Cyber Risks and M&A Transactions

We have just posted all the content for our BLG series “Privacy & Cyber Risks, Trends & Opportunities for Business.” See here for some very good content by our privacy and data security team.

Here is a direct link to our most recent webinar, which I delivered together with my partner Patrice Martin. It was very rewarding to work with and learn from Patrice, a very well established technology industry and transactions lawyer.

Enjoy. Learn. Get in touch.

When it happens, will you be ready? How to excel in handling your next cyber incident

I like speaking about incident response because there are so many important practical points to convey. Every so often I re-consolidate my thinking on the topic and do up a new slide deck. Here is one such deck from this week’s presentation at Canadian Society of Association Executives Winter Summit. It includes an adjusted four step description of the response process that I’m content with.

We’ve been having some team discussions over here about how incident response plans can be horribly over-built and unusable. I made the point in presenting this that one could take the four step model asset out in this deck, add add a modest amount of “meat” to the process (starting with assigning responsibilities) and append some points on how specific scenarios might be handled based on simple discussion if not a bona fide tabletop exercise.

Preparing for a cyber incident isn’t and shouldn’t be hard, and simple guidance is often most useful for dealing with complex problems.

The current state of FOI

Here is a deck I just put together for the The Osgoode Certificate in Privacy & Cybersecurity Law that gives a high-level perspective on the state of FOI, in particular given (a) the free flow of information that can eviscerate practical obscurity and (b) the serious cyber threat that’s facing our public institutions. As I said in the webinar itself, I’m so pleased that Osgoode PDP has integrated an FOI unit into into its privacy and cyber program given it is such a driver of core “information law.”

For related content see this short paper, Threat Exchanges and Freedom of Information Legislation, 2019 CanLIIDocs 3716. And here’s a blog post from the archives that with some good principled discussion that I refer to – Principles endorsed in Arar secrecy decision.

Alberta OIPC finds Blackbaud incident gives rise to RROSH

Hat tip to my good colleague Francois Joli-Coeur, who let our group know yesterday that the OIPC Alberta has issued a number of breach notification decisions about the Blackbaud incident, finding in each one that it gave rise to a “real risk of significant harm” that warrants notification and reporting under Alberta PIPA.

Blackbaud is a cloud service provider to organizations engaged in fundraising who suffered a ransomware incident last spring in which hackers exfiltrated the personal information of donors and educational institution alumni. The true scope of the incident is unknown, but likely large, affecting millions of individuals across the globe.

Blackbaud issued notably strong communications that de-emphasized the risk of harm. It rested primarily on the payment of a ransom, assurances by the threat actors that they would delete all data in exchange for payment and its ongoing dark web searches. Most affected institutions (Blackbaud clients) notified anyway.

On my count the OIPC issued seven breach notification decisions about the incident late last year, each time finding a “real risk.” In a decision involving an American college with donors or alumni in Alberta, the OIPC said:

In my view, a reasonable person would consider the likelihood of significant harm resulting from this incident is increased because the personal information was compromised due to a deliberate unauthorized intrusion by a cybercriminal. The Organization reported that the cybercriminal both accessed and stole the personal information at issue. The Organization can only assume that cybercriminal did not or will not misuse, disseminate or otherwise make available publicly the personal information at issue.

This is not surprising, but tells us how the OIPC feels about the assurance gained from paying a ransom to recover stolen data.

See e.g. P2020-ND-201 (File #017205).

BCCA – Open courts principle does not provide for “automatic and immediate” access to court records

On December 9th, the Court of Appeal for British Columbia rejected a media challenge that alleged that the Court’s access policy violates section 2(b) of the Canadian Charter of Rights and Freedoms because it precludes wholly unfettered inspection of court records. The Court held that the Charter guarantees no such right, which would be inconsistent with a court’s responsibility for supervising the handling of its records.

The policy that the applicants challenged requires those seeking access to court records in criminal appeals to fill out of a form. Based on the content of completed forms, the Registrar may refer the request to the Chief Justice, who may seek input from the parties. In practice, if parties who are consulted don’t agree that the Court should provide access, those seeking access must file a formal application for access.

The media brought its application after the Court denied administrative access to records (filed in an application for bail pending appeal) that involved the investigation of a police officer for sexual misconduct. The media argued that the policy reverses the burden of justification provided for by Dagenais/Mentuck.

Chief Justice Bauman disagreed, stating:

Unfettered public access to court records is not the promise of the open court principle. That access is subject to supervision by the court, in recognition of the need to protect social values of superordinate importance. Judges have the discretion to order restrictions on access, exercised within the boundaries set by the principles of the Charter:

There is also nothing unlawful, Chief Justice Bauman held, in requiring requesters to confront a matter of administration (which was not associated with any proven material delay) in order to relieve the parties to a proceeding from preemptively seeking a sealing order.

