The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive story concerns a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration's attention to corporate network security, attention that comes at a time when corporate network security is being traded away to accommodate trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

Municipality breaches privacy statute by communicating via Facebook

Last September 27th, the Newfoundland and Labrador OIPC held that a municipality breached the Newfoundland Access to Information and Protection of Privacy Act because an employee, in the course of her duties, identified the Facebook accounts of two members of the public and messaged them through her own Facebook account.

The OIPC held that this use of Facebook led the municipality to engage in an improper use of personal information and breach its safeguarding duty. One problem, according to the OIPC, was the use of a means of communication not governed at all by the municipality:

Facebook is a social media website that is accessible from any computer or device which is capable of accessing the internet. In this sense, the use of Facebook by the Town employee may be akin to the removal of personal information from the Town office. This is further exacerbated by the use of the employee’s own personal account to engage in this communication. From this perspective, the information must be protected in the same manner as used by other public bodies which allow for the removal of personal information from their facilities.

The OIPC made clear, however, that communicating personal information through a Facebook account in a public body’s name is also inappropriate. It said:

For the various security and identification issues outlined above, there is no way to ensure that personal information is properly protected on these websites. If an individual requests that communications with a public body be carried out in this manner, the public body must first satisfy itself that the identity of the Facebook account holder is confirmed, and furthermore that express consent be obtained from the individual acknowledging that the privacy of the communication cannot be guaranteed.

The OIPC gives little reasoning about why communicating through a Facebook account in a public body's name is less secure than communicating through a corporate e-mail service, but the concern is not hard to see: the public body does not administer the service, cannot apply its own security controls to it, and has no reliable way to confirm who holds the account at the other end. Channelling communications that include personal information through a consumer service like Facebook (which is neither designed as an e-mail service nor targeted at business) therefore raises obvious concerns.

Report P-2012-001 (27 November 2012, OIPC Newfoundland).

Social media and the law – three nuggets and one blawger’s tale #ALC2013

I’m posting this from beautiful Edmonton, where I presented at the Alberta Law Conference social media session together with Diane McLeod-McKay (Alberta OIPC, Director, Alberta PIPA) and Doug Jasinski (Skunkworks Creative Group). Thank you to our Chair and warm host, uber-librarian Shaunna Mireau (Field Law). It was a nice balanced session, with a little marketing and communication, a little core privacy and a little “other,” all of which came together nicely to give a helpful picture to our lawyer audience.

I was the “other.” My slides are below and deal with (1) the “licensed communicator” concept for governing business use of social media, (2) the social media civil production cases and (3) preservation of social media evidence. I also (as asked) spoke a little about my own blogging experience, an enjoyable first.

Arbitrator says that an employer owes an employee no duty to investigate reasonably suspected wrongdoing

On December 21st, Ontario arbitrator Ian Anderson dismissed a termination grievance brought by an employee who was terminated for bringing personal computing devices into a high-security workplace and downloading significant volumes of unauthorized (and risky) software onto an employer’s network.

The outcome is driven by the facts, but Arbitrator Anderson did deal with an asserted employer duty to investigate suspected wrongdoing. He dismissed the union’s argument that the employer could not charge the grievor with the downloading offence given that it did not investigate and discover the grievor’s downloading sooner, at the time it discovered and disciplined the grievor for excessive internet use. Arbitrator Anderson said:

The Union suggests that an employer has a responsibility to investigate potential misconduct of which it has reasonable suspicion. Put differently, the Union suggests that in order to justify discipline delayed on the basis of earlier lack of knowledge of the alleged misconduct, there must previously have been no reasonable basis to suspect that misconduct.

The Union’s argument, as I understand it, is not restricted to circumstances that might give rise to estoppel. Absent some provision in the collective agreement, I do not agree that there is such a general duty of investigation on an employer. Nor, in my view, is this proposition supported by the cases relied upon by the Union.

General Dynamics Land Systems v National Automobile, Aerospace, Transportation and General Workers Union (CAW-Canada, Local No 27), 2012 CanLII 86240 (ON LA).

Facebook’s Graph Search: New Privacy Concerns?

According to a CBC News article, early reviews of Facebook’s new Graph Search feature are raising privacy concerns. The search feature appears to be eerily effective in mining Facebook users’ information in responding to search queries.

For employers who may be considering using social media to verify information about current or prospective employees, the depth of information revealed by Graph Search highlights the risk that obtaining information through social media could amount to an invasion of privacy, or conflict with human rights laws (see the Ontario Human Rights Commission’s policy on using Facebook information). Employers should tread carefully before using social media to obtain information about current or prospective employees, since the resulting information (even if obtained inadvertently) could create unanticipated liabilities.

Government limits use of external drives, to avoid data breaches

Here is a link to an interesting Postmedia article on how HRSDC is moving to limit use by employees of portable data devices, following several incidents in which external drives containing Canadians’ personal information were lost or misplaced. There are many compelling reasons for employers to control how and when employees can remove data from the workplace, such as preventing data breaches, minimizing wrongful competition by employees or former employees, and avoiding claims for breach of privacy.

