Three key issues from the Ontario cyber security Expert Panel report

On October 3rd, Ontario’s cyber security Expert Panel issued its report to the Minister of Public and Business Service Delivery, Kaleed Rasheed.

His Honour said, “The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors as well as inform future targeted investments in our cyber capabilities and defences.”

Those recommendations are:

  1. Regarding governance: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.
  2. Regarding education and training: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.
  3. Regarding communication: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.
  4. Regarding shared services: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.

Here are three issues of significance to public sector institutions and their insurers.

FIRST, the governance recommendation contemplates more government oversight, including through “a single oversight body, employing a common operating model [and] clearly establishing accountabilities.”

Institutions require more funding to address cyber security risks. This recommendation is positive because it will lay the necessary groundwork.

As suggested by the Expert Panel, the current relationship between government and institutions is somewhat confused. Government is engaged in an informal kind of oversight that lacks effectiveness and can rightly put institutions on guard because its measures are unclear. Institutions will benefit from clear and simple accountabilities and – did I say it already? – the funding to meet those accountabilities.

SECOND, the communication recommendation encompasses threat information sharing, with the Expert Panel stating, “Ontario should establish a unified critical information sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.”

This is to rectify what the Expert Panel says is the “unidirectional” flow of threat information, which is reported to government but is not yet “broadly shared across the BPS.” Institutions know that government currently craves the early reporting of threat information, but the perceived benefit is still minimal. The Expert Panel recommendation is positive in that it may lead to their receipt of more timely, more enriched threat information.

THIRD, the shared services recommendation addresses the cyber insurance coverage problem now faced by the public sector. The expert panel states:

Ontario should investigate options for establishing a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response, and recovery to which all BPS organizations can subscribe.

There is a form of self-funded cyber coverage available in various parts of the Ontario public sector through insurance reciprocals. This coverage is expanding, and the role of reciprocals is becoming more important now that the insurance market has become so hard. Primary coverage by reciprocals, even if limited in scope, can make secondary coverage more obtainable for public sector institutions.

The “breach coaching” reference above gives me pause, though I understand it to be indicative of how the role of expert legal counsel in incident response was borne out of the cyber insurance market (with the term coined by cyber risk and insurance company NetDiligence, I believe).

Breach coaching is simply expert legal advice by another name. It is funded by cyber insurance for those who have coverage, and insurers have required their insureds to use vetted and approved legal advisors in responding to incidents because they understand the risk mitigating (and cost reducing) value of this specialized legal service. Public sector institutions without coverage bear all the same risks as those with coverage, and without proper advice are at great peril. The need for proper legal advice is one reason why it is so important to solve the public sector coverage problem, though institutions dealing with a major cyber incident should not consider legal advice to be optional.

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

  • A presentation from last month on “the law of information” that I delivered to participants in the Osgoode PDP program on cyber security
  • Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

ABCA decision on defending allegations about privileged communication

On April 12th, the Court of Appeal of Alberta held that a defendant waived solicitor-client privilege by affirmatively pleading that its counsel had no instructions to agree to a time extension for filing a prospectus.

The defendant faced a lawsuit that alleged its counsel gave a time extension and had the actual authority to do so. The majority judges explained that a party faced with such an allegation about a privileged communication can make a bald denial and safely rest on its privilege. The defendant went further, thereby putting its privileged communications in issue.

PetroFrontier Corp v Macquarie Capital Markets Canada Ltd, 2022 ABCA 136 (CanLII).

Where’s that workplace surveillance bill? More thoughts pending its release

It’s Friday at 4:20pm and I don’t see an Ontario workplace surveillance bill yet, so here are a couple more thoughts – one positive, one negative and one neutral.

Positive – Organizations ought to employ “information technology asset management” – a process for governing their network hardware and software. Those organizations with strong asset management practices will have little difficulty identifying how employees are “monitored.” For those who are weak asset managers, the new bill is an invitation to improvement and rooting out unmanaged applications.

Negative – As I said yesterday, the devil will be in the detail, and the scope of the “monitoring” that is regulated will be key. Monitoring must be defined in a way that does not affect non-routine processes – i.e., audits and investigations. Those raise a different kind of privacy concern, and a notification requirement shouldn’t frustrate an organization’s ability to investigate.

Neutral – Organizations typically keep security controls confidential to protect against behavior we call “threat shifting” – the shifting of tactics to circumvent existing, known controls. I’m doubtful the type of disclosure the bill will require will create a security risk, but it’s an issue to consider when we see the text.

