On employees and home computers

Here is a good law.com article that raises the question, “Just when should an employer have access to a departed employee’s home computer or personal e-mail account?”

Consider a disability claim where an employer (as disability benefits insurer and defendant) seeks information about the time a departed employee who is claiming he has a total disability spends surfing the internet. Assume that seeking production of the employee’s home computer is a rational request because the employee has given evidence in discovery that he lives alone and is the sole user of his home computer. Is production of the home computer for forensic analysis justified, or is this just a fishing expedition?

In Canada, there is a trio of British Columbia cases with facts not unlike this scenario: see Park v. Mullin, 2005 BCSC 1813, Ireland v. Low, 2006 BCSC 383 and Desgane v. Yuen, 2006 BCSC 955. In all three cases the British Columbia Supreme Court declined to order production of hardware after weighing the evidentiary value of the proposed production against the plaintiffs’ privacy rights.

It’s one thing, however, to fish for an employee’s personal information because it might be assistive. It’s another to seek production of evidence that’s not particularly personal or sensitive and that is central to the claim.

Now consider an employer who sues a departing employee for breach of confidence. An employee who takes business records needs to put them somewhere. The most obvious receptacle is his or her home computer.

Assuming the claim has merit, should the employer be entitled to know for sure whether the employee has (or has ever had) custody of its records? Is the probative value of the proposed production not very high given the difficulty in proving misuse of confidential information? In the context, is production of the actual computer warranted despite all the personal information it is likely to contain? I’m not aware off-hand of any Canadian breach of confidence cases in which production of a departed employee’s home computer has been ordered, but in the Ameriwood case cited in the law.com article a Missouri court answered these questions in the affirmative.

Case Report – RAM preservation order affirmed

On August 24th, the United States District Court for the Central District of California affirmed a magistrate’s order that required the defendant in a copyright infringement action to preserve and produce data stored temporarily in a computer’s Random Access Memory or “RAM.”

The defendant operates a website that allows users to download files that are used to search and download video files. It did not log individuals’ IP addresses or instruct its third-party service provider to log IP addresses, but these addresses, which can be used to identify users, were stored temporarily in RAM. The plaintiffs sued the defendant for contributing to and inducing copyright infringement and requested production of IP address logs.

In May, a magistrate ordered the defendant to start logging IP addresses and to routinely produce them in masked form and in a manner that would allow the plaintiffs to identify the regular users of the defendant’s service. In affirming the magistrate’s award, the Court simply reasoned that data stored in RAM is “stored” within the meaning of the United States Federal Rules of Civil Procedure. On the burden of preserving data from RAM, it made this somewhat comforting yet non-committal statement:

In response to amici’s concerns over the potentially devastating impact of this decision on the record-keeping obligations of businesses and individuals, the Court notes that this decision does not impose an additional burden on any website operator or party outside of this case. It simply requires that the defendants in this case, as part of this litigation, after the issuance of a court order, and following a careful evaluation of the burden to these defendants of preserving and producing the specific information requested in light of its relevance and the lack of other available means to obtain it, begin preserving and subsequently produce a particular subset of the data in RAM under Defendants’ control.

The Court also rejected a number of the defendant’s arguments related to its users’ privacy.

Columbia Pictures Industries Inc. v. Bunnell (24 August 2007, Dist. Ct. California).

Case Report – Implementation of biometric timekeeping system upheld

On August 7th, Arbitrator David Murray dismissed a grievance that challenged the implementation of a biometric timekeeping system. According to Mr. Murray, when an employer proves the general superiority of a new technology, the standard for invasiveness that would justify restricting its implementation is high. He said:

The union grounded its case squarely on the claim that Kronos violated the management rights clause of the collective agreement. No evidence was brought that it did. Instead the union pointed out that the evidence of Erskine could be interpreted to justify the view that if there was anything wrong with the old ITR system (and the union said, correctly, there had been no evidence of time stealing or buddy punching) it could be rectified with a system less technologically advanced than Kronos. That line of reasoning is not only not persuasive, it is positively Luddite. If the employer believed that Kronos was state-of-the-art and met its needs why should it have to put up with second best absent any evidence that employees’ rights were being infringed? If the opportunity had existed who would not want to move from the Age of Sail to the Age of Flight without going through the Age of Steam first?

