suboptimal’ acknowledges the challenging nature of what is happening without pulling me or my team off-line the way that calling it ‘horrible’ or ‘hopeless’ might.”	Labelling thoughts and emotions is a well-known and effective mindfulness technique. To use it in incident response, one must first acknowledge that incident response can provoke emotion. This is true, especially when things go wrong. Evidence is sometimes deleted, information is leaked or conveyed to third parties prematurely, threat actors do not do what is predicted, and so on. When faced with these problems, the team must resist the urge to dwell on the matter of fault and continue to look forward. Learning comes later in the incident response process, at least after the acute phase has passed. I also appreciate Dr. Dworkis’s use of the term “suboptimal” because it mirrors the typical objective we set in guiding clients through an incident – to “optimize” the course of action in light of business, reputational and legal risks. Use of the terms “optimal” and “suboptimal” highlights the fluid nature of incident response. There are always multiple paths to the end.
Combine action and analysis
Idea: Have and foster an ability to apply the right mode of thinking and action – be it fast or slow. Quote: “When you are not forced to act, jumping into a response without further analysis of the emergency is sometimes a bit like throwing darts without looking at the dartboard. You might hit the board, but because you don’t understand where you are aiming, you’re much more likely to miss the target entirely and waste your darts.”	This is reminiscent of an idea I have shared with associates about practicing law fast and slow, adapted from Daniel Khaneman’s text Thinking Fast and Slow. We need to know when a legal problem deserves a quick handling – enabled by assumptions and qualifications – and when we must buy time for more robust analysis. In incident response, we are primarily in fast thinking, “action mode.” There are moments on calls when you need to pause, draw deep on experience and instinct, and declare how best to proceed. The qualification is implicit, though sometimes we explain that we are making a decision based on “gut.” At the same time, slowing the pace of decision making down is a major responsibility of a cyber incident coach. Dr. Dworkis’s dart board metaphor can illustrate the tendency of many inexperienced incident response teams to rush at the outset of a cyber incident. I’m not counselling inaction, but most teams will benefit from a pause and emotions check at the outset. There is more time available than you feel.
Favour praxis over theory
Idea: Identify solutions that can actually be applied in the moment whether or not they represent theoretical best practice. Favour praxis – the application of knowledge to real life. Quote: “One of the best ways you can start to consider the details of praxis and theory in your field is to explore deeply the actual mechanisms that must function correctly for you to deliver your skill. Get curious about how the sausage is made, so to speak. Lean into learning both deeply in your chosen skills, and laterally into the adjacent skills that help you and your team succeed.”	This is a good one for me, particularly as it pertains to the challenge of analyzing large, stolen data sets. Doing a proper analysis based on e-discovery is plainly the ideal, but e-discovery is expensive and time consuming, and time-to-notify is a very visible fact. Burning weeks and months on e-discovery can spoil an excellent early-stage response, leaving an organization who has spent the time and money to “do the job right” the subject of overwhelmingly negative judgement and outcry. So, before engaging in e-discovery, we build the best possible informal view of the data set, we build towards reasonable assumptions, and we see if classes of individuals can be notified without e-discovery. We help clients weigh the risk of “over notification” against the risk of delay. These solutions are neither precise nor pretty, but can be defensible.
Decide not to decide
Idea: Do not waste your decision-making resources. Devote them to the most important and difficult decisions. Quote: “During an emergency, the most critical decisions are those that irreversibly (or at least strongly) commit your team to a particular mental model or course of action.”	No cyber incident coach is happy to be brought into a matter and paired with an incident response forensics vendor who has already been retained. That single decision bears more on the outcome of an incident than any other in my view. This is because we must trust the chosen vendor, especially regarding the scope and depth of the investigation. There is a limited ability to consider and discuss the scope of forensic evidence collection, and deference to a vendor’s standard practice is the norm. These practices vary, and over and under scoping an investigation can have highly negative consequences.
Practice Wabi-sabi
Idea: Employ the Japanese concept of wabi-sabi, which emphasizes the values of simplicity, imperfection, and transience. Quote: “… if you deny that situations change, you create a potentially dangerous schism in your universe and the reality around you. As this gap increases, the solutions and plans you had generated before reality changed will be rapidly ineffective.”	My strong preference is to contact a threat actor early because it is a fast way to gather reliable information and because it is a means of enhancing control and keeping the primary adversary in view. Threat actors – perhaps frustrated by repeated engagement with organizations who are more interested in investigation than payment – have adopted countermeasures, becoming very stingy with their information. We also recently provided counsel on an incident in which our client had reliable intelligence that a threat actor would be slow to publish in the absence of contact, which meant it could delay a reach out while remaining in control. This perfectly illustrates Dr. Dworkis’s point. The Wabi-sabi way demands detachment from a tactic we have so often helped clients deploy to a successful end.
See the forest and the leaf
Idea: Default to an attention span that is zoomed in, but don’t lose sight of the whole field. Quote: “… emergency medical providers often find themselves handling multiple sick patients simultaneously. In these circumstances, it might not be possible, or desirable, to completely restrict your focus to a single patient. Here, communication and delegation are key, and cognitively offloading some of your thinking to skilled team members helps you deploy your focus where you need it most.”	At any given time, we will be working with ten to twenty clients who are responding to incidents – our patients. As a team lead, my attention is drawn most to those clients with incidents in the acute phase, which lasts from one to three weeks. Beyond that, incidents move into a slower phase that involves e-discovery, notification and reporting. We delegate much of the work in that phase to an excellent team of associates. These associates have a greater degree of technical knowledge about the latter phase of incident response than the partners who act as leads. Given the money spent on e-discovery and notification, the latter phase of incident response is not low risk, but it does move slower, and tasks can be delegated effectively with good communication. Good communication requires a lead to “run the board” regularly – re-building a view of all cases – and making course corrections before small latter phase problems grow.
Harness the wisdom of the room
Idea: To the extent possible, rely on information and knowledge from every individual on the team. Quote: “As a leader, you will frequently feel tension between your need to process multiple points of view and to move forward rapidly with a plan. At some points during a crisis, your emphasis should be on action and execution of your plan. At others, the emphasis might be on unifying your team’s vision through open discussion.”	Dr. Dworkis recommends asking the team, “What are we missing? What have we not tried yet?” I’ve done more of this questioning at his urging, and like how it affects the team dynamic. It’s an acknowledgement that incident response is complex, that there are few clear answers and that the perspective of the team matters. It’s an invitation to humility, and a humble crises leader is a good crises leader.