Bring on the bill!

Cyber class action claims at an inflection point

Yesterday, I happily gave a good news presentation on cyber claims legal developments to an audience of insurance defence lawyers and professionals at the Canadian Insurance Claims Managers Association – Canadian Independent Adjusters’ Association – Canadian Defence Lawyers joint session.

It was good news because we’ve had some recent case law developments create legal constraints on pursuing various common claims scenarios, namely:

  • The lost computer, bag or other physical receptacle scenario – always most benign, with notification alone unlikely to give rise to compensable harm, a trial judgement looking positively at a one year credit monitoring offer and proof of causation of actual fraud a long shot at best
  • The malicious outsider scenario – for the time being looking like it will not give rise to moral damages that flow from an intentional wrong (though this will be the subject of a Court of Appeal for Ontario hearing soon in Owsianik)
  • The malicious insider scenario – partly addressed by a rather assertive Justice Perell finding in Thompson

We’re far from done yet, but as I say in the slides below, we’re at the early stages of an inflection point. I also give my cynical and protective practical advice – given the provable harms in the above scenarios flow mainly from the act of notification itself, notify based on a very strong analysis of the facts and evidence; never notify because there’s a speculative risk of unauthorized access or theft. Never a bad point to stress.

The union right of access to information

I’ve done a fair deal of enjoyable work on matters relating to a union’s right of access to information – be it under labour law, health and safety law (via union member participation in the health and safety internal responsibility system) or via freedom of information law. Today I had the pleasure of co-presenting to the International Municipal Lawyers Association on the labour law right of access with my colleague from the City of Vaughan, Meghan Ferguson.

Our presentation was about how the labour law right has fared against employee privacy claims. In short, it has fared very well, and arguably better in Ontario than in British Columbia.

I don’t believe the dialogue between labour and management is over yet, however, especially as unions push for greater access at the same time privacy sensitivities are on the rise. The advent of made-in-Ontario privacy legislation could be an impetus for a change, not because it is likely to provide employees with statutory privacy rights as much as because the new legislation could apply directly to unions. So stay tuned, and in the interim please enjoy the slides below.

The current state of FOI

Here is a deck I just put together for The Osgoode Certificate in Privacy & Cybersecurity Law that gives a high-level perspective on the state of FOI, in particular given (a) the free flow of information that can eviscerate practical obscurity and (b) the serious cyber threat that’s facing our public institutions. As I said in the webinar itself, I’m so pleased that Osgoode PDP has integrated an FOI unit into its privacy and cyber program given it is such a driver of core “information law.”

For related content see this short paper, Threat Exchanges and Freedom of Information Legislation, 2019 CanLIIDocs 3716. And here’s a blog post from the archives with some good principled discussion that I refer to – Principles endorsed in Arar secrecy decision.

Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students

I’ve had a long time interest in threat assessment and its application by educational institutions in managing the risk of catastrophic physical violence, though it has been a good ten years since the major advances in Canadian institutional policy. Here is a pointer to a journal article about an apparent new United States trend – automated monitoring of online and social media posts for threat assessment purposes.

Author Amy B. Cyphert starts with an illustrative scenario that’s worth quoting in full:

In 2011, a seventeen-year-old named Mishka, angry that his friends had recently been jumped in a fight, penned a Facebook post full of violence, including saying that his high school was “asking for a [expletive] shooting, or something.” Friends saw the post and alerted school officials, who contacted the police. By the time psychologist Dr. John Van Dreal, who ran the Safety and Risk Management Program for Mishka’s Oregon public school system, arrived, Mishka was in handcuffs. Mishka and his classmates were lucky: their school system employed a risk management program, and Dr. Van Dreal was able to help talk with Mishka about what caused him to write the post. Realizing that Mishka had no intention of harming anyone, Dr. Van Dreal helped Mishka avoid being charged with a criminal offense. Dr. Van Dreal also arranged for him to attend a smaller school, where he found mentors, graduated on time, and is today a twenty-five-year-old working for a security firm.

Had Mishka’s story happened today, just eight short years later, it might have looked very different. First, instead of his friends noticing his troubled Facebook post and alerting his school, it might have been flagged by a machine learning algorithm developed by a software company that Mishka’s school paid tens of thousands of dollars to per year. Although Mishka’s post was clearly alarming and made obvious mention of possible violence, a post flagged by the algorithm might be seemingly innocuous and yet still contain terms or features that the algorithm had determined are statistically correlated with a higher likelihood of violence. An alert would be sent to school officials, though the algorithm would not necessarily explain what features about the post triggered it. Dr. Van Dreal and the risk management program? They might have been cut in order to pay for the third-party monitoring conducted by the software company. A school official would be left to decide whether Mishka’s post warranted some form of school discipline, or even a referral to the authorities.

