Author: Dan Michaluk

Case Report – Production of hard drive ordered

On September 11th, the Ontario Superior Court of Justice ordered the production of a forensic image of a hard drive. Although not clear on the face of the endorsement, this appears to be an order for the production of a departed employee’s former work hard drive.

The Court saw the production order as an efficient means of producing accessible metadata and noted there was no evidence that the production order would lead to the disclosure of confidential or privileged information:

The cost of redacting the non-relevant documents and associated metadata is expensive and time consuming and it is efficient and cost effective to simply reproduce the entire hard drive in its original form. Rule 1.04(1) of the Rules requires the court to liberally construe the Rules to secure the just, most expeditious and least expensive determination of the proceeding on its merits. There is no evidence to suggest that the non-relevant documents are sensitive, confidential or prejudicial in any way such that Hummingbird might be entitled to some form of protection or to warrant the ordering of the redaction, which is a costly exercise.

The Court also presumed (based on the plaintiff’s prior production of paper records from the hard drive) that production of the hard drive itself would produce additional relevant metadata:

While there was no evidence as to the precise nature of metadata, it seems to me that metadata is “data and information in electronic form”. Hummingbird has determined that certain of the documents located on the hard drive and certain of the metadata was relevant. In my view, once Hummingbird has determined that a particular document is relevant, the metadata in relation to such document should be produced. In my view, the metadata is akin to a “time/;date stamp” affixed to a letter or the “fax header” that indicated the time/date of faxing and receipt.

As the Court noted, it made its order without the benefit of affidavit evidence from either party and without the benefit of hearing submissions on any case law on the proper scope of production of records in electronic form.

Hummingbird v. Mustafa, 2007 CanLII 39610(Ont. S.C.J.).

Case Report – Jurisdiction to order production of non-resident data

The Federal Court rejected an application to vacate a production order made under section 231.2 of the Income Tax Act. The order required two Canadian eBay subsidiaries to produce data about specific Canadian eBay users that resided on servers operated by eBay’s American subsidiary in the United States.

The Court dealt only with the issue of whether it had jurisdiction to order production of non-resident data because the parties agreed that the Court should reserve on whether there was a sufficient basis for the order pending resolution of the appeal in Canada (MNR) v. The Greater Montreal Real Estate Board, 2006 FC 1069 (CanLII). On the threshold issue, the Court stated:

In the present case, eBay Canada has access to and uses information respecting PowerSellers. It is not determinative of the issue that the electronic apparatus storing the information which eBay Canada accesses is outside Canada. The information can be summoned up in Canada and for the usual business purposes of eBay Canada. The situation may be different if the information never had been used in Canada.

For commentary by Michael Geist, please click here.

eBay Canada Limited v. Canada (National Revenue), 2007 FC 930 (CanLII).

Data breach response – a multidisciplinary perspective

In some chance timing given the release of the report on the Canadian investigation into the TJX breach, I presented today at a lunch meeting of the Association of Certified Forensic Investigators of Canada together with David Malamed of Grant Thonrton. We called the presentation “Data Breach Response: A Multidisciplinary Perspective.”

This is the first presentation David and I have given on an project we started at the beginning of the summer together with Karen Gordon, an expert crises communicator from Squeaky Wheel Communications. The idea we are promoting is that organizations should be using multi-disciplinary teams to manage breach response and, whether internal or external experts are used, the team should be defined in a formal breach response plan.

I’ve posted a copy of the presentation here.

Case Report – Data breach investigation report released

The Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have released their joint report into the TJX/Winners data breach. They found that TJX breached the collection, retention and safeguarding rules in both the federal and Alberta commercial privacy statutes.

With respect to TJX’s system for preventing the fraudulent return of goods, the commissioners held that TJX breached both statutes by collecting drivers license and other provincial ID numbers to identify individuals who returned goods without a receipt. While they accepted the importance of identifying such individuals for purposes of fraud control, they also held that retaining this sensitive data was not necessary and that TJX also did not give adequate notice of the purposes for its collection. The commissioners said:

A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number—any number—that can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).

Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers’ license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.

Having made this finding, they accepted TJX’s proposal to create unique identifiers from provincial ID numbers by using cryptographic hashing and approved of a three-year retention period for this information.

On the collection and retention of payment card information for processing purposes, the commissioners held that TJX’s retention of information for 18 months in accordance with its contractual obligations to financial institutions was reasonable, but were critical of TJX’s practice of retaining the information for longer periods for “troubleshooting” purposes. They reasoned that TJX had not clearly established “troubleshooting” as a primary purpose for collection, nor had it established the need to retain information in order to troubleshoot.

Finally, the commissioners held that TJX did not meet the safeguarding standard in both acts, primarily because it failed to upgrade its wireless encryption protocol within a reasonable period of time. Version 1.1 of the Payment Card Industry Data Security was released in September 2006 and endorsed the “Wi-fi Protected Access” or “WPA” encryption protocol. The commissioners said that TJX should have been adhering to this standard by “late 2006.” They commented:

TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion began in October 2005, and the pilot project was completed in January 2007. We are also aware that the final conversion to a higher level of encryption will be completed soon.

Furthermore, while TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.

TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006.

This comes just days after a settlement was announced in the related class action lawsuit.

Report of an Investigation into the Security, Collection and Retention of Personal Information (26 September 2007, C.P.P. and Alberta O.I.P.C.).

Case Report – Deemed undertaking protects against disclosure

On September 10th, a panel of the Divisional Court held that a motions judge erred in ordering a plaintiff in a disability insurance action to disclose a defence medical report and surveillance video that were prepared for and disclosed to the plaintiff in a prior tort action. The motions judge had ordered disclosure subject to the deemed undertaking’s constraint on use. The Divisional Court held that the disclosure order, absent an exercise of discretion under sub-rule 30.1.01(8), offended the rule. It also held that the reference to “use of evidence obtained in one proceeding” in sub-rule 30.1.01(6) does not support disclosure subject to a constraint on use:

The motion judge was concerned that under sub-rule 30.1.01(6) one could not use evidence from another proceeding to impeach the testimony of a witness, unless such evidence had been disclosed and therefore, impliedly, the Rule cannot be read to prohibit disclosure, but merely to restrict the use of such evidence once disclosed. We are of the view that sub-rule (6) allowing evidence from another proceeding to be used for impeachment refers to evidence which is lawfully in the hands of the examining party. Sub-rule (6) refers to “evidence obtained in one proceeding …”. We agree with the appellant’s submission that sub-rule (6) does not provide for or require the disclosure of protected evidence for use in impeaching testimony. It merely provides for the limited use of such evidence, when it is lawfully available.

Kitchenham v. AXA Insurance Canada, 2007 CanLII 37892 (ON S.C.D.C.).

Case Report – Publication of teaching evaluation data lawful

Arbitrator Brent held that the University of Windsor did not violate its faculty collective agreement or the Ontario Freedom of Information and Protection of Privacy Act by publishing teaching evaluation scores on a secure network for access by students and other members of the university community.

She made three findings. First, she held that the change in practice did not breach a frozen practices provision in the collective agreement because the publication condition (freedom from publication, as was argued) was not fundamental to the employment relationship. Second, she held that the express collective agreement restriction on disclosure of faculty personal information did not apply because the information disclosed was not “personal information” under the collective agreement. In reaching this finding, she relied on permissive collective agreement language that referred to the use of teacher evaluation data to construe the term “personal information.” Finally, she held that FIPPA did not apply based on its employment-related records exclusion and the fact that the data was used in the University’s promotion, tenure and renewal process. In rejecting the Association’s argument that student use of the data brought the records under the auspices of the Act, she said:

To argue that it ceases to become a “labour relations” or “employment-related” matter once it is made available to the students would in my view have the effect of excluding SET from FIPPA when it is used for employment related purposes but then including it when it is used to provide information to students. Such a result would be contrary to the Court of Appeal’s decision that once it is determined that FIPPA does not apply to certain material, then that material is exempt from FIPPA for ever.