Preparation and performance under pressure go hand in hand, and we all know that preparation for cyber incidents is a critical best practice. My urging to cyber responders (lawyers and non-lawyers alike) is to expand your scope of preparation to encompass performance under pressure. This will help you develop fundamental skills and behaviors to that will have an impact on your and your teams’ performance. Reading The Emergency Mind would be a great start.

Court of Appeal for Saskatchewan reformulates guidance for ownership of lawyers’ files

On August 10th, the Court of Appeal for Saskatchewan held that the Saskatchewan Court of Queen’s Bench erroneously ordered “solicitor’s notes and inter-office memoranda” to be produced to a client because this categorization was over-broad. It reviewed the Canadian law and held that the authoritative text from Cordery’s Law relating to Solicitors is often misunderstood and unquestionably applied to provide lawyers ownership of their “working file.” It re-stated the test as follows:

Documents in existence prior to the retainer and provided by the client to the lawyer remain, in the absence of some proof to the contrary, the property of the client.
Documents prepared by a lawyer for the benefit of the client belong to the client. This would include, for instance: legal research memoranda; pleadings, briefs and other documents filed in court; witness statements; and notes of conversations with the client, other counsel or third parties concerning matters that relate to the substance of the file or to the business of advancing the file toward a conclusion.
Documents prepared by a lawyer for their own benefit or protection belong to the lawyer. This would include, by way of example, things such as accounting records, conflict searches, time entry records, and financial administration records like draft statements of account and cheque requisitions. Internal communications and notes concerning administrative matters such as the role that various lawyers and staff will play on the file may also fall into this category.
That said, documents will often be prepared for, or will serve, more than one purpose. For example, a file note setting out instructions received from a client will both benefit the client by helping to ensure that their wishes are clearly understood and benefit the lawyer by memorializing the mandate received from the client. In such circumstances, the predominant purpose should be controlling. Any doubt about the predominant purpose should be resolved in favour of the client with the result being that “documents prepared for the benefit of the lawyer” is likely to be quite a narrow class of material in most files. In this regard, one helpful way to assess if a document belongs to the client may be to ask whether, when it was created, a new lawyer taking over the file at that time would have wanted to have had the document in order to properly and efficiently manage the file and advance the client’s interests. If the answer is “yes”, and particularly if the client paid for the time involved in generating the document, then it should be seen as belonging to the client.
The fact that the client has been billed for the time involved in preparing a document will be a significant factor, but not necessarily a decisive one, weighing in favour of the conclusion that the document belongs to the client. In this regard, it is difficult to see how a document prepared for the benefit of the client and for which the client was billed would not be the property of the client. However, that said, I doubt that the same is true with respect to documents prepared for the benefit or protection of the lawyer. For example, and without endorsing this sort of billing practice, if the lawyer happens to record and charge out the time involved in doing a conflict of interest check to confirm that they can act for the client, the document reflecting the result of that conflict of interest check would nonetheless belong to the lawyer.
The burden of showing that a document in a file is the property of the lawyer should rest with the lawyer. They will understand the circumstances in which the document came to be created and will be in possession of the information about who it was intended to benefit.

