The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is about a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – such attention given at a time in which sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

Ont CA rejects Charter challenge to health regulator investigation power

Today, the Court of Appeal for Ontario held that the power to issue a summons without judicial authorization that is granted to investigators appointed under the Health Professions Procedural Code complies with section 8 of the Canadian Charter of Rights and Freedoms.

Section 76(1) of the Code gives investigators appointed by a college of a regulated health profession the power to summon a person to give evidence on oath or produce evidence relevant to the subject matter of an investigation. The appellant – a doctor whose license was revoked for engaging in acts of sexual misconduct with three boys – argued that the power is wide-sweeping, prone to misuse and disproportionate in light of the legislative purpose underlying the Regulated Health Professions Act and its Code.

The Court dismissed this challenge.

In interpreting section 76(1) (subsequently amended), the Court held that it creates a power to inquire into all forms of professional misconduct and not merely inquire into the treatment of patients. Though this scope is associated with a greater intrusion into members’ private lives, the Court noted that the profession itself controls the scope of the conduct it regulates by articulating what “otherwise private” activity constitutes professional misconduct. It further held that section 76(1) is narrow in the sense that it only authorizes a seizure of information that is relevant to an investigation that has been duly authorized under the Code based on reasonable and probable grounds. The Court held that the registrar of a college must specify the misconduct alleged in authorizing an investigation so that an investigator’s powers are properly constrained, but also held that the Code‘s failure to require such specification did not render it unconstitutional.

The Court then endorsed the Divisional Court’s finding that the power in section 76(1) is reasonable based on the following factors:

  •  The investigation it supports is a regulatory investigation and not a criminal or quasi-criminal investigation.
  • A power of summons is less intrusive than a power to enter and search a premises because it can be challenged prior to being answered.
  • Appointment by a college based on a belief in misconduct on reasonable and probable grounds is a precondition to exercising the summons power.
  • There is a strong public interest in regulating health professionals.

The Court also dealt with an abuse of process/delay argument that I have not covered here.

Sazant v College of Physicians and Surgeons of Ontario, 2012 ONCA 727.

Does Criminal Responsibilty Still Require a “Guilty Mind”?

Here‘s a thought-provoking article from the Wall Street Journal on the increasing number of offences, under U.S. criminal law, which do not require the state to prove that the accused had mens rea, or a “guilty mind”.  It is somewhat surprising that this development should occur in the United States – birthplace of the Bill of Rights, which has inspired constitutional protection of citizens’ fundamental legal rights in liberal democracies around the world.

Canadian jurisprudence provides an interesting contrast to the recent U.S. experience.  Ever since the Supreme Court of Canada’s decision in R. v. Sault Ste. Marie, which predated the Canadian Charter of Rights and Freedoms, Canadian courts have recognized three different categories of criminal or regulatory offences:

1) “true criminal” offences, which require proof of criminal intent beyond a reasonable doubt;

2) strict liability (or “public welfare”) offences, where it is open to the accused, once the prohibited act has been proven beyond a reasonable doubt, to avoid liability by proving that she or he exercised all due care to avoid the infraction; and

3) absolute liability offences, where proof of the prohibited act automatically results in conviction, without regard to the accused’s intent.

In subsequent decisions following the adoption of the Charter, the Supreme Court has provided further guidance on the state’s ability to create offences which do not require proof of criminal intent.  In Re B.C. Motor Vehicle Act, the Court found that an absolute liability offence which included the possibility of a prison sentence was contrary to the principles of fundamental justice guaranteed by s. 7 of the Charter.  However, in R. v. Wholesale Travel Group, the Court found that strict liability offences, as recognized in R. v. Sault Ste. Marie, are consistent with the Charter, even though they place a reverse onus on the accused to establish due diligence.

Canadian jurisprudence has struck a balance between requiring the state to prove a guilty mind in the case of true criminal offences, and allowing a reverse onus, or even absolute liability in some cases, for regulatory offences designed to protect public welfare, many of which regulate workplace activities.

Time will tell how U.S. courts reconcile the development of offences which do not require proof of a “guilty mind” with the protections of the Bill of Rights.

