Good quotes on the impossibility of “ensuring” security and achieving zero risk

I blogged about Arbitrator Surdykowski’s decision in Providence Health when it was released in 2011 for its ratio – employers are entitled to more than a bare medical certification when an employee is absent from work.

I had occasion to use the case in a matter I argued yesterday, and was pleasantly surprised to re-read what Arbitrator Surdykowski said about data security and the impossibility of “ensuring” data security. The union had made an argument for minimizing the collection of health information that rested on data security risk, to which Mr. Surdykowski replied:

I agree with the Union’s assertion that there is always a possibility that private and confidential medical information may be inadvertently released or used inappropriately.  Try as they might, it is impossible for anyone to absolutely guarantee information security.  All that anyone can do in that respect is the best they can.  There is nothing before me that suggests the extent to which the inadvertent (or intentional) release or misuse of confidential information occurs, either generally or at the workplaces operated by this Employer.  More specifically, there is no indication of how often it happens, if at all, or that best efforts are demonstrably “not good enough”.

In a perfect world, the security and proper use of confidential private medical (or other) information could and would be guaranteed.  But to be perfect the world would have to be populated by perfect human beings.

This is a nice quote to bring forward in this blog, of course, because it’s always good to remind ourselves (and others) that the mere happening of a security incident doesn’t mean fault!

It’s a hard point to argue when hindsight bears heavily on a decision-maker, but it is indisputable. I once defended an employer in a charge that followed a rather serious industrial accident in which an employee at a truck dealership was run over by a tractor. The Court of Appeal held that the tractor wasn’t a “vehicle” for the purposes of the Occupational Health and Safety Act and entered an acquittal. In examining the context for this finding Justice Cronk made the same point as Arbitrator Surdykowski:

That said, consideration of the protective purposes of the legislative scheme is not the only consideration when attempting to ascertain the scope of s. 56 of the Regulation. The Act seeks to achieve “a reasonable level of protection” (emphasis added) for workers in the workplace. For obvious reasons, neither the Act nor the Regulation mandate or seek to achieve the impossible — entirely risk-free work environments.

Every security incident is an opportunity to tell a story about pre-incident due diligence that highlights this basic truth. (If your defence rests on our horrendously vague privacy law you’re in trouble, I say.) It’s also reason to hold our tongues and not judge organizations who are victimized, at least before learning ALL the facts. Security incidents are complex. Data security is hard.

Organization stumbles into BYOD nightmare

Hat tip to investigation firm Rubin Thomlinson for bringing an illustrative British Columbia arbitration decision to my attention. The remarkable April 2019 case involves an iPhone wiped by an employee’s wife mid-investigation!

The iPhone was owned by the employer, but the employer set it up using the employee’s personal Apple ID. That is not uncommon, but the employer apparently did not use any mobile device management software. To enforce its rights, the employer relied solely on its mobile device (administrative) policy, which disclaimed all employee privacy rights and stipulated that all data on employer devices is employer-owned.

Problems arose after the employer received a complaint that the employee was watching his female colleagues. The complainants said the employee “might also be taking pictures” with his phone.

The employer met with the employee to investigate, and took custody of the phone. The employee gave the employer the PIN to unlock the phone, but then asked for the phone back because it contained personal information. The employer excluded the employee and proceeded to examine the phone, but did not finish its examination before the employee’s wife (whom the employee had phoned) remotely wiped the phone and refused to restore it with backup data.

The employer terminated the employee for watching the complainants (though not necessarily taking their pictures) and for insubordination.

The arbitrator held that the employer did not prove either voyeurism or insubordination. In doing so, he held that the employer had sufficient justification to search the phone but that it could not rely on its mobile device policy to justify excluding the employee from the examination process and demanding the recovery of the lost data. Somewhat charitably, the arbitrator held that the employee ought to be held “accountable for failing to make an adequate effort to encourage his wife to allow for recovery of the data” and reserved his decision on the appropriate penalty.

The employer took far too much comfort from its ownership of the device. Given the phone was enabled by the employee’s personal Apple ID, the employer was faced with all the awkwardness, compromise and risks of any BYOD arrangement. Those risks can be partially mitigated by the use of mobile device management software. Policy should also clearly authorize device searches that are to be conducted with a view to the (quite obvious) privacy interest at stake.

District of Houston v Canadian Union of Public Employees, Local 2086, 2019 CanLII 104260 (BC LA).

For Rubin Thomlinson’s more detailed summary of the case, please see here.

Broutzas narrowed, privacy action certified, uncertainty abounds

On January 6th, Justice Morgan certified a class proceeding that was based on a nurse’s unauthorized access to very basic personal health information – patient status and allergy information – so she could obtain prescription drugs.

