On August 24th, the United States District Court for the Central District of California affirmed a magistrate’s order that required the defendant in a copyright infringement action to preserve and produce data stored temporarily in a computer’s Random Access Memory or “RAM.”

The defendant operates a website that allows users to download files that are used to search and download video files. It did not log individuals’ IP addresses or instruct its third-party service provider to log IP addresses but these addresses, which can be used to identify users, were stored temporarily in RAM. The plaintiffs sued the defendant for contributing to and inducing copyright infringement and requested production of IP address logs.

In May, a magistrate ordered the defendant to start logging IP addresses and to routinely produce them in masked form and in a manner that would allow the plaintiffs to identify the regular users of the defendant’s service. In affirming the magistrate’s award, the Court simply reasoned that data stored in RAM is “stored” within the meaning of the United States Federal Rules of Civil Procedure. On the burden of preserving data from RAM, it made this somewhat comforting yet non-committal statement:

In response to amici’s concerns over the potentially devastating impact of this decision on the record-keeping obligations of businesses and individuals, the Court notes that this decision does not impose an additional burden on any website operator or party outside of this case. It simply requires that the defendants in this case, as part of this litigation, after the issuance of a court order, and following a careful evaluation of the burden to these defendants of preserving and producing the specific information requested in light of its relevance and the lack of other available means to obtain it, begin preserving and subsequently produce a particular subset of the data in RAM under Defendants’ control.

The Court also rejected a number of the defendant’s arguments related to its users’ privacy.

Columbia Pictures Industries Inc. v. Bunnel (24 August 2007, Dist. Ct. California).

This is a continuation of two earlier posts, one that spoke about an employer’s duty to maintain a harassment-free workplace as justification for routine e-mail surveillance and another that highlighted the different position that a post-secondary educational institution is in, at least vis-a-vis institutionally-administered e-mail accounts.

The United States v. Heckenkamp decision of this April is another illustration of how employers and post-secondary educational institutions are different. In it, the United States Ninth Circuit of Appeals held that a state university violated a student’s expectation of privacy by conducting a remote search of his own computer (connected to the university’s network from his dorm room) in an attempt to prevent an attack on its network. Despite this finding, the Court nonetheless held the evidence obtained was admissible in the student’s criminal trial under the American “special needs” doctrine.

I won’t comment directly on the case, but encourage you to read this good editorial by the Stanford Law School Center for Internet and Society’s Jennifer Granick. Ms. Granick focusses her critique on the Court’s application of the “special needs” exception (appropriately, as it determined the outcome of Mr. Heckenkamp’s case). She chooses not to address the subtle implication in the case that the university could have diminished Mr. Heckenkamp’s expectation of privacy, by promulgating a more strongly-worded network access policy:

In the instant case, there was no announced monitoring
policy on the network. To the contrary, the university’s computer
policy itself provides that “[i]n general, all computer
and electronic files should be free from access by any but the
authorized users of those files. Exceptions to this basic principle
shall be kept to a minimum and made only where essential
to . . . protect the integrity of the University and the rights and
property of the state.” When examined in their entirety, university
policies do not eliminate Heckenkamp’s expectation
of privacy in his computer. Rather, they establish limited
instances in which university administrators may access his
computer in order to protect the university’s systems. Therefore,
we must reject the government’s contention that Heckenkamp
had no objectively reasonable expectation of privacy
in his personal computer, which was protected by a screensaver
password, located in his dormitory room, and subject to
no policy allowing the university actively to monitor or audit
his computer usage.

This raises some interesting questions given that a post-secondary institution has a relationship with its student users that’s much like a relationship between a commercial internet service provider and its customers. Would a commercial ISP have felt compelled to search Mr. Heckenkamp’s computer to protect its network? Would privacy legislation permit the a commercial ISP to impose a condition of service that allowed it to conduct such a search? Are guarantees of academic freedom a reason for post-secondary institutions to be even more cautious than a commercial ISP in promulgating search-friendly network access policies?

These are all important questions. Of course, employers are in a different position than commercial ISPs and post-secondary institutions because they can establish policy to restrict employees from connecting their own computers to their networks. To the extent employers choose to depart from this ideal (by allowing employees to remotely access their networks from their own computers, for example), they open up a world of risks, one of which is well-illustrated by Heckenkamp.

Thanks goes to my colleague Paul Broad of our privacy group for his great input on this post.

This significant data breach case recently came to my attention. In it, the Southern District Court of Ohio dismissed a motion to certify a class proceeding because the plaintiff had not alleged any damage other than the cost of obtaining credit monitoring services.