Question of Remedy for Privilege Breach Back to Securities Commission in Knowledge House Affair

On Thursday, the Nova Scotia Court of Appeal issued a judgement about the Knowledge House affair, which has become as notable for the handling of an e-mail server containing solicitor-client communications as for the securities law issues at its heart.

In 2005, Justice Scanlan issued a scathing judgement in which he rejected an argument that certain individuals had waived privilege by sending communications over a company-owned server. In the result, he ordered removal of counsel who had seized the server and reviewed e-mails in prosecuting a civil claim on behalf of National Bank Financial Limited.

The Nova Scotia Securities Commission obtained privileged communications from NBFL and allegedly reviewed them in aide of its investigation. The Court of Appeal dealt with the affected persons’ quest for a remedy against the Commission in 2006. Justice Cromwell (as he then was) held that the affected persons’ application for certiorari was premature, but said the Commission should take “serious and immediate steps” to do right. The Commission did not respond to the Court’s suggestion by initiating proceedings to resolve the privilege issue. Instead, it issued formal allegations. The affected persons then moved before the Commission for a remedy. In June 2010, after numerous intervening proceedings, the Commission held that the privilege breach issue should not be bifucated and dealt with in advance of the merits of the Commission’s allegations.

Thursday’s decision is strictly procedural. Though it recognized that the hanging investigation and privilege question has been “stressful and costly” for the affected persons, the Court held that the delay in hearing the request to remedy the privilege breach was understandable and that the request for a remedy could be dealt with by way of a voire dire at the commencement of the hearing of the Commission’s allegations. It upheld the Commission’s decision.

Wadden v. Nova Scotia (Attorney General), 2011 NSCA 55.

The Far Reach of the CRA

When employers provide employee benefits, they are required to include the value of the taxable benefits in the income of employees.  If an employer does not properly report the taxable benefit, the Canada Revenue Agency (“CRA”) has considerable power to require employers to disclose the names and related information of the taxpayers who enjoyed the taxable benefit.  As discussed in Minister of National Revenue v. Lordco Parts Ltd., this also applies if a business provides taxable benefits to its customers.

Following an audit of Lordco, the CRA noted that Lordco established an incentive program, which included a bi-annual cruise for its customers who had earned rebates based on the volume of their purchases of Lordco products.  The customers could purchase tickets for the cruise using the rebates.  Corporate customers nominated individuals to attend the cruise as representatives.  Only 30% of the cruise related to business activities.

According to the CRA, Lordco was required to report the benefits enjoyed by the individual attendees.  When Lordco failed to complete such reporting, the CRA issued a “named requirement” requiring Lordco to provide a list of the individuals who attend the cruise.  Lordco refused to provide any names, addresses or registration forms, on the basis that the information related to unnamed third party individuals.  The CRA applied, without notice , for an order of the Federal Court requiring Lordco to produce “information and documents relating to certain persons whose identities are unknown to the Minister”, being the individual representatives of customers of Lordco.

The Federal Court granted the order, recognizing that obtaining information relevant to the tax liability of some specific person(s) whose tax liability is under review is a purpose related to the administration or enforcement of the Income Tax Act (“ITA”) and does not violate any rights of taxpayers under section 8 of the Charter of Rights and Freedoms (the Supreme Court of Canada has previously stated that taxpayers do not have a high expectation of privacy in relation to documents concerning tax matters).

The CRA is permitted to request third party information related to unknown persons with the authorization of a judge.  Two conditions must be met for an order to be made: (i) the individual or group is ascertainable; and (ii) the production is necessary to verify compliance with the ITA.  Finding both conditions met in this case, the Federal Court ordered that the CRA was authorized to impose a requirement to produce the information regarding the customers who went on the cruise, failing which Lordco could be subject to fines under the ITA up to $25,000 or both fine and imprisonment up to 12 months.

This is a reminder of how far the CRA’s reach can be extended when it comes to obtaining information for the purpose of identifying tax payers and ensuring compliance with the ITA.  Employers and businesses are not able to refuse production on the sole basis that the information pertains to unidentified third parties (e.g., representatives of corporate customers) when the CRA is attempting to verify compliance with the ITA.

