Facebook’s Graph Search: New Privacy Concerns?

According to a CBC News article (here), early reviews of Facebook’s new Graph Search feature are raising privacy concerns.  The search feature appears to be eerily effective in mining Facebook users’ information in responding to search queries.

For employers who may be considering using social media to verify information about current or prospective employees, the depth of information revealed by Graph Search highlights the risk that obtaining information through social media could amount to an invasion of privacy, or conflict with human rights laws (see the Ontario Human Rights Commission’s policy on using Facebook information).  Employers should tread carefully before using social media to obtain information about current or prospective employees, since the resulting information (even if obtained inadvertently) could create unanticipated liabilities.

Government limits use of external drives, to avoid data breaches

Here is a link to an interesting Postmedia article on how HRSDC is moving to limit use by employees of portable data devices, following several incidents in which external drives containing Canadians’ personal information were lost or misplaced.  There are many compelling reasons for employers to control how and when employees can remove data from the workplace, such as preventing data breaches, minimizing wrongful competition by employees or former employees, and avoiding claims for breach of privacy.

BYOD policy – Charting a good path to higher ground

This is just a cross-post to a piece of mine that we’ve published on the Hicks Morley website. Here’s a link and a teaser:

The desire to use personal mobile devices to undertake work has risen like the incoming tide. Employers must make a choice: turn the tide on the use of personal devices by re-enforcing an outright ban or chart a thoughtful path to higher “Bring Your Own Device” or “BYOD” ground. Employers that do neither will sink into the mire of unreasonable IT security risk. This FTR Now discusses the pros and cons of adopting policy that allows employees to use a personal mobile device for work and the aims of proper BYOD policy.

Plaintiff left to lie in its e-mail mess

On November 15th, the Supreme Court of Nova Scotia dismissed a motion to amend a production order that caused a pension plan great difficulty given its committee members had used their work e-mail accounts to send and receive relevant communications.

The pension plan sued its investment advisors to recover investment losses. About a year ago the Court ordered it to conduct keyword searches involving 51 terms. This required the pension plan to search for e-mails sent and received by its committee members who held day jobs for the plan sponsor (a separate legal entity) and used their work e-mail accounts to send and receive relevant communications. Matters were made worse because the pension plan’s litigation counsel was actively engaged in matters adverse to the sponsor, which meant the sponsor was unwilling to let the pension plan review e-mails without first vetting them itself. The 51 terms produced too many responsive records for the sponsor, who objected to the pension plan. In response, the pension plan moved for relief. It argued that the 51 terms produced too many “false positives” and asked for an amendment.

The Court dismissed the motion. It held that an amendment to the order could only be justified based on “compelling reasons” given that the order was the product of argument, reasoning and a lengthy decision and because it would invite selective application of a narrower search (to the benefit of one party) than applied to all other data sources under the parties’ control. The Court held that the pension plan failed to meet this burden. It was unimpressed with the evidence adduced through counsel’s paralegal, who gave hearsay evidence about search quality analysis conducted by the pension plan’s litigation support company. The Court explained:

I have no direct evidence from CWL and am not satisfied that the evidence shows CWL to have the capability to reliably identify relevant documents subject to disclosure. I have little evidence upon which to assess the correctness of CWL’s assessment of what constituted a “false positive”. I am particularly concerned because the context in which the revised search was conducted intended to minimize the number of documents to be reviewed. I cannot say whether CWL sacrificed the quality of the search to meet the goal of reducing the quantity of captured documents.

The Court did not clearly rely on the committee members’ use of the sponsor’s e-mail system in dismissing the motion, but did comment that the pension plan’s situation was “of its own making.”

Halifax (Regional Municipality Pension Committee) v State Street Global Advisors Ltd., 2012 NSSC 399 (CanLII).

IPC/Ontario issues report on outsourcing to USA resident vendors and more

On June 27th, the Information and Privacy Commissioner/Ontario issued a significant report on the Ministry of Natural Resources’ use of an American company to maintain the primary database for its hunting and fishing licensing system.

The Commissioner has made public statements downplaying the significance of the USA PATRIOT Act to data security outsourcing risks, but this is the first time she has expressed these views formally. She says:

There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted. For the reasons outlined on pages 5 and 6, the feared powers were available to law enforcement long before the passage of the PATRIOT Act, through a variety of other legal instruments. In my view, these fears are largely overblown, and focusing on them unduly constitutes a pointless exercise. I believe it is far more productive to compel organizations to be fully responsible and accountable for the services they provide or outsource. As noted earlier, my position on this remains that you can outsource services, but you cannot outsource accountability. Flowing from that, one critical question prevails: Have reasonable steps been taken to ensure privacy and security, regardless of where the data resides? The measures taken by MNR, as described in this report, represent a good example of such accountability.

This is of help to Ontario public sector institutions who have needed to account for significant perceived risks related to the PATRIOT Act in approaching hosted service projects, many likely associated with lower risks than the MNR project. One might wonder how many useful, cost-saving initiatives have been parked because of a requirement that all personal information be stored in Canada by a Canadian company. The Commissioner’s report should be liberalizing, though outsourcing in and outside of Canada will always be associated with special data security risks that institutions need to carefully manage.

Fortunately, the Commissioner also uses this report to give some good guidance on outsourcing in the Ontario public sector, largely approving of the manner by which the MNR went about its outsourcing. Her focus is on the commercial contract between the MNR and its vendor, which she held contained nine “necessary provisions” to achieve the “reasonable measures” data protection standard under FIPPA. Ontario public sector institutions should pay heed to these provisions and, more generally, the design and development process described towards the front of the Commissioner’s report.

Hat tip to David Fraser, who gets a nice nod in this report from the Commissioner for his work on the PATRIOT Act.

Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report (June 27, 2012).

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company-owned and issued for work purposes are part of the system or network even though they may periodically be used as stand-alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to remotely manage their own devices as a condition of use and with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. A “login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.

Speeding Up Criminal Reference Checks

The federal government is implementing new digital technology to speed up the process for obtaining criminal reference checks.  This change will be welcome relief to employers who are required to perform criminal reference checks on employees or prospective employees, such as school boards and social services agencies.  A link to a CTV article on the announcement is here.

Investigating Computer Abuse – Help for Human Resources

My colleague Kathryn Bird and I presented today at the HRPA 2011 conference on “Investigating Computer System Abuse – Help for HR.” It was our aim to help human resources professionals charged with investigating computer-related misconduct to identify issues, ask proper questions of internal IT and know when to get professional IT forensics and legal help. We covered investigation basics, sources of digital evidence, preservation best practices, interview tips and managing the investigation record. Big thanks to Kevin Lo of Froese Forensics for reflecting on some of our ideas over beers. Slides are below.

The Special Case of E-Mail (as Electronic Evidence)

I attended and presented at Day 1 of the Osgoode Short Course in Obtaining, Producing and Presenting Electronic Evidence.

Thank you to Chuck Rothman of Wortzman Nickle for fielding my question about preserving web-based communications. He suggested that Adobe Acrobat does a good job of producing a reasonably true copy of web page renderings, but should be used in conjunction with good evidence handling practices – e.g., keeping a log of steps, hashing the file produced and so on. Chuck also mentioned Facebook’s new feature that allows users to download profiles as something worth thinking about when dealing with Facebook preservation issues.

I presented with John Gregory on “The Special Case of Email.” John is a true authority on electronic evidence, and I’ve been lucky to do this presentation with him a few times now. Our slides are below.

For some of John’s materials on electronic evidence, check out his web page here. We also noted Stephen Mason’s excellent website as a resource on electronic evidence. It is linked here.