Court of Appeal for Saskatchewan reformulates guidance for ownership of lawyers’ files

On August 10th, the Court of Appeal for Saskatchewan held that the Saskatchewan Court of Queen’s Bench erroneously ordered “solicitor’s notes and inter-office memoranda” to be produced to a client because this categorization was over-broad. It reviewed the Canadian law and held that the authoritative text from Cordery’s Law relating to Solicitors is often misunderstood and unquestionably applied to provide lawyers ownership of their “working file.” It re-stated the test as follows:

Documents in existence prior to the retainer and provided by the client to the lawyer remain, in the absence of some proof to the contrary, the property of the client.
Documents prepared by a lawyer for the benefit of the client belong to the client. This would include, for instance: legal research memoranda; pleadings, briefs and other documents filed in court; witness statements; and notes of conversations with the client, other counsel or third parties concerning matters that relate to the substance of the file or to the business of advancing the file toward a conclusion.
Documents prepared by a lawyer for their own benefit or protection belong to the lawyer. This would include, by way of example, things such as accounting records, conflict searches, time entry records, and financial administration records like draft statements of account and cheque requisitions. Internal communications and notes concerning administrative matters such as the role that various lawyers and staff will play on the file may also fall into this category.
That said, documents will often be prepared for, or will serve, more than one purpose. For example, a file note setting out instructions received from a client will both benefit the client by helping to ensure that their wishes are clearly understood and benefit the lawyer by memorializing the mandate received from the client. In such circumstances, the predominant purpose should be controlling. Any doubt about the predominant purpose should be resolved in favour of the client with the result being that “documents prepared for the benefit of the lawyer” is likely to be quite a narrow class of material in most files. In this regard, one helpful way to assess if a document belongs to the client may be to ask whether, when it was created, a new lawyer taking over the file at that time would have wanted to have had the document in order to properly and efficiently manage the file and advance the client’s interests. If the answer is “yes”, and particularly if the client paid for the time involved in generating the document, then it should be seen as belonging to the client.
The fact that the client has been billed for the time involved in preparing a document will be a significant factor, but not necessarily a decisive one, weighing in favour of the conclusion that the document belongs to the client. In this regard, it is difficult to see how a document prepared for the benefit of the client and for which the client was billed would not be the property of the client. However, that said, I doubt that the same is true with respect to documents prepared for the benefit or protection of the lawyer. For example, and without endorsing this sort of billing practice, if the lawyer happens to record and charge out the time involved in doing a conflict of interest check to confirm that they can act for the client, the document reflecting the result of that conflict of interest check would nonetheless belong to the lawyer.
The burden of showing that a document in a file is the property of the lawyer should rest with the lawyer. They will understand the circumstances in which the document came to be created and will be in possession of the information about who it was intended to benefit.

Note the imposition of a predominant purpose test and a form of presumption in the fourth bullet above, which is at the crux of the Court’s decision.

CPC Networks Corp. v McDougall Gauley LLP, 2023 SKCA 90 (CanLII).

Ontario CA addresses claims arising out of IT security exploit

On January 11th, the Court of Appeal for Ontario dismissed an appeal of a decision that struck various pleadings of a former senior IT employee of Ontario and his family members, who the province alleges stole over $10 million by making fraudulent COVID benefit claims.

The Support for Families Program (SFFP) was launched quickly in April 2020 to help families with the cost of at-home learning. The IT employee helped develop the applications for the program, including its online application portal.

The province sued the employee and his family for allegedly stealing funds by making fraudulent applications and diverting them to bank accounts opened in the employee’s and his family members’ names – presumably by exploiting vulnerabilities known to the employee because of his duties. The province also alleges that the employee participated in and profited from a kick back scheme tied to the SFFP.

The employee has defended, and denies the allegations. In his defence, he pleaded contributory negligence – i.e., that the province was negligent in protecting itself against his alleged fraud. The family members – represented by the same counsel – say that the employee told them he used their personal information to open bank accounts in which to deposit the proceeds of fraud. Although they did not crossclaim against the employee, they counterclaimed against he province in intrusion upon seclusion and negligence.

The Court of Appeal affirmed the striking of these claims.