Case Report – Court won’t order disclosure of health professional’s identity

On January 27th, the British Columbia Supreme Court denied a request for an order requiring an online contact lens and eyeglass business to disclose the identity of an eye care professional it employs.

The College sought the identity of the registrant who worked for the respondents (affiliated companies) in the course of an investigation. The College applied to the Court for an order based on the Court’s equitable jurisdiction (a Norwich Pharmacal order), or alternatively, its inherent jurisdiction (in aide of an inferior tribunal).

The Court held that an order should not be made on either basis. This was partly based on a finding that the evidence did not show the unidentified registrant was involved in the matter under investigation. The Court also held that an order would not be appropriate in light of the statutory powers granted to the College. The Court suggested that the College had ample means to identify the registrant without relying on the Court, noting its power to inspect the premises and records of a registrant, the possibility of asking for warrant to search a non-registrant’s premises and the possibility of requiring registrants to file their business address and telephone number.

College of Opticians of British Columbia v. Coastal Contacts Inc., 2010 BCSC 104 (CanLII).

Case Report – Whistle-blower leaks privileged report to Crown… charges stayed

Today, the Ontario Court of Appeal allowed an appeal of a noteworthy case about breach of privilege by the Crown.

The case involves an investigation report prepared at the request of external legal counsel after a critical injury for which Occupational Health and Safety Act charges were ultimately laid. An employee who was given a draft of the report on the undertaking he destroy it gave a copy to the Crown. This was after the company had asserted privilege to the Ministry inspector, who had agreed not to order the report’s production.

When the Crown disclosed the report to the company in its Stinchcombe production the company immediately objected, and at trial moved before a justice of the peace for a declaration (that the report was privileged) and a stay. It initially succeeded in obtaining a declaration, a stay and an order for $38,000 in legal costs. On appeal to a judge, the Court overturned the stay and the costs order. It held that the proper remedy for breach of the defendants’ section 8 rights was an order excluding the report and that the motion for a stay based on prejudice to trial fairness was premature.

In allowing the appeal, the Court of Appeal started by minimizing a statement made by the justice of the peace about the reporting being “primarily informational.” It held the lower court had found the report was subject to solicitor-client privilege and that this point was not challenged in the appeal.

The Court of Appeal then held that the presumption of prejudice endorsed by a majority of the Supreme Court of Canada in Celanese applies when the Crown comes into possession of a defendant’s solicitor-client communications:

Counsel for the Crown in this court sought to distinguish Celanese on the basis that it was a civil case in which the appellants were “attempting to utilize a civil onus to achieve a criminal result”. I reject this submission. In my view, the above cases support the proposition that when the Crown comes into possession of a defence document that is protected by solicitor-client and litigation privilege, prejudice to the defence will be presumed. The presumption, however, is rebuttable.

On the facts, the Court of Appeal held that a stay was the appropriate remedy. The basis for the finding is narrow. It stressed that the justice of the peace had made a specific finding that the report set out items that could be used to the disadvantage and prejudice of the defendants and held that the Crown had not led any evidence about its distribution and use of the report to rebut the inference.

R v. Bruce Power, 2009 ONCA 573.

Case Report – Ontario’s top court affirms order granting compelled observation of surgery

Today, the Ontario Court of Appeal held that investigators appointed under the Ontario Health Professions Procedural Code have the power to compel observation of surgery conducted by an investigated physician and the power to compel an individual physician under investigation to submit to an interview.

Registrars of the self-regulating colleges may appoint investigators to look into whether a member has committed an act of misconduct or is incompetent. They must report the results of an investigation to a committee which, in turn, decides whether to proceed with discipline or incompetence charges in accordance with the procedures outlined in the Code. Investigators enjoy the following grant of power:

An investigator may inquire into and examine the practice of the member to be investigated and has, for the purposes of the investigation, all the powers of a commission under Part II of the Public Inquiries Act.

