Experts, privilege and security incident response

26 Sep

I’d encourage you to read David Fraser’s blog post from last weekend – The value of legal privilege: Your diligent privacy consultant may become your worst enemy.

David’s basic point is sound: structuring a security or privacy expert retainer to support a privilege claim can prevent your own expert’s advice from being used against you. Most often this is done by having legal counsel retain an expert in anticipation of litigation and for the dominant purpose of litigation, with instructions and conclusions going strictly between counsel and expert.

David explains a scenario in which an organization retained an expert to advise on some form of due diligence connected to a subsequent security incident. The expert was apparently quite candid in its written advice, outlining a security problem that amounted to what David compares to a “dumpster fire.” The organization responded partly but not wholly to the expert’s recommendations. That expert’s report will therefore become, as David says, the plaintiff’s Exhibit A.

Being faced with your own expert’s advice is very bad, hence the soundness of David’s point. My additional point: legal privilege is no solution to a bad client-counsel-expert relationship.

The views on what is a reasonable investigation or remediation in the data security context can vary widely between equally qualified experts. Too often, perhaps driven by conflicting interests, security experts recommend what’s possible rather than what is “due.” A breach coach can help address this problem, identifying trusted experts and working with them to reach a shared and acceptable understanding of the due diligence required in responding to a security incident. With such a relationship, departing from an expert’s recommendations (even though they are privileged) represents a real and meaningful risk. The facts – i.e., the things done based on an expert’s recommendations – are never privileged. If litigation ensues those facts will be picked apart by other experts, and you want the good ones to view the facts the same way as you and your trusted advisor.

Experts that are prone to floating long lists of options need to be retained under privilege because they are dangerous, but even under privilege their advice is worth little. The prescription: do everything you can to build a great client-counsel-expert relationship. Use a breach coach. Keep a roster of trusted experts on retainer. Don’t use experts retained for due diligence advice to do the very remedial work they recommend.

Ont CA says doctor gross revenue information is not personal information

4 Aug

As reported widely, yesterday the Court of Appeal for Ontario affirmed an IPC/Ontario finding that gross revenue earned by Ontario’s top earning doctors was not their personal information.

There’s not much to the decision. (A number of the grounds for appeal were “optimistic.”) The decision illustrates that information must reveal something of a personal nature about an individual (in the relevant context) to be the individual’s personal information. In the doctors’ case, the link between gross income and the personal finances was not strong, as noted by the Court:

The information sought was the affected physicians’ gross revenue before allowable business expenses such as office, personnel, lab equipment, facility and hospital expenses. The evidence before the Adjudicator indicated, however, that, in the case of these 100 top billing physicians, those expenses were variable and considerable.

In another context, gross revenue information could be personal information. What is and is not personal information is a VERY contextual matter.

Ontario Medical Association v. Ontario (Information and Privacy Commissioner), 2018 ONCA 673.

OCA says Children’s Lawyer records not under MAG’s custody or control

23 Jun

On June 18th the Court of Appeal for Ontario held that the Ministry of the Attorney General is not in custody or control of records in a Children’s Lawyer litigation file even though the Children’s Lawyer, for administrative purposes, is part of MAG. The finding turns on the Children’s Lawyer’s independence and the privacy interests of the children it represents. These kinds of contextual factors are important to the custody or control analysis. As stated by the Court, “an organization’s administrative structure is not determinative of custody or control for purposes of FIPPA.”

This decision is consistent with other law that suggests records within an institution are not always in custody or control of an institution – e.g., certain faculty records and personal e-mails. Custody or control is therefore no simple concept to administer and is prone to dispute. At least for now IPC decisions will be subject to judicial review on the correctness standard, another (surprising) finding the Court of Appeal made in rendering its decision.

Ontario (Children’s Lawyer) v. Ontario (Information and Privacy Commissioner), 2018 ONCA 559 (CanLII).

Sask CA says Commissioner’s request for privileged communications unnecessary

18 May

On May 16th the Court of Appeal for Saskatchewan held that the Office of the Information and Privacy Commissioner, Saskatchewan should not have required the University of Saskatchewan to produce communications that it claimed were subject to solicitor-client privilege.

The Commissioner began by inviting the University to provide evidence that supported its privilege claim. The University filed an affidavit from a non-lawyer stating that legal counsel had advised that “some” of the withheld documents are subject to solicitor-client privilege. It did not file an index of records.