Although there were no damages to support a negligence claim, Justice Morgan held that the cause of action criterion for certification of a privacy breach claim was met because, “an infringement of privacy can be ‘highly offensive’ without being otherwise harmful in the sense of leading to substantial damages.” (IMHO, this is correct.)

In otherwise assessing the quality of the nurse’s infringement, Justice Morgan distinguished Broutzas, in which Justice Perell declined to certify an action, in part, because the theft of address information from patients who had given birth at a hospital was not “highly offensive.” Justice Morgan said:

Counsel for the Plaintiff takes issue with this analysis. In the first place, he points out that the factual context of the Rouge Valley case is distinguishable from the case at bar in one important way: the patients/claimants in [Broutzas] were all in the hospital for the birth of a baby, which is perhaps the least confidential of reasons. Indeed, Perell J. recited the factual background of each patient making a claim in that case, and observed that one had announced their child’s birth and circulated photos of the new baby on social media, while another had done a Facebook posting in celebration of the birth of their new baby at the defendant hospital: Ibid, paras. 97, 106. As Plaintiff’s counsel here points out, the expectation of privacy in such circumstances is negligible.

Fair enough, but it’s nonetheless quite clear that not all judges value privacy the same way. The uncertainty in judge-made privacy law is palpable.

Stewart v. Demme, 2020 ONSC 83 (CanLII).

Notable snippet about the personal information concept in recent Ont CA search case

On January 13th, the Court of Appeal for Ontario held that a convicted appellant did not have a reasonable expectation of privacy in “what could be seen and heard on [his] property from his neighbour’s [property].”

The police trespassed on a neighbour’s rural property to conduct surveillance, and they heard gunshots and saw two individuals with rifles outside of the appellant’s house. Based on these observations, the police obtained a warrant to search the appellant’s house. They ultimately secured one or more convictions on drug and weapons charges.

The Court held that, in the context, it did not matter that the police were trespassing. (The gunshots were loud, and the appellant’s property was abutted by a public road in any event.) It also held that the police did not obtain “personal information,” reasoning as follows:

What triggered the application for the first warrant was the sound of the discharge of a firearm – something that could scarcely be concealed – coupled with visual observations of persons outdoors either firing a rifle or holding a rifle. These were bare observations of physical acts. There was no personal information obtained.

This illustrates how the personal information concept is not as simple, and perhaps not as broad, as one might think. The facts observed clearly allowed the police to infer what was in the house and obtain, on the reasonable and probable grounds standard, a search warrant. Nonetheless, the Court held that the observations did not invite a collection of personal information.

R v Roy, 2020 ONCA 18 (CanLII).

ONSC applies false light privacy tort, awards $300,000 in damages

Justice Kristjanson of the Ontario Superior Court of Justice has applied the tort of publicly placing a person in a false light in ordering an abusive husband to pay $300,000 in damages to his estranged spouse.

The defendant waged a campaign against the plaintiff in which, contrary to court orders, he published photos and videos of the couple’s two children to allege the plaintiff was a child abuser and criminal. He also targeted the plaintiff by e-mailing community members links to his content and directing various real-world publications via pamphleting and postering in the UK, where the plaintiff had sought shelter. The campaign was extreme, causing the plaintiff to become ill and fear for her safety.

Justice Kristjanson awarded $150,000 in punitive damages, $50,000 for intentional infliction of mental suffering and $100,000 for breach of privacy. The breach of privacy damages were based jointly on the public disclosure of embarrassing private facts tort and the tort that applies to publicity that places one in a false light. On the false light tort, Justice Kristjanson explained:

170      With these three torts all recognized in Ontario law, the remaining item in the “four-tort catalogue” of causes of action for invasion of privacy is the third, that is, publicity placing the plaintiff in a false light. I hold that this is the case in which this cause of action should be recognized. It is described in § 652E of the Restatement as follows:
Publicity Placing Person in False Light
One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of his privacy, if
(a) the false light in which the other was placed would be highly offensive to a reasonable person, and
(b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.
171      I adopt this statement of the elements of the tort. I also note the clarification in the Restatement’s commentary on this passage to the effect that, while the publicity giving rise to this cause of action will often be defamatory, defamation is not required. It is enough for the plaintiff to show that a reasonable person would find it highly offensive to be publicly misrepresented as they have been. The wrong is in publicly representing someone, not as worse than they are, but as other than they are. The value at stake is respect for a person’s privacy right to control the way they present themselves to the world.
172      It also bears noting this cause of action has much in common with the tort of public disclosure of private facts. They share the common elements of 1) publicity, which is 2) highly offensive to a reasonable person. The principal difference between the two is that public disclosure of private facts involves true statements, while “false light” publicity involves false or misleading claims. (Two further elements also distinguish the two causes of action: “false light” invasion of privacy requires that the defendant know or be reckless to the falsity of the information, while public disclosure of private facts involves a requirement that there be no legitimate public concern justifying the disclosure.)
173      It follows that one who subjects another to highly offensive publicity can be held responsible whether the publicity is true or false. This indeed, is precisely why the tort of publicity placing a person in a false light should be recognized. It would be absurd if a defendant could escape liability for invasion of privacy simply because the statements they have made about another person are false.
174      Moreover, it is likely that in the course of creating publicity placing a person in a false light, the wrongdoer will happen to include true, but private, facts about the person whose privacy is invaded. In this case, for instance, the defendant has publicized falsehoods about the plaintiff, but he has also publicly aired private facts about her present living situation with the children and her parents (including videos of their home) and details of access visits which is a true, but private matter.

This is the first time the false light tort has been recognized in Canada. Justice Kristjanson said the $20,000 cap on damages recognized in Jones v Tsige “may not apply” to it, though also suggested a larger award was warranted on the facts.

Justice Kristjanson also issued a 33-paragraph order that provided for broad-ranging permanent injunctive relief and made the defendant’s right of access to his children dependent on compliance. (The trial of the plaintiff’s action proceeded together with a family law trial.)

Yenovkian v Gulian, 2019 CarswellOnt 21614, 2019 ONSC 7279.

Ont CA articulates detriment requirement for a breach of confidence claim

On December 24th, the Court of Appeal for Ontario affirmed the dismissal of a breach of confidence claim because the plaintiff did not make out a “detriment.” Despite its affirmation, the Court held that the trial judge erroneously said that a breach of confidence plaintiff must prove “financial loss.” It explained, “The concept of detriment is not tied to only financial loss, but is afforded a broad definition, including emotional or psychological distress, loss of bargaining advantage, and loss of potential profits.”

CTT Pharmaceutical Holdings, Inc. v. Rapid Dose Therapeutics Inc., 2019 ONCA 1018 (CanLII).

Ont CA quashes decision to close police board meeting for failure to consider the Charter

On December 27th, the Court of Appeal for Ontario issued a significant decision about the openness of meetings conducted by the governors of public bodies.

The matter involved a decision to go in camera made by a delegate of the Thunder Bay Police Service so it could deal with a police disciplinary matter – to be precise, a decision to extend the time limit for serving a notice of disciplinary hearing on several police officers for their suspect handling of an indigenous man’s death. The delegate applied the statutory test for closing a meeting as set out in section 35(4) of the Police Services Act. He rejected an argument that the more strict Dagenais/Mentuck test applied, reasoning that he was not charged with conducting a judicial or quasi-judicial proceeding.

The Court of Appeal agreed that Dagenais/Mentuck did not apply. It nonetheless held that the delegate erred by not accounting for section 2(b) of the Charter, which it had recently held governs access to police board meetings in a case called Langenfeld. Justice Sharpe said:

In my view, that statutory test and not the Dagenais/Mentuck test governed the exercise of his discretion. However, the s. 2(b) right recognized in Langenfeld has a direct bearing on the exercise of that discretion. Through no fault of his own, the decision maker did not consider Langenfeld. The “principle that proceedings be open to the public”, recognized by s. 35(4), is considerably fortified by the s. 2(b) Charter right recognized by Langenfeld in relation to police services board meetings.

Doré, at para. 56, explains that the administrative decision maker is “to ask how the Charter value at issue will best be protected in view of the statutory objectives” and that the core of this “proportionality exercise” will require the decision maker “to balance the severity of the interference of the Charter protection with the statutory objectives.” As Doré explains, at para. 57, this proportionality exercise “calls for integrating the spirit of [the Charter’s s. 1 reasonable limits scrutiny] into judicial review”.

The Court remitted the matter to the delegate for reconsideration, stressing various contextual factors to weigh in the balance.

The overlay of the Charter on top of statutory criteria for closing a meeting is significant. Also significantly, the Court read the Police Services Act to empower the Board to make confidentiality orders incidental to a decision about whether to close a meeting in order to achieve proportionality – a reading it said flowed from the ability to close a meeting “in part.”

The Court creates a new (and ambiguous) requirement for closing meetings that likely applies to a large number of Ontario public bodies.

Canadian Broadcasting Corporation v. Ferrier, 2019 ONCA 1025.