Note the imposition of a predominant purpose test and a form of presumption in the fourth bullet above, which is at the crux of the Court’s decision.

CPC Networks Corp. v McDougall Gauley LLP, 2023 SKCA 90 (CanLII).

Federal Court of Appeal modifies test for application of open courts principle to administrative tribunals

On July 27th, the Federal Court of Appeal held that the Parole Board of Canada erred in denying the media access to recordings of its hearings.

The matter was about an application for copies of recordings of parole hearings involving notorious convicted criminals Paul Bernardo, William Shrubsall and Craig Monro. The Corrections and Conditional Release Act provides for parole hearings that the Supreme Court of Canada has said are inquisitorial in that the Board is bound to consider all evidence put before it in conducting a form of risk assessment. The Act also gives the public a presumptive right to attend hearings. The media can therefore (presumptively) attend and report on hearings, though the Act deems personal information in the recordings (and other documents on the record) not to be publicly available for for the purpose of the Access to Information Act and the Privacy Act.

The CBC relied on the open courts principle, though the Court ultimately determined the matter on administrative law grounds. It held the Board unreasonably reckoned with the odd scenario – that the media had already heard and reported on everything recorded even though it was deemed not to be publicly available – and erroneously refused to disclose the recordings “outright” based on an unreasonable amplification of the privacy risk. It suggested that there may be some privacy risks in providing access, but that they could be satisficed by imposing conditions on storage and republication.

As for the open courts principle, the Court accepted the following Board argument against application:

The Board says that it is not because its proceedings are inquisitorial – not adversarial – in that the Board is engaged in a risk assessment process in the course of which it receives information from Corrections Canada and submissions from the offender and victims. The offender is not opposed by a representative of the state, as is the case, for example, in a sentencing hearing. Similarly, the offender’s counsel, if they have one, has a limited role in Board hearings.

It also, however, modified and expanded the test for application, noting that the test should focus on the degree to which a tribunal presides over an adversarial proceeding rather than the procedural trappings of the proceeding. It explained:

It appears that, whatever other distinctions may exist between different kinds of administrative tribunals, the fact that a tribunal presides over adversarial proceedings as an adjudicative body is a reliable indicator that the tribunal is subject to the open court principle. It is the fact of adjudicating competing interests that imposes the duty of fairness and impartiality which gave rise to the description of some tribunals as quasi-judicial. In Toronto Star Newspapers Ltd. v. Ontario (Attorney General), 2018 ONSC 2586, 142 O.R. (3d) 266, such tribunals were described as adjudicative tribunals. The characteristic that gives rise to the application of the open court principle to an administrative tribunal is the presence of an adversarial process, as opposed to the formalities by which that adversarial process is conducted. In short, the open court principle applies to adjudicative tribunals.

The Court ordered the matter to be returned to the Board for reconsideration.

Canadian Broadcasting Corporation v. Canada (Parole Board), 2023 FCA 166 (CanLII).

Manitoba Law Reform Commission comes out against NDA legislation

On June 29th, the Manitoba Law Reform Commission issued its final report on its study of the use of non-disclosure agreements in the settlement of misconduct claims. The Commission “strongly recommended” that legislation governing the the content and use of NDAs in claims of misconduct should not be enacted in Manitoba at this time because such legislation “could cause serious, unintended consequences and negatively impact complainants.”

The Commission is established under a Manitoba statute to “inquire into and consider any matter relating to law in Manitoba with a view to making recommendations for the improvement, modernization and reform of law.” The Commission is currently comprised of two judges, two law professors and three practitioners, five of whom are female. It reached its conclusion after issuing a consultation paper last year and engaging in public consultation.

The Commission acknowledged that the issue is complex and subject to divergent views. It concluded that the model of legislation first implemented in Prince Edward Island and now reflected in numerous Canadian bills amounts to a virtual prohibition on the use of NDAs. The Prince Edward Island Non Disclosure Agreements Act, for example, deems an NDA to be unenforceable if it adversely affects the health and safety of a third-party or the public interest, a provision a reform advocate argued to the Commission rendered all NDAs unenforceable. Likewise, the Commission concluded that a requirement that permits survivors to walk away from a previously agreed to undertaking of confidentiality would preclude the use of NDAs altogether.

This effective ban, according to the Commission, goes too far given NDAs can serve the public interest and the interests of survivors. It underscored its position by presenting a lengthy quote from a childhood sexual abuse survivor, a quote also worthy of including here in full:

Given my past, I tend to focus first on the victim, on what’s best for the victim. That focus is so absolute that the only possible submission I could make here is that NDAs in these circumstances must be eliminated, right?