The defendant, a mortgage loan service provider, experienced a break-in in August 2005. The thieves took over $60,000 in computer hardware, including four hard drives containing the personal information of over 229,000 individuals. About four weeks after the break-in, the defendant notified individuals of the breach. In its notification letter, the defendant recommended that affected individuals place a fraud alert on their credit files but did not offer to pay for credit monitoring services.

The plaintiff claimed the defendant was negligent in securing the hard drives and negligent in terminating its internal investigation of the breach before identifying the perpetrators. The resulting loss, as alleged in the claim, was the cost of obtaining credit monitoring services “for many years” and “at great expense.”

The Court held that the plaintiff did not have standing to bring a claim in negligence because she did not establish a genuine issue of material fact in respect of her own claim. It cited a series of American cases from the last two years for the proposition that the cost of responding to an increased risk of identity theft, when merely speculative, is not an actionable loss. The following paragraph is a nice summary of the factual basis for the Court’s decision:

Although the above cited cases are not binding on this Court, this Court finds them to be persuasive. Plaintiff has admitted, that to her knowledge, no unauthorized use of her personal information has occurred. She has not been a victim of identity fraud since the theft, which occurred 20 months ago. Additionally, Plaintiff waited until almost one full year after the theft to obtain credit monitoring and chose not to place a free fraud alert on her credit report. She also failed to allege in her complaint that the information was the target of the theft. Although in her briefs she theorizes that the break-in was an “inside job” and that the information was targeted there is no evidence to support this. The four hard drives were among $60,000 worth of equipment that was stolen from the server room. There is no evidence that the information was the target of the theft as opposed to the actual hard drive themselves. Neither the Atlanta Police Department nor the private investigator hired by Litton came to any such a determination. Furthermore, even if the information was the target of the theft, there is no evidence that the thieves or other unauthorized individuals were able to access that information or if accessed that it would be used for unlawful purposes. Thus, any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.

Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 205, 706-07 (S.D. Ohio 2007).

On August 16th the keepers of the Canadian E-Discovery Case Law Digest posted an update. I say “keepers” because the Digest now notes that it is maintained by the Sedona Canada Working Group, a group which I have just joined. I’ll have to find out how I can make a contribution because it is a great resource.

Also, I just listened to the first edition of “The ESI Report,” an e-discovery podcast broadcast on the Legal Talk Network (originally posted on August 13th).

I was most interested in the discussion of Columbia Pictures Industry v. Bunnel and the May 29th preservation order of the California Central District Court, which is notable as the first American case in which a party to a legal action has been ordered to preserve and produce data stored temporarily in a computer’s Random Access Memory.

In Bunnel, the defendant operates a website that allows users to download files that are used to search and download video files.  It did not log individuals’ IP addresses or instruct its third-party service provider to log IP addresses but these addresses, which can be used to identify users, were stored temporarily in RAM.  The plaintiff sued the defendant for contributing to and inducing copyright infringement and requested production of IP address logs to identify the direct copyright infringers.

The Court ordered the defendant to start logging IP addresses and to routinely produce them in masked form and in a manner that would allow the plaintiff to identify the regular users of the defendant’s service.  It held that IP addresses were existing records, were relevant to the action and were not unduly burdensome to produce.  It rejected numerous arguments that the privacy rights of the site’s users weighed against the order.

On June 28th the Information and Privacy Commissioner/Ontario upheld a fee estimate that involved an extensive process of retrieving e-mails.  The Ministry had nine individual custodians conduct electronic keyword searches of their own workstations using a number of specified terms.  The custodians spent time opening e-mails and other documents to determine whether they were responsive.  The Ministry also searched shared directories (presumably using the same terms). 

The IPC held the Ministry’s field filtering process was reasonably efficient and that the Ministry had established the basis for its estimate.  Note that only the efficiency of the search (and not its quality) was under appeal.

Order PO-2592 (Ontario Secretariat for Aboriginal Affairs) (I.P.C. Ont.).

I gained a penchant for diagrams during my foray into the business world that I make no apologies for!

I’d like to build this post around the diagram below, which illustrates a very common model by which employers manage medical information – i.e., one in which the employer seeks information from an employee’s treating physician through its own medical adviser. 

 

The point I’d like to make is that role definition is key to effective medical information management.  When there is confusion about the players’ roles and responsibilities (especially vis-a-vis confidential medical information) the management process tends to break down.

Relationship “A” is the employment relationship.  In most cases employers cannot obtain employee medical information without express written consent, but employees have a duty to consent to the release of medical information when it is reasonably necessary to the administration of the employment relationship.  Employers typically need medical information for four purposes:  (1) to determine the validity of an absence, (2) to determine eligibility for an income protection benefit, (3) to develop accommodation plans and proposals and (4) to ensure that employees can safely return to work.