Arbitrator Murray was very critical of Arbitrator Timms’ IKO Industries award, in which she allowed a grievance challenging the same timekeeping system.

Re Good Humour – Breyers and United Food & Commercial Workers Union, Local 175, [2007] O.L.A.A. No. 406 (Murray) (QL).

State report on Virginia Tech released

The state panel struck by Virginia Governor Tim Kaine released its report on the April shootings yesterday. Once again, the report has some strong comments on the need for information-sharing, at one point stating, “Information privacy laws cannot help students if the law allows sharing, but agency policy or practice forbids necessary sharing.”

At this point I have only scanned the report and read the summary, but may post a comment after reading the (lengthy) report in full.

See the University’s internal “Interface” report here and the special report to the President of the United States here. I’ve posted about the incident here and written about it here.

One to watch – Implied undertaking case at the SCC

A significant case on the implied undertaking rule (or deemed undertaking rule, as it may be) is being heard at the Supreme Court of Canada on November 16th.

In Doucette v. Wee Watch Day Care Systems Inc., 2006 BCCA 2662 the British Columbia Court of Appeal held that a party obtaining information in the discovery process can make a bona fide report of criminal conduct to the police without seeking court approval.

The underlying action was a negligence claim against a day care and day care worker which was filed after a child suffered a seizure while under care. The police investigation was ongoing, but the police had not yet laid charges by the time the day care worker’s examination for discovery was scheduled. The day care worker filed a motion to request an express restriction on disclosure of her transcript and the Attorney-General brought a competing motion seeking to vary the implied undertaking to allow disclosure of the discovery transcript to the police. The trial judge held that both motions were premature but declared that the A-G and the police were under an obligation not to cause the parties to violate their undertakings without the day care worker’s consent or leave of the court.

The Court of Appeal acknowledged an exception to the undertaking when disclosure is necessary to prevent serious and imminent harm and then went further to permit disclosure without court approval in non-exigent circumstances:

The conclusion reached by the chambers judge is thoughtful and practical. It does not, however, contemplate the circumstance in which neither party has an interest in or is willing to seek court ordered relief from the disclosure of information under the undertaking or otherwise. Nor does it contemplate non-exigent circumstances of disclosed criminal conduct. It is easy to imagine a situation in which criminal conduct is disclosed in the discovery process, but no one apprehends that immediate harm is likely to result. Nevertheless, if an application to court is required before a party may disclose the alleged conduct, the perpetrator of the crime may be notified of the disclosure and afforded the opportunity to destroy or hide evidence or otherwise conceal his or her involvement in the alleged crime.

In my opinion, the scope of the undertaking must be fashioned in a manner that accommodates these and other eventualities. I conclude that the implied undertaking of confidentiality rule is as stated in Hunt: a party obtaining production of documents or transcriptions of oral examination of discovery is under a general obligation, in most cases, to keep such document confidential. A party seeking to use the discovery evidence other than in the proceedings in which it is produced must obtain the permission of the disclosing party or leave of the court. However, the obligation of confidentiality does not extend to bona fide disclosure of criminal conduct. On the other hand, non-bona fide disclosure of alleged criminal conduct would attract serious civil sanctions for contempt.

The focus of the inquiry is on the use to which the evidence is to be made. A party is limited in the manner in which it can use the discovery evidence as I have indicated above. A non-party, such as the police, who obtains the discovery evidence by lawful means (such as by search warrant) is not prevented from using the evidence to further an investigation. Whether the evidence can be used in a subsequent criminal proceeding is a matter to be considered by the criminal court.

In Ontario the issue is governed by Rule 30.1.01(8) but the analysis is the same. In fact, the Court considered the limited Ontario jurisprudence on the issue and held, to the extent the Ontario jurisprudence favoured a rigorous deemed undertaking rule over the protection of the public interest in the detection and prosecution of crimes, the Ontario jurisprudence should not be followed. See in particular: Linchris Homes Ltd. (1990), 1 O.R. (3d) (G.D.), Perrin v. Beninger, 2004 CanLII 18347 (Ont. S.C.J.) and Klassen v. College of Physicians and Surgeons of Ontario, [2002] O.J. No. 4055 (S.C.J.).