University of Windsor and University of Windsor Faculty Association (Re) (19 February 2007, Brent).

Sedona Conference search and retrieval draft paper

I direct your attention to this very informative August 2007 draft/public comment paper by the Sedona Conference Working Group 1. In discussing best practices in the use of search and information retrieval methods in discovery, the paper advocates the use of automated search and retrieval methods as an alternative to manual search and suggests eight practice points.

Here are some key quotes made in advocating for automated search:

  • A consensus is forming in the legal community that human review of documents in discovery is expensive, time consuming, and error-prone. There is growing consensus that the application of linguistic and mathematic-based content analysis, embodied in new forms of search and retrieval technologies, tools, techniques and process in support of the review function can effectively reduce litigation cost, time, and error rates.
  • It is not possible to discuss this issue without noting that there appears to be a myth that manual review by humans of large amounts of information is as accurate and complete as possible – perhaps even perfect – and constitutes the gold standard by which all searches should be measured. Even assuming that the profession had the time and resources to continue to conduct manual review of massive sets of electronic data sets (which it does not), the relative efficacy of that approach versus utilizing newly developed automated methods of review remains very much open to debate. Moreover, past research demonstrates the gap between lawyers’ expectations and the true efficacy of certain types of searches. The Blair and Maron study (discussed below) reflects that human beings are less than 20% to 25% accurate and complete in searching and retrieving information from a heterogeneous set of documents (i.e., in many data types and formats). The importance of this point cannot be overstated, as it provides a critical frame of reference in evaluating how new and enhanced forms of automated search methods and tools may yet be of benefit in litigation.
  • There is no magic to the science of search and retrieval: only mathematics, linguistics, and hard work. If lawyers do not become conversant in this area, they risk surrendering the intellectual jurisdiction to other fields.

Case Report – Court says consensual disclosure a principle of fundamental justice

Yesterday, the Ontario Superior Court of Justice invalidated Ontario’s new adoption disclosure regime, which opened past and future adoption records to searching adult adoptees and birth parents notwithstanding individual consent. The judgement contains a significant discussion of how section 7 of the Canadian Charter of Rights and Freedoms restricts government disclosure of personal information.

The applicants, three adopted persons and a father who was recorded as a birth parent in government records despite some uncertainty about his paternity, objected the the adoption disclosure regime brought in by the provinces Adoption Information Disclosure Act. In short, the Act allowed adult adopted persons to obtain information that could be used to identify their birth parents and allowed birth parents to obtain similar information in respect of their children who had reached 19 years of age. These disclosures could be made without consent, but the regime did feature two protections. Adopted individuals and birth parents could file a “no contact” notice, in which case thier searching parents and adoptees would be restricted from contacting them despite receiving information that would allow for contact. Adopted individuals and birth parents could also apply for a non-disclosure order, to be granted in exceptional circumstances to protect against “sexual harm” or “significant physical or emotional harm.”

Mr. Justice Belobaba held that the regime violated the applicants’ section 7 rights. His key factual determination was that the applicants had established a reasonable expectation of privacy in their adoption records based on the history of the adoption regime: “Since 1927, the statutory framework in Ontario has been predicated on confidentiality.” Based on this finding and the principles articulated by the Supreme Court of Canada in R. v. O’Connor, Belobaba J. found that the applicants’ liberty interest was engaged by the propsetive dislcosure of their identifying information. He then went on to find that the applicants’ had been deprived of this interest in a manner inconsistent with the following newly-articulated principle of fundamental justice:

Where an individual has a reasonable expectation of privacy in personal and confidential information, that information may not be disclosed to third parties without his or her consent.

Addressing the seeming strictness of this principle, Belobaba J. suggested that governmental interests in disclosure may be partly managed based on the “reasonable expectation of privacy” qualifier, which he characterized as a manageable and predictable legal principle. Beyond this, he suggested that governments should be responsible for justifying non-consensual disclosures under the Charter‘s saving provision.