Last September, the Divisional Court held that the power to “inquire into and examine,” interpreted purposively, allowed for compelled observation of surgeries. It stressed that the College’s evidence showed observation is an effective, customary and even necessary process for assessing a health care practitioner’s competence. It held that the grant of power in the Code was unambiguous, so there was no scope for interpreting it narrowly to conform with Charter values that weigh against self-incrimination and unreasonable search.

The Court of Appeal fully endorsed the Divisional Court’s reasoning and made clear that the power to compel observation of surgery applies notwithstanding recent amendments to the Code. Its reasoning stressed that the plain meaning of the words “inquire into and examine” and the purpose of the self-regulatory enactment outweighed any narrowing inference about legislative intent that might be drawn from the other text in the Code. It rejected the appellants’ argument that the Divisional Court erred in failing to consider the entire legislative context, and said, “…it would take clear words to deprive the investigator of powers necessary to carry out this important public interest [in effectively regulating the medical professions].”

Gore v. College of Physicians and Surgeons of Ontario, 2009 ONCA 546. 

Court stays order granting compelled observation of surgery

Yesterday, the Ontario Court of Appeal granted a stay pending appeal of a September 2008 order in which the Divisional Court held that investigators appointed under the Ontario Health Professions Procedural Code have the power to compel observation of surgery conducted by an investigated physician. (Summary here.) The Court of Appeal stay decision indicates the merits of the appeal will be argued on June 10th.

Gore v. College of Physicians and Surgeons of Ontario, 2009 ONCA 294.

Case Report – Information Commissioner can impose confidentiality screen on joint legal retainer

In a judgement dated October 5th of last year, the Federal Court held that the Information Commissioner of Canada acted lawfully in making a confidentiality order that prohibited Crown counsel from sharing information with the Crown that it gained while jointly representing individual Crown servants.

The Crown servants were compelled to give evidence before the Deputy Commissioner in the course of his investigation into an Access to Information Act complaint. Department of Justice counsel accompanied the witnesses and acted as their counsel. In order to preserve the integrity of his investigation, the Deputy Commissioner prohibited the witnesses from disclosing the questions asked, answers given and exhibits used in the examination and prohibited counsel from disclosing the same. The Crown applied for judicial review of the orders, arguing that they interfered with its solicitor-client relationship with Crown counsel.

The Court held that the Information Commissioner has an implicit power to make confidentiality orders and that the potential for a conflict of interest given the witnesses were not high-ranking officials made the Deputy Commissioner’s orders reasonable and necessary in the circumstances. It said:

Counsel for the applicant countered that there is absolutely no factual or evidentiary foundation for the proposition that such a conflict of interest exists or is even likely to come up in the present circumstances, and that the decision and orders are therefore founded on speculation and unsubstantiated assumptions. The only reason that the individuals were subpoenaed by the Deputy Commissioner was on account of their activities on behalf of the Crown. Since they were not examined in their personal capacity but rather in their professional capacity as Crown servants and employees, there can be no conflict of interest in this proceeding between the individuals and the Crown, according to the applicant’s argument.

I must confess that I am somewhat troubled by this automatic and necessary assimilation of the Crown’s and the employees’ interests. As a general rule, I am prepared to concede that it is unlikely the employees’ views with respect to the disclosure of a document will differ from those of the senior management of the Department involved. But the possibility cannot be ruled out entirely, especially when the employees subpoenaed by the Commissioner are not in the higher ranks of the Department but rather at the lower level. Similarly, I can easily envisage situations where there is no conflict at the outset but conflict develops as the questioning proceeds and the investigation unfolds. It is in those kinds of circumstances that employees must have the assurance that they will remain in control of the disclosure of their testimonies notwithstanding the fact that their counsel play a dual role.

I agree with the respondent that the investigatory process would simply be unworkable and profoundly undermined if the Attorney General had a de facto right to attend all hearings simply by providing a counsel to the witnesses compelled to give evidence.

The Court also rejected an argument that the confidentiality orders unjustifiably violated section 2(b) of the Charter.

Canada (Attorney General) v. Canada (Information Commissioner) (F.C.), [2008] F.C.J. No. 1235 (F.C.) (QL).