It held that a defendant to a fraud or unjust enrichment claim cannot raise contributory negligence as a defence. The Court explained that allowing for the defence would suggest that crime pays and unfairly punish organizations who do not take adequate steps to protect themselves.

It held that the intrusion upon seclusion claim is untenable because it is based on the employee’s alleged misuse of information entrusted to him by his family, not the employer’s enterprise or a risk created or excaberated by that enterprise.

It held that a negligence pleading properly framed to address the Crown’s immunity from tort liability would fail for a lack duty/proximity given the family members claimed to have no interaction with the province other than in respect of the province’s money that the employee transferred into their accounts.

Sometimes the best defence is a good offence. That was likely the motivation for these novel claims – perhaps an attempt to capitalize upon the province’s sensitivity to mismanagement claims. They were rightly struck, and organizations in Ontario who are defrauded by insiders can continue to breathe easy.

Ontario v. Madan, 2023 ONCA 18 (CanLII).

IPC wades into shadow IT mess, may never again

The Information and Privacy Commissioner/Ontario issued a decision about a security incident on July 9th in which it made clear, after participating in a health information custodians’ efforts to recover lost data, that this burden falls on custodians alone.

The incident involved a clinician at an unnamed rehabilitation clinic and her estranged spouse, who reported to the clinic that he possessed 164 unique files containing the personal health information of 46 clinic clients on two computers that belonged to the clinician. The clinician explained the existence of the files as a by-product of secure access and inadvertent, though the the files appear to have been purposely moved from temporary storage to a Google drive at some point, possibly by the spouse

The spouse was not particularly cooperative. This led the IPC, who the clinic had notified, to engage with the spouse together with the clinic over a several month period. The IPC took the (questionable) position that the spouse was in breach of duties under section 49(1) of PHIPA.

In the course of these dealings the spouse reported he had also received e-mails with attached assessment reports from the clinician for printing purposes. The clinician said she had thought she had adequately de-identified the reports, though one included a full patient name and others (as the IPC held) contained ample data to render patients identifiable.

All of the detritus was eventually deleted to the satisfaction of the clinic and IPC. The clinic reconfigured its means of providing secure remote access to adresses the risk of local storage and beefed up its administrative policies and training. There is no mention of implementing a digital loss prevention solution.

The IPC decision is notable for two points.

First, the IPC made clear that custodians should not rely on the IPC to help with data recovery (which can be very expensive):

It is clear that interactions between the Clinic and the Spouse had been very challenging, chiefly due to the Spouse’s changing positions throughout this investigation. However, the obligations on a health information custodian to contain the breach remain, even in the face of challenging circumstances. The Privacy Breach Guidelines are clear that there is an obligation on the health information custodian to retrieve any copies of personal health information that have been disclosed and ensure that no copies of personal health information have been made or retained by anyone who was not authorized to receive the information. Nothing in the legislation or these guidelines transfers this obligation to the IPC.

Second, the clinic was less skeptical of the clinician than it might otherwise have been, and did not issue discipline. The IPC accepted this, and re-stated its deferential position on employee discipline as follows:

With respect to the Clinic’s decision, I am satisfied that it was reasonable in the circumstances. This office has stated that its role is not to judge the severity or appropriateness of sanctions taken by a custodian against its agents (see PHIPA Decision 74). However, the IPC can taken into account a custodian’s disciplinary response as part of its assessment of whether the custodian has taken reasonable steps to protect personal health information against unauthorized access.

A Rehabilitation Clinic (Re), 2020 CanLII 45770 (ON IPC).

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

What’s significant about the Loblaw report

I finally got around to reading the @PrivacyPrivee report of findings on Loblaw’s manner of authenticating those eligible for a gift card. The most significant (or at least enlightening) thing about the report is that the OPC held that residential address, date of birth, telephone number and e-mail address were, together, “sensitive.” It did so in assessing the adequacy of the contractual measures Loblaw used in retaining a service provider for processing purposes. It said:

The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.

As outlined above, the additional ID’s requested by the Program Administrator were collected through a secure channel (if online) or by mail, verified and then destroyed.

In our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. Therefore, in our view, Loblaw did not contravene Principle 4.1.3 of Schedule 1 of the Act.

Residential address, date of birth, telephone number and e-mail address is a set of basic personal information. In analyzing it, one must recall the “contact information” that the Ontario Superior Court of Justice said was not “private” enough to found a class action claim in Broutzas.