In Ontario, section 49 of the Personal Health Information Protection Act requires employers to use and disclose medical information for only those purposes specified in the written medical release (ordinarily, the four noted above) and, essentially, share information internally on a need to know basis.

Relationship “B” is the treatment relationship.  An employee’s treating physician has a professional and legal duty to act in the employee’s best interests.  This does not mean that a physician must let a patient dictate his or her opinion.  To the contrary, abdicating professional judgment in this manner is a breach of a physician’s duty.  In this regard, the Ontario Medical Association has helped physicians reconcile employee and employer interests by advising them of the health-related benefits of a safe and early return to work.

Treating physicians also have a professional and legal duty to maintain patient confidentiality.  They are subject to the full range of “health information custodian” rules in PHIPA, and may only release medical information to employers based on written consent.

Relationship “C” is either an employment or contractual relationship.  Employers often retain the services of medical professionals to act on their behalf.  These professionals typically (1) take custody of medical information received pursuant to a release and share it with management as permitted by the medical release and on a need to know basis, (2) evaluate and make objective recommendations to the employer about the sufficiency of information provided and (where it is sufficient) about eligibility for paid or unpaid leave, accommodation plans and return-to-work and (3) act as the employer’s liaison (and advocate) with the treating physician.

The medical adviser does not have independent legal or professional duties to the employee.  He or she acts as the employer and shares the employer’s section 49 duty.  Does he or she nonetheless play an important role in medical confidentiality?  Yes.  The medical adviser role helps create a confidentiality screen.  By taking immediate custody of the medical information on behalf of the employer, he or she is the means by which the “need to know” rule is given effect.  This is a difficult role, and sometimes out of a sense that he or she has an independent duty of confidentiality to the employee, the medical adviser takes a position at odds with the employer.  This type of conflict can generally be avoided by establishing reasonable and PHIPA-compliant policy to guide the internal distribution of medical information received pursuant to a medical release.

The advisory model described above is common, but there are other models by which employers seek and obtain medical information they need to make employment-related decisions.  In the Ontario Bar Association’s latest Eye on Privacy, I wrote an article called, “Understanding Church and State – The Occupational Health and Safety Department and PHIPA” I elaborated on Relationship “C” and briefly discussed how the legal duties change when an employer actually provides health care to its employees.  I missed an opportunity to draw diagrams in that article, but if you’re interested in this topic you may nonetheless find them helpful.

In my post yesterday I suggested that employers in some circumstances may be presumed to have constructive knowledge of employee e-mails and that this may justify routine e-mail monitoring.

Let’s push the idea of constructive knowledge a little further.

Consider the Virginia Tech shooting. Let’s say Cho Seung-Hui, the troubled 23-year-old shooter, had an accomplice and let’s say Cho and the acomplice planned the shooting by way of e-mail exchange. Could the University be liable for failing to take reasonable steps in response to the e-mail exchange? In other words, would it have breached a duty (either a civil duty or perhaps one based in occupational health and safety legislation) to monitor its e-mail system to identify threatening e-mails and respond appropriately?

I’ve been thinking lots about the privacy-related implications of Virginia Tech and wrote about it with my colleague Catherine Peters several months ago. As universities and colleges across North America are thinking through their security-related policy, I wouldn’t be surprised if routine, software-aided e-mail surveillance is under consideration at one or more institutions.

Could it be justified on the basis of a competing legal duty? The most directly-applicable case law is American, and tends to suggest the answer is “no.”

In Shin v. MIT the Commonwealth of Massachusetts Superior Court allowed a wrongful death action to proceed against a suicidal student’s residence don and MIT’s dean of student affairs – finding they did have a duty to take reasonable steps to secure the student’s short term safety. The case caught the attention of colleges and universities who would argue (as MIT did) that the relationship between a student and a post-secondary educational institution is not close enough to warrant a duty to protect students from harming themselves and others. The duty endorsed by the court is seemingly triggered by the formation of a quasi-custodial relationship marked, in its words, by the “imminent probability of harm.” On this reasoning, at some point after a student is designated “at risk” (voluntarily or otherwise) a school’s duty crystallizes. At the same time, the student’s right to privacy becomes diminished.