This is truly one to watch.

Alex Cameron of the On the Identity Trail project recently wrote a good article on the related issue of privacy and litigation at blog-on-nymity. It’s available here.

The Hicks Post – Data breach low hanging fruit

Paul Broad and I posted our fall edition of the Hicks Morley Information and Privacy Post today. It’s available here. In addition to some brief commentary on “data breach low hanging fruit,” we’ve included summaries of cases that we’ve reviewed since publishing our spring edition. The top draws in our current edition:

  • The Divisional Court’s FOI decision on the anonymization of databases and whether replacing a unique identifier (that is also personal information) creates a new record
  • The Ontario Court of Appeal’s finding that the public interest override in Ontario’s FOI legislation is unconstitutional and its reading-in remedy
  • A decision by labour arbitrator Paula Knopf on a challenge to an employer’s short term disability administration practices
  • The latest Ontario decision in the recent flare-up in drug testing litigation, a decision by labour arbitrator Jane Devlin
  • A June 27th American e-discovery case that illustrates how not to manage a complex e-discovery project

Please check out the Post. Hope you enjoy!

Recent appeal court decisions illustrate wisdom of reasonable restrictive covenants

The Ontario Court of Appeal issued a short endorsement in Crystal Tile and Marble Ltd. v. Dixie Marble & Granite Inc. on August 20th, upholding a judgment that dismissed a claim against a high-performing ex-salesperson. Presumably the salesperson was not bound by a restrictive covenant because the claim was based on an alleged breach of fiduciary duty and breach of confidence. The Court endorsed the following passage from the trial judgment:

The fact that the business decision to rely so heavily on Mr. Miskiewicz may have turned out to be a less than prudent one is not sufficient to brand Mr. Miskiewicz as a fiduciary when the other hallmarks of a fiduciary relationship, such as the power to make or influence management decisions or set corporate policy, are absent. To find otherwise would mean that every salesperson, regardless of his or her position or authority in the business, would have a fiduciary duty simply because of his or her success in sales.

This comment is reminiscent of those made recently in Imperial Sheet Metal Ltd. v. Landry and Gray Metal Products, a decision of the New Brunswick Court of Appeal. The Court held that cases (including some leading Ontario cases) that find salespeople to be fiduciaries based on a vulnerability arising from exposure to customers are wrong: “too many employees of ‘humble origin’ are being swept into fiduciary net.” It also held that knowledge of customer needs and preferences generally does not have the quality of confidence necessary to found an action for breach of confidence.

These cases are significant for their denouncement of the case commonly made against departing salespersons who are not bound by restrictive covenants. They’re reason for employers to carefully consider bargaining reasonable restrictive covenants at the outset of the employment relationship.

E-mail surveillance and constructive knowledge (Part 3)

This is a continuation of two earlier posts, one that spoke about an employer’s duty to maintain a harassment-free workplace as justification for routine e-mail surveillance and another that highlighted the different position that a post-secondary educational institution is in, at least vis-a-vis institutionally-administered e-mail accounts.

The United States v. Heckenkamp decision of this April is another illustration of how employers and post-secondary educational institutions are different. In it, the United States Court of Appeals for the Ninth Circuit held that a state university violated a student’s expectation of privacy by conducting a remote search of his own computer (connected to the university’s network from his dorm room) in an attempt to prevent an attack on its network. Despite this finding, the Court nonetheless held the evidence obtained was admissible in the student’s criminal trial under the American “special needs” doctrine.

I won’t comment directly on the case, but encourage you to read this good editorial by the Stanford Law School Center for Internet and Society’s Jennifer Granick. Ms. Granick focusses her critique on the Court’s application of the “special needs” exception (appropriately, as it determined the outcome of Mr. Heckenkamp’s case). She chooses not to address the subtle implication in the case that the university could have diminished Mr. Heckenkamp’s expectation of privacy, by promulgating a more strongly-worded network access policy:

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that “[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state.” When examined in their entirety, university policies do not eliminate Heckenkamp’s expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university’s systems. Therefore, we must reject the government’s contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.