Counsel for the Attorney-General raised some concerns about the need to balance interests in the process of formulating a principle of fundamental justice. It wasn’t clear to me if the submissions on this point were directed at the broadly stated “right to privacy” principle or at the more refined Suggested Principle [as quoted above]. In any event, let me set out my understanding of balancing at the section 7 stage of the analysis.

The balancing of individual and societal interests within section 7 is only relevant when elucidating a particular principle of fundamental justice – and here the relevant intersts were balanced using language such as “reasonable expectation of privacy.” Once the principle of fundamental justice has been elucidated, however, it is not within the ambit of section 7 to bring into account further societal interests, such as the rights of the searching adoptee or birth parent or the implications for government record-keeping etc. These considerations will be looked at, if at all, under section 1, where the Crown has the burden of proving that the impugned law is demonstrably justified in a free and democratic society.

On the facts and despite the two protections in the Act, Belobaba J. held that the government had not met its section 1 onus and issued a declaration of invalidity.

Cheskes v. Ontario (Attorney-General) (19 September 2007, Ont. S.C.J.).

Halifax to Toronto in five podcasts all about information

We took young Hugo on his first surf trip to Halifax recently, and after enjoying a couple of weeks of beautiful weather and very bad surf, it took me about fifteen and a half hours from the time I dropped him and Seanna off at the Halifax airport to drive to our door in Toronto. (Dad travels with surfboards while mom travels with baby. And yes, I am a type “A” personality.)

Tom Petty’s newest, Highway Companion, pretty much blows my mind, but there’s only so many times I could listen to it (and sing along loudly enough to keep me alert) before seeking relief in the modern equivalent of talk radio. Here are the information-related podcasts that I listened to on the way home, listed in order of appreciation.

  1. “Electronic Evidence,” ABA Book Briefs Podcast (14 August 2007). An interview with Sharon Nelson and John Simek, co-authors of The Electronic Evidence and Discovery Handbook. Includes a good practical discussion on managing forensic experts.
  2. “Attorney-Client Privilege and the Work-Product Doctrine,” ABA Book Briefs Podcast (10 July 2007). An interview with Edna Epstien, Author of Attorney-Client Privilege and the Work-Product Doctrine. Good for issue identification. One good one: When an in-house lawyer sues for wrongful dismissal and alleges she was terminated for whistleblowing, in what circumstances will the records containing her advice be producible?
  3. “Negotiating Tip: Negotiating with Email,” Negotiating Tip of the Week (5 May 2007). This podcast series is by Dr. Josh Weiss, Associate Director of the Global Negotiation Project at the Program on Negotiation at Harvard. This one is really about negotiation, but has an outside link to records management. The last of the five tips: don’t negotiate by e-mail unless you have to.
  4. “What Hewlett-Packard’s Spying Scandal Tells Us about the Limitations of Corporate Boards,” Knowledge@Wharton Audio Articles (23 October 2006). Primarily about governance but describes the context for a much-discussed privacy issue.
  5. “Ten Rules for Managing Electronically Stored Information,” Litigation Podcast: Tips and Tactics (29 March 2007). Tips on proactive ESI management.

Case Report – “Crime and fraud” exception to solicitor-client privilege broadly framed

In March 2007, the Ontario Superior Court of Justice held that the “crime and fraud” exception to solicitor-client privilege applies to communications made in furtherance of perpetrating all forms of tortious conduct that may become the subject of a civil proceeding. As noted by Mr. Justice Perell, this finding may be “contentious” because it establishes an arguably broader exception than endorsed in two of the Court’s earlier decisions: see Rocking Chair Plaza (Bramalea) Ltd. v. Brampton (City) (1988), 29 C.P.C. (2d) 82 (Ont. H.C.J.) and Hallstone Products Ltd. v. Canada (Customs and Revenue Agency), [2004] O.J. No. 496 (S.C.J.). His honour distinguished the case at bar on the facts, which involved an e-mail sent to counsel during the time frame that intentional infliction of mental suffering was alleged (i.e., pre-litigation) and that he held to be prima facie evidence of the same.

Dublin v. Montessory Jewish Day School of Toronto (2007), 85 O.R. (3d) 511 (Ont. S.C.J.).