This led the Commissioner to immediately request the records. Although the Commissioner had asked the University for an index of records, it did not ask again – an omission that the Court held to breach the principle that demands an adjudicator only review solicitor-client communications when absolutely necessary to assess a privilege claim.

This fact-specific decision illustrates how strictly the absolute necessity principle will be enforced. The Court also spoke about what privilege claimants ought to be required to present in support of their claims. In doing so, it suggested that an index that identifies records will ordinarily provide an adequate basis for assessing a privilege claim in the absence of any evidence suggesting a claim is “ill founded”.

University of Saskatchewan v Saskatchewan (Information privacy Commissioner), 2018 SKCA 34.

Ontario Court says FOI statute fails in providing access to administrative tribunal records

29 Apr

Yesterday the Ontario Superior Court of Justice held that the Ontario Freedom of Information and Protection of Privacy Act violates section 2(b) of the Charter because it goes too far to protect the privacy of parties, witnesses and others in matters heard by the Ontario Human Rights Tribunal, Ontario Labour Relations Boards and other statutory tribunals.

The Toronto Star brought the Charter application. It argued that the access regime created by FIPPA is too restrictive and too slow to meet its Charter-based right of access to “adjudicative records” – records of things filed before tribunals like pleadings and exhibits as well as tribunal decisions. A number of Ontario tribunals process requests for adjudicative records formally under FIPPA while others provide access more informally. The Star argued that the informal process must be the norm.

Justice Morgan allowed the application and declared that FIPPA violates the Charter by imposing a presumption of non-disclosure of “personal information” in adjudicative records. It is a puzzling decision for two reasons.

First, there is virtually no discussion about whether the open courts principle ought to apply to administrative tribunals. The Court’s application of the open courts principle appears to be derived from a provision requiring openness in the Statutory Powers Procedure Act:

All parties acknowledge that administrative hearings governed by the Statutory Powers Procedure Act (“SPPA”) are required to be open to the public. In principle, therefore, it is uncontroversial that “[t]he ‘open court’ principle” – at least in some version – “is a cornerstone of accountability for decision-making tribunals and courts.”

One might argue that the Court elevates a statutory presumption (which ought to be read in harmony with FIPPA) into a constitutional right. One might also argue that there are policy imperatives for administrative justice that weigh against recognition, in respect of tribunals, of the same level of openness that applies to courts – expediency and ease of access, for example. These two imperatives in particular are likely to suffer if administrative tribunal records are treated similarly to court records.

Second, the Court’s decision rests on what it says is a flawed “presumption of non-disclosure” – one that makes personal information in adjudicative records presumptively inaccessible. According to the Court this presumption arises out of the framing of FIPPA’s section 21 “unjustified invasion of privacy exemption,” which states that personal information shall be withheld unless its disclosure would not constitute an “unjustified invasion of privacy.”

It is too strong to call this a presumption, particularly in light of section 53 of FIPPA, which states, “Where a head refuses access to a record or a part of a record, the burden of proof that the record or the part falls within one of the specified exemptions in this Act lies upon the head.” To the contrary, all records in an institution’s custody or control are presumptively accessible under FIPPA, with limitations on the right of access dictated to be “limited and specific” as stipulated FIPPA’s purpose provision.

It’s quite arguable that FIPPA grants a right of access subject to a balancing of interests that has been carefully calibrated by the legislature and ultimately governed by an expert tribunal – the Information Privacy Commissioner/Ontario. Justice Morgan did not hide his views about the IPC, stating “In terms of the expertise of the institution heads and, in particular, the IPC, it is fair to say that the jury is still out. ”

Toronto Star v. AG Ontario, 2018 ONSC 2586.

BCCA addresses public right of access to “a record of a question”

21 Apr

On April 13th, the Court of Appeal for British Columbia held that a rubric for an undergraduate admissions test administered by UBC was excluded from British Columbia’s public sector access and privacy act as a “record of a question.” It interpreted this phrase purposively, as encompassing “anything that is integral to the question such that disclosure would defeat the purpose of the question for future use.”

University of British Columbia v. Lister, 2018 BCCA 139 (CanLII).

Financial institution compliance presentation – privacy, data security and anti-spam

31 Mar

I’ve been doing a survey presentation in the Osgoode PDP program on financial institution compliance for the last five years now. Here’s this year’s deck.

What’s new? The V-Tech security measures report by the Office of the Privacy Commissioner of Canada, the Canadian Securities Administrators Staff Notice 33-321 (and some much more meaty guidance by the CSA) and the reduction of the Compufinder fine under CASL. See below for more.