R. v. Moazami, 2020 BCCA 350 (CanLII).

Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students

I’ve had a long time interest in threat assessment and its application by educational institutions in managing the risk of catastrophic physical violence, though it has been a good ten years since the major advances in Canadian institutional policy. Here is a pointer to a journal article about an apparent new United States trend – automated monitoring of online and social media posts for threat assessment purposes.

Author Amy B. Cyphert starts with an illustrative scenario that’s worth quoting in full:

In 2011, a seventeen–year–old named Mishka,1 angry that his friends had recently been jumped in a fight, penned a Facebook post full of violence, including saying that his high school was “asking for a [expletive] shooting, or something.” Friends saw the post and alerted school officials, who contacted the police. By the time psychologist Dr. John Van Dreal, who ran the Safety and Risk Management Program for Mishka’s Oregon public school system, arrived, Mishka was in handcuffs.4 Mishka and his classmates were lucky: their school system employed a risk management program, and Dr. Van Dreal was able to help talk with Mishka about what caused him to write the post. Realizing that Mishka had no intention of harming anyone, Dr. Van Dreal helped Mishka avoid being charged with a criminal offense. Dr. Van Dreal also arranged for him to attend a smaller school, where he found mentors, graduated on time, and is today a twenty–five–year–old working for a security firm.

Had Mishka’s story happened today, just eight short years later, it might have looked very different. First, instead of his friends noticing his troubled Facebook post and alerting his school, it might have been flagged by a machine learning algorithm developed by a software company that Mishka’s school paid
tens of thousands of dollars to per year. Although Mishka’s post was clearly alarming and made obvious mention of possible violence, a post flagged by the algorithm might be seemingly innocuous and yet still contain terms or features that the algorithm had determined are statistically correlated with a higher likelihood of violence. An alert would be sent to school officials, though the algorithm would not necessarily explain what features about the post triggered it. Dr. Van Dreal and the risk management program? They might have been cut in order to pay for the third-party monitoring conducted by the software company. A school official would be left to decide whether Mishka’s post warranted some form of school discipline, or even a referral to the authorities.

Cyphert raises good questions about the problem of bias associated with algorithmic identification and about the impact of monitoring and identification on student expression, privacy and equality rights.

My views are quite simple.

I set aside algorithmic bias as a fundamental concern because the baseline (traditional threat assessment) is not devoid of its own problems of bias; technology could, at least in theory, lead to more fair and accurate assessments.

I also put my main concern on the matter of efficacy. Nobody disputes that schools and higher education institutions should passively receive threat reports from community members. My questions. Has the accepted form of surveillance failed? What is the risk passive surveillance will fail? How will it fail? To what degree? Does that risk call for a more aggressive, active monitoring solution? Is there an active monitoring solution that is likely to be effective, accounting concerns about bias?

If active internet monitoring cannot be shown to be reasonably necessary, however serious the problem of catastrophic physical violence, I question whether it can be either legally justifiable or required in order to meet the standard of care. Canadian schools and institutions who adopt new threat surveillance technology because it may be of benefit, without asking the critical questions above may invite a new standard of care with tenuous underpinnings.

Cyphert, Amy B. (2020) “Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students,” Nevada Law Journal: Vol. 20 : Iss. 2 , Article 4.
Available at: https://scholars.law.unlv.edu/nlj/vol20/iss2/4

The Five Whys, the discomfort of root cause analysis and the discipline of incident response

Here is a non-law post to pass on some ideas about root cause analysis, The Five Whys, and incident response.

This is inspired by having finished reading The Lean Startup by Eric Ries. It’s a good book end-to-end, but Ries’ chapter on adaptive organizations and The Five Whys was most interesting to me – inspiring even!

The Five Whys is a well-known analytical tool that supports root cause analysis. Taichii Ohno, the father of the Toyota Production System, described it as “the basis of Toyota’s scientific approach.” By asking why a problem has occurred five times – therefore probing five causes deep – Ohno says, “the nature of the problem as well as its solution becomes clear.” Pushing to deeper causes of a failure is plainly important; if only the surface causes of a failure are addressed, the failure is near certain to recur.

Reis, in a book geared to startups, explains how to use The Five Whys as an “automatic speed regulator” in businesses that face failures in driving rapidly to market. The outcome of The Five Whys process, according to Ries, is to make a “proportional” investment in corrections at each five layers of the causal analysis – proportional in relation to to the significance of the problem.

Of course, root cause analysis is part of security incident response. The National Institute of Standards and Technology suggests that taking steps to prevent recurrences is both part of eradication and recovery and the post-incident phase. My own experience is that root cause analysis in incident response is often done poorly – with remedial measures almost always targeted at surface level causes. What I did not understand until reading Ries, is that conducting the kind of good root cause analysis associated with The Five Whys is HARD.