This raises some interesting questions given that a post-secondary institution has a relationship with its student users that’s much like a relationship between a commercial internet service provider and its customers. Would a commercial ISP have felt compelled to search Mr. Heckenkamp’s computer to protect its network? Would privacy legislation permit a commercial ISP to impose a condition of service that allowed it to conduct such a search? Are guarantees of academic freedom a reason for post-secondary institutions to be even more cautious than a commercial ISP in promulgating search-friendly network access policies?

These are all important questions. Of course, employers are in a different position than commercial ISPs and post-secondary institutions because they can establish policy to restrict employees from connecting their own computers to their networks. To the extent employers choose to depart from this ideal (by allowing employees to remotely access their networks from their own computers, for example), they open up a world of risks, one of which is well-illustrated by Heckenkamp.

Thanks go to my colleague Paul Broad of our privacy group for his great input on this post.

Virginia Tech internal reports released

As I’ve posted about here and written about here, the Virginia Tech shooting has served as a good discussion point for how a post-secondary institution’s duty to maintain a safe campus environment should be balanced against its duty to respect student privacy. Yesterday the University released reports from three internal committees struck shortly after the incident to examine the strengths and weaknesses of its systems. One of the reports, that of the school’s “Interface Group,” examines the security/privacy balance and echoes some of the thoughts about the need for information sharing that were first expressed in the special report made to President Bush on June 13, 2007. For a flavour, here’s one of the internal group’s seven recommendations:

Effective communication among units regarding at-risk students is essential. There are a number of recommendations intended to enhance communication in the system including conducting on-going training for personnel on the application of the Family Educational Privacy Act (FERPA) in the discussion of cases, clarifying public statements in university policy on how FERPA is applied, establishing a central university contact who has a comprehensive picture of distressed students who have been assessed by the system, clarifying policies for communicating with external agencies regarding acutely distressed students, and implementing a new policy for emergency notification for students.

According to the New York Times, a report from a panel struck by Virginia Governor Tim Kaine will be released late next week.

Case Report – Latest American data breach case

This significant data breach case recently came to my attention. In it, the United States District Court for the Southern District of Ohio dismissed a motion to certify a class proceeding because the plaintiff had not alleged any damage other than the cost of obtaining credit monitoring services.

The defendant, a mortgage loan service provider, experienced a break-in in August 2005. The thieves took over $60,000 in computer hardware, including four hard drives containing the personal information of over 229,000 individuals. About four weeks after the break-in, the defendant notified individuals of the breach. In its notification letter, the defendant recommended that affected individuals place a fraud alert on their credit files but did not offer to pay for credit monitoring services.

The plaintiff claimed the defendant was negligent in securing the hard drives and negligent in terminating its internal investigation of the breach before identifying the perpetrators. The resulting loss, as alleged in the claim, was the cost of obtaining credit monitoring services “for many years” and “at great expense.”

The Court held that the plaintiff did not have standing to bring a claim in negligence because she did not establish a genuine issue of material fact in respect of her own claim. It cited a series of American cases from the last two years for the proposition that the cost of responding to an increased risk of identity theft, when merely speculative, is not an actionable loss. The following paragraph is a nice summary of the factual basis for the Court’s decision:

Although the above cited cases are not binding on this Court, this Court finds them to be persuasive. Plaintiff has admitted, that to her knowledge, no unauthorized use of her personal information has occurred. She has not been a victim of identity fraud since the theft, which occurred 20 months ago. Additionally, Plaintiff waited until almost one full year after the theft to obtain credit monitoring and chose not to place a free fraud alert on her credit report. She also failed to allege in her complaint that the information was the target of the theft. Although in her briefs she theorizes that the break-in was an “inside job” and that the information was targeted there is no evidence to support this. The four hard drives were among $60,000 worth of equipment that was stolen from the server room. There is no evidence that the information was the target of the theft as opposed to the actual hard drive themselves. Neither the Atlanta Police Department nor the private investigator hired by Litton came to any such a determination. Furthermore, even if the information was the target of the theft, there is no evidence that the thieves or other unauthorized individuals were able to access that information or if accessed that it would be used for unlawful purposes. Thus, any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.

Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 205, 706-07 (S.D. Ohio 2007).