Don’t be misled, though. The OPC made its finding because Loblaw was engaged in authentication, and collected a data set precisely geared to that purpose. The potential harm – identity theft – was therefore real, supporting finding that the data set as a whole was sensitive. Context matters in privacy and data security. And organizations, guard carefully the data you use to identify your customers.

NIST’s recommended password policy evolves

As imperfect a means of authentication as they are, “memorized secrets” like passwords, pass phrases and PINs are common, and indeed are the primary means of authentication for most computer systems. In June, the National Institute of Standards and Technology issued a new publication on digital identity management that, in part, recommends changes to password policy that has become standard in many organizations – policy requiring passwords with special characters.

Here is what the NIST says:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and may be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorize secrets SHOULD be imposed.

The NIST believes that the complexity derived from special characters is of limited benefit to security, yet creates (well known) useability problems and promotes “counterproductive” user behaviour – writing passwords down or storing them electronically in plain text. It’s better, according to the NIST, to allow for long passwords (that may incorporate spaces) and use other protective measures such as password blacklists, secure hashed password storage and limits to the number of failed authentication attempts.

The NIST publication includes other related guidance, including a recommendation against routine password resetting.

NIST Special Publication 800-63B – Digital Identity Guidelines (June 2017)

The Saskatchewan OIPC okays health authority’s incident response

On June 8th, the Office of the Saskatchewan Information and Privacy Commissioner issued an investigation report in which it held that a regional health authority responded appropriately to a privacy breach. Most notably, the OIPC reinforced a recommendation about notification included in its 2015 publication, Privacy Breach Guidelines. The recommendation:

Unless there is a compelling reason not to, [health information] trustees should always notify affected individuals.

This is a novel and conservative variation on the normal harms-related principle that guides notification. It is simply a recommendation – and one directed only at public agencies and health information trustees in Saskatchewan. It is notable nonetheless, however, in that it reflects an arguably developing public sector norm. Right or wrong, there is a unique pressure on public sector institutions to notify that should always be considered as part of a public sector institution’s careful response to a data handling incident.

Investigation Report 101-2016 (8 June 2016).

USB key treated as a private receptacle by labour tribunal – but why?

On March 29th the Grievance Settlement Board (Ontario) held that a government employer did not breach its collective agreement or the Charter by examining a USB key that it found in the workplace.

They key belonged to an employee who used it to store over 1000 files, some of which were work-related and allegedly confidential and sensitive. Remarkably, the employee also stored sensitive personal information on the key, including passport applications for his two children and a list of his login credentials and passwords. The key was not password protected and not marked in any way that would identify it as belonging to the employee.

The employee lost the key in the workplace. The employer found it. An HR employee inserted they key in her computer to read its contents. She identified the key as possibly belonging to the employee. She gave the key to the employee’s manager, who inserted it in his computer on several occasions. The manager identified that the key contained confidential and sensitive information belonging to the employer. The manager then ordered a forensic investigation. The investigation led to the discovery of a draft of an e-mail that disparaged the manager and had earlier been distributed from an anonymous e-mail account.

The GSB held that the employee had a reasonable expectation of privacy – one so limited as not to be as “pronounced” as the expectation recognized in R v Cole. The GSB also held, however, that the employer acted with lawful authority and reasonably. The reasonableness analysis contains some helpful statements for employers, most notably the following statement on the examination of “mixed-use receptacles” (my words):

The Association argues that the search conducted by Mr. Tee was “speculative” and constituted “rummaging around” on the USB key. It asserts that if Mr. Tee had been interested in finding files which might contain government data, he would have or should have searched directories which appeared to be work related, such as EPS, TPAS or CR. I do not find this a persuasive argument. As noted in R. v. Vu, in discussing whether search warrants issued in relation to computers should set out detailed conditions under which the search might be carried out, such an approach does not reflect the reality of computers: see paras. 57 and 58. Given the ease with which files can be misfiled or hidden on a computer, it is difficult to predict where a file relevant to an inquiry will be found. It may be filed within a directory bearing a related name, but if the intention is in fact to hide the file it is unlikely that it will be. Further, the type of file, as identified by the filename extension, is not a guarantee of contents. A photograph, for example can be embedded in a Word document. Provided that the Employer had reasonable cause to view the contents of the USB key in the first place (as I have found there was in this case), an employee who uses the same key for both personal and work related purposes creates and thereby assumes the risk that some of their personal documents may be viewed in the course of an otherwise legitimate search by the employer for work related files or documents.