As for the duty to protect the campus community at large (where the risk is generalized rather than specific), the duty is more likely to conflict with privacy rights. This is well-illustrated by another Commonwealth of Massachusetts Superior Court decision – Bash v. Clark University from last November. The student who attended at Clark and died from a heroin overdose at the end of her freshman year was far from trouble-free. In her one year at the university she had been noted a number of times for alcohol related misconduct, placed on academic probation, referred to counseling and questioned about drug use (where she admitted trying heroin). The Court held the University and its administrators did not owe the student a duty of care. It made the point that the standard for the imposition of a duty is high because of competing “social values,” including privacy values:

Third, recognition of the existence of a legal duty on the part of university officials and staff in this case would conflict with the expanded right of privacy that society has come to regard as the norm in connection with the activities of college students. The incursion upon a student’s privacy and freedom that would be necessary to enable a university to monitor students during virtually every moment of their day and night to guard against the risks of harm from the voluntary ingestion of drugs is unacceptable and would not be tolerated.

So short of some threshold – which is high according to this Court’s reasoning – a school’s duty is limited and student privacy rights remain undiminished. This certainly weighs against a duty and corresponding right to conduct routine e-mail surveillance as a means of managing the risk of catastrophic on-campus violence. It also supports an argument that a university or college will not likely be held to have constructive knowledge of e-mails sent over its system in the same manner as would other organizations.

While this reasoning may not give university and college administrators comfort when contemplating the Cho Seung-Hui scenario presented above, they can and should take other steps to assess and monitor potential threats (including reasonable grounds e-mail searches). If they are confident that these means will not be effective, depending on local laws, routine e-mail monitoring may still be an option. My only point, and I hope it’s a useful one, is that privacy rights must fit with (and be limited by) competing legal duties.

Just when is an organization’s e-mail system a record of its conscience?  And if it is, does this justify routine e-mail surveillance?

People haven’t been talking about e-mail surveillance in the workplace for some time now.  Even video surveillance is a little passe, with far sexier monitoring technologies like GPS, biometrics, keystroke monitoring and RFID implants taking centre-stage.

The reality is that there’s never been a business case for routine monitoring of employee e-mails.  Who’s got the time to read through employee e-mails?  With broad “no expectation of privacy” statements in almost every employer’s computer use policy backed by a practical restraint on doing anything more than reasonable grounds searches, the law on e-mail monitoring has seemed in balance for the last half-decade.

Is this about to change?  Here is some evidence that the answer is “yes.”  First, we heard about the aggressiveness of the United States domestic security program since 9/11.   Professor Daniel Solove’s recent article does a fine job of describing its “Total Information Awareness” project, a data-mining initiative.  Then back in April, Fortune 500 retailer came under some heat when a fired security worker exposed the extent of the company’s surveillance activity, which apparently includes (or included) software-supported monitoring of its computer systems.  My last piece of evidence in anecdotal.  A forensic accountant friend of mine suggested to me a few week’s back that data-mining software is in use in at least some organizations as part of their corporate governance initiatives.

Assuming that routine e-mail monitoring is coming into its time, when is it likely to be justified?

To start, Canadian labour arbitrators (the only Canadian decision-makers who have regularly had the opportunity to address the validity of e-mail surveillance) have taken a different approach to computer systems surveillance than other forms of surveillance.  Rather, than balance business interests against employee privacy rights, they’ve arguably applied a more employer-friendly approach that has centred on the property rights of a system owner:  “It’s your property so you can assert absolute control over users’ expectation of privacy.”  This approach may seem offensive to privacy advocates, but it’s consistent with the balancing approach when one considers competing legal duties and whether the employer will be deemed (in an assessment of whether it has discharged such duties) to have constructive knowledge of the transitory and non-business communications made through its system.

Take the duty to provide a harassment-free workplace for example.  Starting with the Supreme Court of Canada’s Robichaud case, courts and tribunals have placed a very high standard of due dilligence on employers to root out and stop workplace harassment.  The premise is that employees are vulnerable and only the employer (who controls the workplace) has the ability to protect.  Although the standard is not one of strict liability, any employer that receives a harassment complaint, searches for responsive e-mails and only then discovers a harmful and longstanding dialogue should be very concerned.  Is it any coincidence that some of the hardest-fought e-discovery cases in the United States – including the Zubulake case – are harassment cases?

As offensive as routine e-mail monitoring seems, I wouldn’t rule it out.  Your average corporate counsel today will squirm if you ask her what she thinks is being sent over her company’s computer system.  At least under Canadian harassment law, the corporate computer system is treated as a record of the corporate conscience.  Constructive knowledge is presumed and, in my view, very difficult to rebut.  The ideal e-mail system would file all business e-mails into a logical structure and immediately obliterate everything else, but the greatest document management system in the world won’t achieve this ideal.  Does this make routine monitoring a justifiable alternative?

I plan on following this post with another on college and university computer systems, constructive knowledge and the duty of care to prevent incidents of catastrophic violence like what happened at Virginia Tech.  I feel very cool about the use of routine surveillance in this context.  Please come back to hear why.