In praise of cyber response transparency (and in defence of the “breach coach”)

Wired Magazine published an article last week about school cyber attacks in the United States that was wholly denigrating of the role of cyber incident response counsel – “breach coaches.” Wired’s theme was that schools are using their lawyers to deprive parents, students, and the public of information. Wired has inspired this post, though I will say little more about it than “Don’t believe everything you read.” Rather, I will be positive, and explain that transparency is at the center of good cyber incident response and that breach counsel enable transparency through clear, accurate, and timely communication.

We must communicate to manage

Let us start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. But without making light of it, I will say that there is lots of “drama” associated with most major cyber incidents today that renders incident response about more than containment and eradication.

Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You will have many stakeholders descending on you from time zero, and every one of them wants one thing – information. You do not have a lot of that to give them, in the early days at least, but you have got to give them what you can.

In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what has happened and what you are doing about it. It means reporting to law enforcement. It means sharing threat information with peers. It means getting your message out.

This is crisis communication best practice. If smoke is billowing from your house and the public has questions, the public will make its own story about your fire if you say nothing, and any obfuscation risks blowback. You must, as best you can, get your message out.

Let’s get privilege straight

Lawyers love privilege, but we may not do a good enough job at helping the public understand why it is so important, and why it is not inimical to transparency.

There are two types of privilege.

Solicitor-client privilege is the strongest form of privilege. A confidential communication between lawyer and client that relates to the giving or receiving of legal advice (in the broadest sense) is privileged.

Litigation privilege works a little differently, and is quite important for giving a person who is in litigation or who contemplates litigation a “zone of privacy” in which to prepare, strategize and plan free from an adversary’s scrutiny.

Privilege is a powerful tool for organizations because it shields communications from everyone – an adversary in litigation, a freedom of information requester, a regulator.

This is for good reason: privilege allows for good legal advice on complicated, high stakes problems. If litigation is pending or anticipated, it also allows adversaries to be adversaries, which contributes to the truth seeking function of adjudication. Privilege is hallowed, and recognized by our courts as central to the rule of law.

Privilege, though, applies to communications, not to facts that have an independent existence. Is your head exploding yet? Let me explain this tricky idea.

Say an incident leads to the discovery of four facts – Fact A, Fact B, Fact C and Fact D. There is a question about whether those four facts prove exfiltration of a particular set of data. Lawyer and client can communicate with each other to develop an understanding of that legal question. The lawyer can advise the client about what the evidence means, whether inferences can be drawn, and how the evidence is likely to be interpreted by a judge or a regulator. The lawyer may give an answer – “no exfiltration” – but also explain the strengths and weaknesses of taking that position. All the evaluation and advice – the communication – is privileged, but Fact A, Fact B, Fact C, and Fact D are not. In incident response, those facts are normally embodied in the forensic artifacts collected and preserved by the forensic investigator, or in communications with the threat actor(s). Those artifacts and communications are producible in litigation and producible to a regulator, which allows others to examine them, engage in their own analysis (which may replicate the analysis that occurred under privilege), and draw their own conclusions. What an adversary or regulator cannot do is piggyback on solicitor-client communications to understand how the lawyer and client viewed all the nuance of the issue.

This is an important point to understand because it answers some unfounded concerns that privilege is a tool of obfuscation. It is not.

Privilege must be respected, though. There’s a now famous case in Canada in which an organization attempted to claim that recorded dialogue with a threat actor was privileged because the communication was conveyed to counsel by an expert retained by counsel. The Court rightly held this was overreach. The threat actor dialogue itself is fact. The same goes for forensic timelines: the underlying events are fact, even though the timeline as written is privileged because it is recorded in a privileged report. In litigation, this does help put some burden on an adversary to analyze the evidence themselves and develop their own timeline. But it’s unwise to tell a regulator, “I’m not giving you a timeline because the only place it’s recorded is in my privileged report.” Withhold the precise framing of the timeline in your report. Keep any conclusory elements, evaluations, and qualifications confidential, too. But give the regulator the facts. That’s all they want, and it should spare you a pointless privilege dispute.

From the zone of privilege to the public

I explain to our incident response clients that we work with them in a zone of privacy or privilege that is a safe communication zone. It is like a staging area for evidence, where we can sit with evidence, understand it, and determine what is and is not fact. The picture of an incident is formed slowly over time based on investigation. Things that seem the case are often not the case, and assumptions are to be relied upon cautiously.

It is our role, as counsel, to advise the client on what is safe to treat as fact. Once fact, it can be pushed out of the zone of privilege to the public in communications. It is at this point the communication will live on the public record and be used as evidence, so we carefully vet all such communication by asking four questions:

  • Is there any speculation? Are all facts accurately described? Are all facts clearly described?
  • Are there commitments/promises? Are they achievable?
  • Does the communication accurately convey the risk? If it raises alarm or encourages action, is that justified? Or will we cause stress for no good reason?
  • Does the communication reveal anything said under privilege (which can waive privilege)?

Our duty is to our client, and our filter is to protect our client, but it also benefits the public because it ensures that incident communications are clear and reliable. This is hard work, and the heavy scrutiny that always comes later can reveal weaknesses, even in word choice. But by and large, organizations with qualified incident response counsel achieve transparency and engender stakeholder and public understanding and confidence.

Good notification takes time

Any organization whose network is compromised can contain the incident, and then an hour later announce, “If you have ever been employed with us or been a client of ours, your information may have been stolen.” This will almost always be a true statement, but it’s also a meaningless and vast over-notification. Good legal counsel lead their clients to investigate.

Investigation takes time. Determining what has been taken, if anything, is the first step. If you do that well, it can take about a week. But that is only the start. Imagine looking at a listing of 453,000 files, delivered to you by a threat actor without any file path metadata. The question: who is affected? Your file share is encrypted, so you do not even have readable copies of the files yet.
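To make the scale of that problem concrete, here is an added illustration (it is not code from the original post, and it is not how any particular counsel or vendor works) of a first-pass triage over a threat actor’s file listing. The listing format (bare filename and size, no paths), the keyword table and the sample entries are all constructed assumptions. The point it makes is the one in the paragraph above: filename heuristics can sort out obvious noise and obvious business records, but everything that might contain personal information still has to be opened and read before anyone can say who is affected.

```python
"""First-pass triage of a threat-actor file listing by filename alone.

Added illustration, not from the original post.  The listing format,
the keyword rules and the sample entries below are constructed assumptions.
"""
import re
from collections import Counter

# Constructed sample.  Ransomware "proof" listings often give only a bare
# filename and a byte size, with directory paths stripped (assumption).
SAMPLE_LISTING = """\
payroll_2022_final.xlsx  1204331
IMG_4412.jpg  2211904
Smith_J_medical_history.pdf  88213
board_minutes_march.docx  45211
emergency_contacts.csv  10223
readme.txt  412
Smith_J_medical_history.pdf  88213
thumbs.db  6144
employee_SIN_list_OLD.xls  90234
vendor_invoice_0091.pdf  30112
"""

# Keyword heuristics (assumption).  First matching rule wins, so the
# "personal information" rule is checked before the others.  The SIN rule
# uses lookarounds so that it does not fire on words like "business".
RULES = [
    ("likely_personal", re.compile(
        r"(payroll|(?<![a-z])sin(?![a-z])|ssn|medical|health|"
        r"emergency_contact|employee|student|patient)")),
    ("likely_business", re.compile(r"(invoice|minutes|contract|vendor|budget)")),
    ("likely_noise", re.compile(r"^(thumbs\.db|desktop\.ini|\.ds_store|readme\.txt)$")),
]
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".heic"}


def parse_listing(text):
    """Return a list of (name, size) tuples; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # not "name size"; leave it for a human
        entries.append((parts[0], int(parts[1])))
    return entries


def classify(name):
    """Bucket a filename.  Anything not clearly noise or business needs eyes on it."""
    lower = name.lower()
    for label, rx in RULES:
        if rx.search(lower):
            return label
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in IMAGE_EXT:
        return "image_needs_review"
    return "unknown_needs_review"


def triage(text):
    """Deduplicate exact repeats, bucket by heuristic, and count what still needs review."""
    entries = parse_listing(text)
    unique = sorted(set(entries))
    counts = Counter(classify(name) for name, _ in unique)
    # Personal-information candidates must be opened to identify individuals;
    # unknowns and images must be opened just to find out what they are.
    needs_review = counts["likely_personal"] + sum(
        v for k, v in counts.items() if k.endswith("needs_review"))
    return {
        "total": len(entries),
        "unique": len(unique),
        "by_class": dict(counts),
        "needs_human_review": needs_review,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the script removes one duplicate and sets aside the noise and the two business records, but five of the nine unique files still have to be opened, and nothing in the listing says which population “Smith_J” belongs to. Scale that to 453,000 names with no paths and the weeks described above follow.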

Is it any wonder that organizations notify weeks and months after they are attacked? You cannot rightly blame the lawyers or their clients for this. It is hard work. If an organization elects to spend six figures and four months on e-discovery to conduct file level analysis, it will be able to send a letter to each affected individual that sets out a tailored list of exposed data elements. Our regulator in Ontario has called this “the standard,” at the same time opening the door to more generalized notifications. We are moving now to population based notifications, while still trying to be meaningful. Consider the following:

All individuals who received service x between date 1 and date 2 are affected. The contact information of all such individuals has been exposed (phone, e-mail and address as provided). About a third of the individuals in this population provided an emergency contact. The identity of this person and their phone number was also exposed.

I am explaining this because time to notify is the easiest thing on which to criticize an organization. Time to notification is visible, and far easier to understand than the process I have described here is to explain to mass audiences. Believe me, though, it is a very demanding challenge on which incident response counsel spend significant time and energy with their clients and data processing vendors, all with the aim of giving earlier and more meaningful notifications.

Conclusion

Cyber incident response counsel are essential for effective and transparent incident management. They facilitate clear communication, crucial for stakeholder confidence and the fulfilment of obligations. Privilege, often misunderstood, enables open lawyer-client communication, improving decision-making. It’s not a tool to hide facts. Counsel guide clients through investigations and notifications, ensuring accuracy and avoiding speculation. Notification delays often stem from the complex process of determining breach scope and identifying affected individuals. Counsel help balance speed and quality of notification, serving their clients first, but also the public.

NSCA outlines the “law of redaction”

Exactly when should an entire document be withheld because redaction is not reasonable?

Freedom of information adjudicators have used the concept of “disconnected snippets” to delineate; if redaction would leave a reader with meaningless “disconnected snippets,” entire records can rightly be withheld.

The Nova Scotia Court of Appeal, on August 7th, applied similar logic in determining that a set of affidavits “could not be redacted without sacrificing their intelligibility and therefore the utility of public access.” It therefore held that the affidavits could be sealed in whole in compliance with the necessity component of the test from Sherman Estate.

Notably, the Court reviewed cases that establish a second basis for full record withholding – cost. In Patient X v College of Physicians and Surgeons of Nova Scotia, the Nova Scotia Supreme Court held that redacting a 120-page record would be too “painstaking and prone to error” given it included a significant number of handwritten notes. And in Khan v College of Physicians and Surgeons of Ontario, the Ontario Superior Court of Justice reached a similar finding given the record requiring redaction was almost 4,500 pages in length, requiring an error prone hunt for (sensitive) patient information.

Back to freedom of information, where costs are passed through to requesters. In Ontario, the norm is to charge for two minutes a page for redaction. Should a premium be chargeable for handwritten records or records that contain very sensitive information?

Dempsey v. Pagefreezer Software Inc., 2024 NSCA 76 (CanLII).

FCA revives longstanding test for protective orders in IP disputes

On February 17th, the Federal Court of Appeal re-clarified that protective orders ought to be granted based on the test set out in AB Hassle, i.e., when “the moving party believes that its proprietary, commercial and scientific interests would be seriously harmed by producing information upon which those interests are based.” It held that the application of the more restrictive test for confidentiality orders set out in Sierra Club was not warranted.

Canadian National Railway Company v BNSF Railway Company, 2020 FCA 45 (CanLII).

Some relevant comments on e-discovery in recent Ontario order

Master Calum McLeod – long time member of the Sedona Canada Working Group – was recently appointed a judge of the Ontario Superior Court of Justice. On June 6th, still sitting as master, he issued an order that addressed a number of e-discovery issues. Here are some snippets of Master McLeod’s views.

…on the utility of manually producing a Schedule A

This is not a new problem. But it is a problem that is greatly compounded when dealing with any significant amount of electronically stored information. In such cases, listing and describing all relevant documents is virtually impossible and threatens to become a hugely expensive make work project of little practical utility. What is required instead is to unearth the important and probative documents that will be necessary to prove or disprove facts that are in issue.

Under the Sedona Canada Principles incorporated into the rules, counsel are to actively co-operate in formulating a practical discovery plan. Counsel are required to seek agreement on the subset of potentially important relevant information and how it is to be located, preserved, exchanged, organized, described and retrieved. Some form of mutually acceptable electronic indexing that permits rapid identification and retrieval of each document should be adopted for purposes of production, discovery and trial. It is for this reason that the parties are now expected to engage in a collaborative discovery planning exercise in which they are to robustly apply the principle of proportionality.

Of course, production through the affidavit of documents process is not the end of the story. There are at least four other ways to extract documents from the other party. The first is a demand to inspect documents under Rule 30.04, the second is by listing documents in the Notice of Examination, the third is by cross examination on the affidavit of documents as part of the discovery process and the fourth is by obtaining disclosure and undertakings through the discovery process itself.

… on the use of shared document repositories

In the case at bar, the record is replete with technical production problems and unilateral attempts to satisfy production obligations. Malfunctioning USB keys, courier delivery of hard copies, delivery of copies on DVDs and refusal to make use of web based technology such as Google Docs are some examples. While there are many issues with cloud based storage of sensitive documents almost all of these can be overcome. The advantages and speed of a secure web based document vault utilizing standardized document formats and software should be readily apparent. Correctly utilized, such tools can eliminate production delays and arguments about who produced what and when.

… on providing access to cloud-based evidence as an alternative to production

As I understand it, the defendant is not taking the position that the logs are not relevant, they are simply inviting the plaintiffs to access the information themselves. They have not listed the Google logs in the affidavit of documents. As I indicated earlier, there is much to be said for web based production and the use of document vaults. This is not the same thing as inviting the other party to access the originals of the web site and to extract their own information without concern for forensic continuity or admissibility of the evidence. Counsel should not be put in the position of becoming a witness as to the provenance of documents.

For more, see:

Thompson v Arcadia Labs Inc, 2016 ONSC 3745 (CanLII).

Party can call evidence about contents of lost video

On January 22nd, Vice-Chair Harris of the (Ontario) Grievance Settlement Board held that an employer can call testimony from witnesses who had viewed a video tape before it was inadvertently destroyed. He held that exclusion was an inappropriate remedy for inadvertent spoliation given the employer’s case rested on the proposed evidence. He also held that the proposed evidence was not hearsay and was not excluded because the best evidence was unavailable.

The overwhelming strength of the authorities is that such secondary evidence is admissible when the trier of fact is satisfied that the original existed, has been lost or destroyed and a proper explanation has been given of the absence of the better evidence. Here, that explanation has been given and accepted by the union.

Ontario Public Service Employees Union (Phagau) v Ontario (Liquor Control Board of Ontario), 2016 CanLII 7445 (ON GSB).

A broader implication of the SCC’s decision in Fearon

The Supreme Court of Canada issued R v Fearon on December 11th. A 4-3 majority held that the police can search a cell phone incident to arrest without a warrant but subject to various limitations prescribed by the Court. One always must be careful in drawing too much from the Court’s handling of a specific issue in a specific context, but the dialogue between the majority and minority about the mitigating effect of a computer inspection protocol is notable for organizations.

The majority allows warrantless searches, in part, based on a finding that the privacy impact of a cell phone search incident to arrest can be meaningfully mitigated by the application of a “tailored” inspection. Justice Cromwell explains:

First, the scope of the search must be tailored to the purpose for which it may lawfully be conducted. In other words, it is not enough that a cell phone search in general terms is truly incidental to the arrest. Both the nature and the extent of the search performed on the cell phone must be truly incidental to the particular arrest for the particular offence. In practice, this will mean that, generally, even when a cell phone search is permitted because it is truly incidental to the arrest, only recently sent or drafted emails, texts, photos and the call log may be examined as in most cases only those sorts of items will have the necessary link to the purposes for which prompt examination of the device is permitted. But these are not rules, and other searches may in some circumstances be justified. The test is whether the nature and extent of the search are tailored to the purpose for which the search may lawfully be conducted. To paraphrase Caslake, the police must be able to explain, within the permitted purposes, what they searched and why: see para. 25.

This approach responds to the privacy concerns posed by the virtually infinite storage capacity of cell phones by, in general, excluding resort to that capacity in a search incident to arrest. It would also provide these protections while preserving the ability of the police to have resort to basic cell phone data where this serves the purposes for which searches incident to arrest are permitted.

Given the Crown bears the onus of establishing a reasonable search incident to arrest, the majority makes clear that police must take “detailed notes” of their inspection process.

For the minority, the privacy interest in a cell phone is too great to permit any warrantless intrusion. Justice Karakatsanis also calls the majority’s reliance on the mitigating effect of a tailored inspection protocol “complicated,” “impractical” and inviting of “after-the-fact litigation.”

Organizations have been reckoning with an expectation of privacy on workplace computers since the Supreme Court of Canada’s 2012 finding in R v Cole. I’ve argued elsewhere that, notwithstanding Cole, the standard for employer searches will likely remain reasonably permissive. The reasoning in Fearon can be used by employers to argue for a permissive search standard. Employers should be careful, however, to (1) document the purpose of their inspections and (2) follow a logical, documented inspection process. Justice Karakatsanis is correct; litigation about the manner in which a computer inspection has been conducted is too easy to foresee.

R v Fearon, 2014 SCC 77 (CanLII).


NSCA addresses relevance, proportionality and privacy in the ordering of forensic hard drive reviews

On January 28th, the Nova Scotia Court of Appeal affirmed an order that required a plaintiff to produce a hard drive for forensic review because it contained data relevant to his lost income claim (i.e., the amount of time he spent working at a home office each day).

The Court held that the data was relevant and therefore producible subject to rebuttal by the plaintiff. It set out the following list of factors for Nova Scotia judges to consider in deciding whether or not to grant production in similar cases:

1. Connection: What is the nature of the claim and how do the issues and circumstances relate to the information sought to be produced?

2. Proximity: How close is the connection between the sought-after information, and the matters that are in dispute? Demonstrating that there is a close connection would weigh in favour of its compelled disclosure; whereas a distant connection would weigh against its forced production;

3. Discoverability: What are the prospects that the sought-after information will be discoverable in the ordered search? A reasonable prospect or chance that it can be discovered will weigh in favour of its compelled disclosure.

4. Reliability: What are the prospects that if the sought-after information is discovered, the data will be reliable (for example, has not been adulterated by other unidentified non-party users)?

5. Proportionality: Will the anticipated time and expense required to discover the sought-after information be reasonable having regard to the importance of the sought-after information to the issues in dispute?

6. Alternative Measures: Are there other, less intrusive means available to the applicant, to obtain the sought-after information?

7. Privacy: What safeguards have been put in place to ensure that the legitimate privacy interests of anyone affected by the sought-after order will be protected?

8. Balancing: What is the result when one weighs the privacy interests of the individual; the public interest in the search for truth; fairness to the litigants who have engaged the court’s process; and the court’s responsibility to ensure effective management of time and resources?

9. Objectivity: Will the proposed analysis of the information be conducted by an independent and duly qualified third party expert?

10. Limits: What terms and conditions ought to be contained in the production order to achieve the object of the Rules which is to ensure the just, speedy and inexpensive determination of every proceeding?

The Court also suggested that, although “the semblance of relevance” test for production has been abolished under the Nova Scotia Rules, in gleaning what might ultimately be relevant at trial, “it is better to err on the side of requiring disclosure of material that, with the benefit of hindsight, is determined to be irrelevant rather than refusing disclosure of material that subsequently appears to have been relevant.”

Laushway v Messervey, 2014 NSCA 7 (CanLII)

Court says no to production of 1100 Facebook photos

On September 6th, Master Muir of the Ontario Superior Court of Justice declined to order production of approximately 1100 photos that a personal injury plaintiff had posted to Facebook and shared with her friends. The plaintiff employed the “I’ve got nothing to hide” approach by filing the photos under seal with an accompanying affidavit, an approach also used effectively last year in Stewart v Kempster. Master Muir held that pictures of the plaintiff happy and socializing were not relevant and that there was no reason to believe that the plaintiff had failed to produce pictures of engagement in physical activity.

Garacci v Ross, 2013 ONSC 5627 (CanLII).

Access to e-mails, text messages and other ESI

I did double-duty today, also presenting on issues relating to control of corporate information in light of business computing trends like BYOD and cloud computing at day one of Osgoode PDP’s e-discovery certificate program. My slides are below.

Justice David Brown and Master Calum McLeod have written a number of the judgements I’ve blogged about here. I was able to stay for their lunch presentations on addressing the e-discovery burden. Justice Brown warned of a coming apocalypse (death by seppuku, to be precise) unless something gives way to break the e-discovery burden, starting with adversarial behaviour in the discovery process. Master McLeod delivered a similar message, though more from his in-the-trenches perspective – noting the wisdom of including ADR mechanisms in discovery plans and bifurcating discovery. Take note.