Ries explains that conducting root cause analysis without a strong culture of mutual trust can devolve into The Five Blames. He gives some good tips on how to implement The Five Whys despite this challenge: establishing norms around accepting the first mistake, starting with less than the full analytical process and using a “master” from the executive ranks to sponsor root cause analysis.

From my perspective, I’ll now expect a little less insight out of clients who are in the heat of crises. It may be okay to go a couple levels deep while an incident is still live and while some process owners are not even apprised of the incident – just deep enough to find some meaningful resolutions to communicate to regulators and other stakeholders. It may be okay to tell these stakeholders “we will [also] look into our processes and make appropriate improvements to prevent a recurrence” – text frequently proposed by clients for notification letters and reports.

What clients should do, however is commit to conducting good root cause analysis as part of the post-incident phase:

*Write The Five Whys into your incident response policy.

*Stipulate that a meeting will be held.

*Stipulate that everyone with a share of the problem will be invited.

*Commit to making a proportional investment to address each identified cause.

Ries would lead us to believe that this will be both unenjoyable yet invaluable – good reason to use your incident response policy to help it become part of your organization’s discipline.

Federal Court of Appeal – litigation database privileged, no production based on balancing

On October 20th, the Federal Court of Appeal set aside an order that required the federal Crown to disclose the field names it had used in its litigation database along with the rules used to populate the fields. It held the order infringed the Crown’s litigation privilege.

The case management judge made the order in a residential schools abuse class action. The Crown had produced approximately 50,000 documents, with many more to come. The plaintiffs sought the fields and rules (and not the data in the fields) to facilitate their review. The case management judge, though acknowledging litigation privilege, judged the fields and rules as less revealing than the data in the fields and ordered production in the name of efficient procedure.

The Court of Appeal held that the case management judge erred because they “subordinated the Crown’s substantive right to litigation privilege to procedural rules and practice principles.” It also held, “a party attempting to defeat litigation privilege must identify an exception to litigation privilege and not simply urge the Court to engage in a balancing exercise on a case-by-case basis.”

Canada v. Tk’emlúps te Secwépemc First Nation, 2020 FCA 179 (CanLII).

Sask QB addresses willfulness requirement in a privacy claim

You might be surprised how often lawyers get sued for invading others’ privacy. On October 5th, the Saskatchewan Court of Queen’s Bench struck such a claim on the basis it disclosed no reasonable cause of action.

The defendant lawyer delivered a divorce petition and related documents to another law firm that had represented the plaintiff in the past, but the law firm was not authorized to receive the documents, and the applicable procedural rules called for personal service. The plaintiff pleaded a failure – i.e. that “the defendants failed to do their due diligence in ensuring McKercher LLP represented the plaintiff on the divorce matter.” The plaintiff said this failure caused a privacy violation given the documents contained information about the plaintiff’s income, property and the grounds for divorce.

Notwithstanding the disclosure of this information, the Court held that the the information disclosed by the plaintiff “was not the plaintiff’s to protect.” This is best viewed a finding based on context. The court punctuated the finding nicely by stating:

The point is this. Service of his wife’s petition on counsel who, as the plaintiff states, is a member of a firm with whom he has a solicitor-client relationship cannot reasonably be perceived to be a violation of his privacy.

The Court also held that the disclosure was not “willful,” as required by the Saskatchewan Privacy Act. Justice Klatt reviewed the law and said:

It is fair to say that there is no firm agreement across the country as to what “willfully” entails in the context of privacy legislation (see, for example, Agnew-Americano v Equifax Canada Co., 2019 ONSC 7110). However, I agree with Halvorson J.’s comments in Peters-Brown that “willfully” requires something more than the intentional commission of an act that has the result of violating privacy. In my view, it is more than recklessness, inadvertence or accident.

This narrow view is an authoritative statement on the law of Saskatchewan, though as noted, the requirement varies across Canada. In Ontario, privacy claims can be based on alleged recklessness (a concept with boundaries in the civil context that are still up for debate).

Kumar v Korpan, 2020 SKQB 256 (CanLII).

Cyber defence basics – Maritime Connections

I was pleased to do a cyber defence basics presentation to privacy professionals attending the Public Service Information Community Connection “Maritime Connections” event yesterday. The presentation (below) is based off of recent publications by the New York Department of Financial Services and the Information Commissioner’s Office (UK) as as the (significant) Coveware Q3 ransomware report.

As I said to the attendees, I am not a technical expert and no substitute for one, but those of us outside of IT and IT security who work in this space (along with the predominantly non-technical management teams we serve) must engage with the key technical concepts underpinning IT security if we are to succeed at cyber defence.

I’ll do an updated version next week at Saskatchewan Connections next week. Join us!