Cyphert raises good questions about the problem of bias associated with algorithmic identification and about the impact of monitoring and identification on student expression, privacy and equality rights.

My views are quite simple.

I set aside algorithmic bias as a fundamental concern because the baseline (traditional threat assessment) is not devoid of its own problems of bias; technology could, at least in theory, lead to more fair and accurate assessments.

I also put my main concern on the matter of efficacy. Nobody disputes that schools and higher education institutions should passively receive threat reports from community members. My questions: Has the accepted form of surveillance failed? What is the risk that passive surveillance will fail? How will it fail? To what degree? Does that risk call for a more aggressive, active monitoring solution? Is there an active monitoring solution that is likely to be effective, accounting for concerns about bias?

If active internet monitoring cannot be shown to be reasonably necessary, however serious the problem of catastrophic physical violence, I question whether it can be either legally justifiable or required in order to meet the standard of care. Canadian schools and institutions that adopt new threat surveillance technology because it may be of benefit, without asking the critical questions above, may invite a new standard of care with tenuous underpinnings.

Cyphert, Amy B. (2020). “Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students,” Nevada Law Journal, Vol. 20, Iss. 2, Article 4.
Available at: https://scholars.law.unlv.edu/nlj/vol20/iss2/4

BCCA denies access to total costs spent on a litigation matter

On August 21st, the Court of Appeal for British Columbia held that a requester had not rebutted the presumption of privilege that applied to the total amount spent by government in an ongoing legal dispute.

The Court first held that the presumptive privilege for total legal costs recognized by the Supreme Court of Canada in Maranda v Richer applies in the civil context. Then, in finding the requester had not rebutted the privilege, the Court engaged in detailed discussion about how the timing of the request and the surrounding context will weigh in the analysis.

The Court’s analysis is as complex as it is lengthy. Ultimately, the outcome rested most heavily on (a) the timing of the request (early into trial), (b) the identity of the requester (who was a party) and (c) the degree of information about the matter available to the public (which was high). The Court felt these factors supported the making of strong enough inferences about confidential solicitor-client communications that sustaining privilege was warranted.

More generally, the decision stresses the presumption of privilege and the associated onus of proof. Despite Maranda, it is easy to think that total legal fees spent on a matter are accessible subject to the privilege holder’s burden of justification. Precisely the opposite is true.

British Columbia (Attorney General) v. Canadian Constitution Foundation, 2020 BCCA 238 (CanLII).

Arbitration board dismisses spoliation motion

On May 6th, the Ontario Grievance Settlement Board dismissed a union motion for the ultimate spoliation remedy – granting of a grievance based on an abuse of process.

The Union made its motion in a seemingly hard fought discipline and discharge case. The Union’s pursuit of electronically stored information “to review the life cycle of certain documents that were exhibits in order to test the integrity and reliability of the documents” began after the employer had put its case in through 40 days of witness testimony. The ESI motion itself took 13 days, and at some point the employer agreed to conduct a forensic examination of certain data. Unfortunately, just before it was about to pull the data, three computers were wiped as part of a routine hardware renewal process. Ooops.

Based on two more hearing days the Board held the destruction of the data was inadvertent and not even negligent. Arbitrator Petryshen said:

It is not surprising that the Employer or FIT did not arrange for the imaging of the three bailiff computers prior to September of 2017 because no one considered that there was a risk of losing that data. Although management at the OTO unit and FIT knew that government computers were replaced every four years, it was reasonable for OTO management to expect that they would be notified when the computers in the OTO unit were about to be refreshed.

Although this is quite forgiving, Arbitrator Petryshen’s finding that “the granting of grievances due to a loss of potentially relevant documents is an extraordinary remedy” is quite consistent with the prevailing law. In 2006, the Court of Appeal for Ontario quashed an arbitration award that allowed a grievance based on an employer’s inadvertent destruction of relevant evidence, and the Court of Appeal for Alberta’s leading decision in Black & Decker says that even negligent destruction of relevant evidence will not amount to an abuse of process.

Ontario Public Service Employees Union (Pacheco) v Ontario (Solicitor General), 2020 CanLII 38999 (ON GSB).