Wrong.

Because even though I live daily with my experience as a victim of the worst serial sexual abuse imaginable, I can’t shut down the other part of me that knows that I benefitted from an arrangement that involved an NDA that may not have been possible had there been a law preventing an NDA in my circumstances.

In short, there is no right answer, for as strong as all of the reasons why NDAs can be harmful and dangerous for victims are, things just might end up even worse for victims if NDAs are not allowed in these circumstances.

My submission would undoubtedly be different if we lived in a world where as much money and other resources is dedicated to rehabilitating victims as is made available for incarcerating and attempting to rehabilitate those who commit the crimes against these victims. But we don’t live in that world. Things are getting better, but we still don’t focus enough on making sure victims are rehabilitated. That can leave a victim desperate for whatever help and support he or she can get, financial or otherwise.

Unfortunately, NDAs are one side of a commercial transaction. It’s ugly to think of them that way, but that’s what is most often taking place. Silence is being traded for money. It’s awful, it’s disgusting. But it’s the reality. And, it’s an undeniable fact that without an NDA and the corresponding secrecy parties would have less incentive to enter into agreements with victims.

As bad as being constrained by an NDA might be, it isn’t for me to ever say that a victim would be better off being free from that burden if it meant having to give up a financial settlement that could possibly provide life-sustaining support. The unfortunate reality is that there would be fewer settlements available for victims if NDAs were not permitted in these instances.

I know what I want to write. I know what people want to hear from a victim like me. I want to be able to write that NDAs in these circumstances are reprehensible and should be precluded. And they are reprehensible. But just because they are reprehensible doesn’t mean that the alternative wouldn’t be worse. Eliminating NDAs would skew incentives in a way that would likely have an even worse impact on victims. And, I don’t think there is any meaningful way to legislate a way out of this basic conundrum.

We want to do good things, we want to better our world. We are angry that bad things happen to good people, that bad people get away with bad things. We want to change that. We are motivated for all of the right reasons. So we try to do something, anything, to try to make things better. NDAs seem bad, they feel bad, so they must be bad, we must enact a new law precluding them or limiting them.

But NDAs can facilitate what a victim needs. NDAs, as abhorrent as they may be, actually develop out of a process that tries to make things better for the victim. So I urge caution before any steps are taken that would potentially interfere with this unpalatable yet important part of our legal system involving victims.

Currently, aside from PEI, Ontario has enacted legislation meant to protect students at post-secondary educational instructions. There is now a broader private members bill at first reading in Ontario and bills before the legislatures British Columbia and Nova Scotia and before Federal Parliament. The Commission’s report is important because it features a view that is not popular and very difficult to convey, though it also raises a critical concern about the clear legislative trend.

BCSC quashes FOI decision about risk of harm to Airbnb hosts

On July 4th, the Supreme Court of British Columbia quashed a British Columbia OIPC order to provide an FOI requester with access to information about Airbnbs operating in the City of Vancouver.

The City licenses short term rentals. It publicly discloses license information, presumably to enable renter inquires. However, the City stopped publishing host names and rental addresses with license information in 2018 based on credible reports of safety risks. Evidence of the safety risks was on the record before the OIPC – general evidence about “concerned vigilante activity” and harassment, evidence about a particular stalking episode in 2019 and evidence that raised a concern about enabling criminals to determine when renters likely to be out of the country.

The OIPC nonetheless ordered the City to disclose:

License numbers of individuals;
Home addresses of all hosts (also principle residences given licensing requirements); and
License numbers associated with the home adresses.

It was common ground that the above information could be readily linked to hosts by using publicly available information, rendering the order upsetting to Airbnb’s means of protecting its hosts. Airbnb only discloses the general area of rentals on its platform, which allows hosts to screen renters before disclosing their address.

The evidence affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

First, the Court held that the OIPC unreasonably held that home address information was contact information rather than personal information. It failed to consider the context in making a simplistic finding that home address information was “contact information” because the home address was used as a place of business. The disclosure of the home address information, in the context, had a significant privacy impact that the OIPC ought to have considered.

Second, the Court held that the OIPC erred in not giving notice to the affected hosts – who numbered at least 20,000 – and for not providing reasons for its failure. The Court said this was a breach of procedural fairness, a breach punctuated by the evidence of a stalking and harassment risk that the OIPC acknowledged but held did not meet the Merck threshold.

This is a wonderful case that illustrates how judicial review works. In my view, the evidence about the risk of harm drove the outcome despite the Court’s affirmation of the OIPC finding. The Court simply found an easier way to address the problem with the OIPC’s outcome – a procedural fairness finding. The notice obligation is no small obligation in cases like this, but cannot be rightly ignored.

Airbnb Ireland UC v Vancouver City, 2023 BCSC 1137.