I learned about this case shortly before it was decided and remarked that it was quite bizarre. I couldn’t fathom why anyone would be so utterly irresponsible to store such sensitive information on a USB key. This is one reason why I’m critical of this decision, which treats this employee’s careless information handling practice as something worthy of protection. The other reason I’m critical of this decision is that it suggests the expectation of privacy recognized in Cole is higher than contemplated by the Supreme Court of Canada – which remarked that Richard Cole’s expectation of privacy was not “entirely eliminated” by the operational realities of the workplace. Not all of our dealings with information demand privacy protection, and in my view we need to make the reasonable expectation of privacy threshold a real, meaningful threshold so management can exercise its rights without unwarranted scrutiny and litigation.

I also should say that it’s very bad to stick USB keys found lying around (even in the workplace) into work computers (or home computers), at least without being very careful about the malware risk. That’s another reason why USB keys are evil.

Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v Ontario (Government and Consumer Services), 2016 CanLII 17002 (ON GSB).

Late apology and lack of correction results in increased privacy damages award

There has been some public discussion of the recent arbitration award by Arbitrator Knopf in which she awarded an employee $1,000 in damages for breach of privacy. The following is my view about what organizations should take from Ms. Knopf’s award.

The case is about one employer who shared a medical note with another employer. The other employer also employed the employee and wanted to confirm its understanding of her fitness for work and need for accommodation.

The note the employer disclosed stated, “pt is able to perform the duties of Dietary Aide at St. Pat’s home.” The disclosure was made by a contractor who managed the employee. He also told the other employer that the employee (a) was not currently being accommodated, (b) had no work-related restrictions and (c) was working her regularly scheduled shifts.

The employer admitted liability, and it appears that damages were awarded based only on the disclosure of the medical note. This is notable because it is debatable whether it was wrong for the employer disclose “a” and “c” as noted above. The information I’ve noted as “a” is not received from a health information custodian and therefore is not regulated by statute. The information I’ve noted as “c” is also note received from a health information custodian and is also arguably not personal information. I’m not suggesting the employer was clearly right in disclosing “a” and “c,” but it was also not clearly wrong.

The most important part of the award is the damages analysis, most notably Ms. Knopf’s comments the employer’s delayed apology and lack of corrective action. She said:

This Employer has apologized to the Grievor in the course of these proceedings and affirmed its desire to maintain and to continue a positive relationship with the Grievor. However, this apology was only offered once the Union refined and narrowed the claim for relief in the course of preparation for this hearing, even though the breach of the Confidentiality Policy was apparent from the outset. Therefore almost three (3) years had gone by. The evidence also disclosed that the Employer had not required its contractors to abide by this Policy and there is no evidence to suggest that it has done so to date. Employers often criticize grievors who do not offer timely apologies in situations of wrongdoing. Employers should be held to the same standard. The apology from the Employer is clearly meaningful and significant, but it did come very late and it lacks completion, given the apparently continuing failure to insist on compliance with its Confidentiality Policy by the contractors who serve the residents and interact with the members of this bargaining unit.

The most common and preferred strategy for responding to a loss of data is to conduct a good early assessment and “take lumps” – including by issuing an appropriate apology and committing to corrective action. This case supports the use of that strategy.

St. Patrick’s Home of Ottawa Inc. v Canadian Union of Public Employees, Local 2437, 2016 CanLII 10432 (ON LA).

Data breach response – Examining evidence and determining credibility

Having good investigative capacity is essential to good data breach response. More often than not, a post-incident investigation involves gathering evidence from witnesses. Digital forensics is also a common part of a breach investigation, but digital forensic evidence typically complements other testimonial and documentary evidence. For this reason I’m sharing a presentation I did with student conduct officers at Canadian colleges and universities last week, in which my aim was to prepare the audience to deal with a more challenging “credibility case.” It is relevant to human resources practitioners engaged in an investigative capacity post-incident and is relevant to lawyers and others who act as “breach coaches.”