BYOD policy – Charting a good path to higher ground

This is just a cross-post to a piece of mine that we’ve published on the Hicks Morley website. Here’s a link and a teaser:

The desire to use personal mobile devices to undertake work has risen like the incoming tide. Employers must make a choice: turn the tide on the use of personal devices by re-enforcing an outright ban or chart a thoughtful path to higher “Bring Your Own Device” or “BYOD” ground. Employers that do neither will sink into the mire of unreasonable IT security risk. This FTR Now discusses the pros and cons of adopting policy that allows employees to use a personal mobile device for work and the aims of proper BYOD policy.

Plaintiff left to lie in its e-mail mess

On November 15th, the Supreme Court of Nova Scotia dismissed a motion to amend a production order that caused a pension plan great difficulty given its committee members had used their work e-mail accounts to send and receive relevant communications.

The pension plan sued its investment advisors to recover investment losses. About a year ago the Court ordered it to conduct keyword searches involving 51 terms. This required the pension plan to search for e-mails sent and received by its committee members who held day jobs for the plan sponsor (a separate legal entity) and used their work e-mail accounts to send and receive relevant communications. Matters were made worse because the pension plan’s litigation counsel was actively engaged in matters adverse to the sponsor, which meant the sponsor was unwilling to let the pension plan review e-mails without first vetting them itself. The 51 terms produced too many responsive records for the sponsor, who objected to the pension plan. In response, the pension plan moved for relief. It argued that the 51 terms produced too many “false positives” and asked for an amendment.

The Court dismissed the motion. It held that an amendment to the order could only be justified based on “compelling reasons” given that the order was the product of argument, reasoning and a lengthy decision and because it would invite selective application of a narrower search (to the benefit of one party) than applied to all other data sources under the parties’ control. The Court held that the pension plan failed to meet this burden. It was unimpressed with the evidence adduced through counsel’s paralegal, who gave hearsay evidence about search quality analysis conducted by the pension plan’s litigation support company. The Court explained:

I have no direct evidence from CWL and am not satisfied that the evidence shows CWL to have the capability to reliably identify relevant documents subject to disclosure. I have little evidence upon which to assess the correctness of CWL’s assessment of what constituted a “false positive”. I am particularly concerned because the context in which the revised search was conducted intended to minimize the number of documents to be reviewed. I cannot say whether CWL sacrificed the quality of the search to meet the goal of reducing the quantity of captured documents.

The Court did not clearly rely on the committee members’ use of the sponsor’s e-mail system in dismissing the motion, but did comment that the pension plan’s situation was “of its own making.”

Halifax (Regional Municipality Pension Committee) v State Street Global Advisors Ltd., 2012 NSSC 399 (CanLII).

IPC/Ontario issues report on outsourcing to USA resident vendors and more

On June 27th, the Information and Privacy Commissioner/Ontario issued a significant report on the Ministry of Natural Resources’ use of an American company to maintain the primary database for its hunting and fishing licensing system.

The Commissioner has made public statements downplaying the significance of the USA PATRIOT Act to data security outsourcing risks, but this is the first time she has expressed these views formally. She says:

There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted. For the reasons outlined on pages 5 and 6, the feared powers were available to law enforcement long before the passage of the PATRIOT Act, through a variety of other legal instruments. In my view, these fears are largely overblown, and focusing on them unduly constitutes a pointless exercise. I believe it is far more productive to compel organizations to be fully responsible and accountable for the services they provide or outsource. As noted earlier, my position on this remains that you can outsource services, but you cannot outsource accountability. Flowing from that, one critical question prevails: Have reasonable steps been taken to ensure privacy and security, regardless of where the data resides? The measures taken by MNR, as described in this report, represent a good example of such accountability.

This is of help to Ontario public sector institutions who have needed to account for significant perceived risks related to the PATRIOT Act in approaching hosted service projects, many likely associated with lower risks than the MNR project. One might wonder how many useful, cost-saving initiatives have been parked because of a requirement that all personal information be stored in Canada by a Canadian company. The Commissioner’s report should be liberalizing, though outsourcing in and outside of Canada will always be associated with special data security risks that institutions need to carefully manage.

Fortunately, the Commissioner also uses this report to give some good guidance on outsourcing in the Ontario public sector, largely approving of the manner by which the MNR went about its outsourcing. Her focus is on the commercial contract between the MNR and its vendor, which she held contained nine “necessary provisions” to achieve the “reasonable measures” data protection standard under FIPPA. Ontario public sector institutions should pay heed to these provisions and, more generally, the design and development process described towards the front of the Commissioner’s report.

Hat tip to David Fraser, who gets a nice nod in this report from the Commissioner for his work on the PATRIOT Act.

Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report (June 27, 2012).

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company owned and issued for work purposes are part of the system or network even though they may periodically be used as stand-alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees, as a condition of use, to agree to have their own devices remotely managed by the employer, with an understanding that they will sacrifice a good degree of personal privacy in doing so.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. A login banner (warning text displayed by a “login script” each time a user signs in) is also common and helpful. Nowadays, a good login banner will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.