Internal investigations and the cloud at ACFI fraud conference

I presented today on the topic of internal investigations and the cloud at the annual Association of Certified Forensic Investigators of Canada fraud conference.

The issue: outsourcing business IT systems to the cloud may impede access to information for audit and investigatory purposes. Data security is front and center in most outsourcings, but audit and investigation capability is also a key concern and is subject to unique requirements. Business owners should recognize that security and audit departments are likely stakeholders in most outsourcing projects and support the best possible needs analysis and requirements definition process.

Here are my slides:

 

Here are some related resources, including some data security resources that came up in discussion.

Finally, here’s a link to my comment on the recent Calgary Police Service case, which I used as an intro to a segment on handling an evidence trail that leads to an employee’s personal cloud-based account.

I hope this content helps you approach a pressing issue for internal investigators.

Employer access to personal e-mail case demonstrates need for internal controls on IT searches

Employers who are regulated by privacy legislation need to reckon with privacy commissioner oversight in conducting searches of their work systems for evidence of misconduct. This is the clear lesson from the recent and much-discussed Calgary Police Service order of the Alberta OIPC that dealt with the service’s unauthorized access to an employee’s personal e-mail account.

The facts are simple. The service embarked on an internal sexual misconduct investigation that included a review of an employee’s work e-mail account. It conducted a search for the word “password” as a matter of protocol because the sending and receiving of passwords through e-mail is indicative of a number of common IT security problems. The service found a message to an outsider containing the employee’s password to her personal e-mail account, a communication the service said “seemed odd.” Given the employee had also sent “snippets” of confidential service records to others internally, the service accessed the personal account on a theory that the employee was leaking confidential information through the personal e-mail account. It happened to find evidence of work-related sexual misconduct and used it to discipline the employee. The employee later complained to the OIPC under Alberta’s public sector privacy legislation.

The OIPC was not impressed with the service’s professed basis for using the password to access the employee’s personal account, particularly given the investigator had no mandate to determine whether the employee had committed a breach of confidence. It upheld the employee’s complaint.

The result is no surprise. Taking a step in an investigation as intrusive as gaining unauthorized access to a personal e-mail account based significantly on the discovery of a communication that “seemed odd” is problematic. The record shows that the service was clearly on a fishing expedition, and despite the OIPC’s finding, its approach still signals respect for management’s right to investigate. The OIPC says, for example, “It might be policy for IT to check for data leakage whenever a Public Body employee is being investigated for inappropriate email or computer use, but this cannot extend, without cause, to an employee’s personal email account.”

The simple lesson from the case for employers who are subject to employment privacy regulation – far from all employers – is to develop and implement controls to structure the process of searching work systems for evidence of misconduct. Who authorizes a search? What’s the scope? What routine searches should be conducted? What should the investigator do if he or she finds evidence of wrongdoing that is out of scope? Who is responsible for securing evidence and how? Organizations should have clear answers to these questions before embarking on an IT search.

Order F2012-07 (April 30, 2012).

ABCA divided on application of Charter to university disciplinary proceedings

Yesterday the Alberta Court of Appeal rendered a significant decision about whether a university is obligated to consider students’ Charter rights in disciplinary proceedings.

This case involved University of Calgary students found guilty of non-academic misconduct in disciplinary proceedings for posting criticisms of a course and its instructor on Facebook. The Court unanimously upheld that part of a judicial review decision which found that the students should not have been found guilty of non-academic misconduct. However, the Court was sharply divided on whether the Charter would apply to this case. Paperny J.A. found that the Charter applied to the disciplinary proceedings undertaken by the University and that a review committee had failed to take into account the students’ freedom of expression right as protected by the Charter. She rejected the University’s argument that “the application of the Charter in these circumstances undermines the University’s academic freedom or institutional autonomy,” finding that academic freedom and freedom of expression are not competing values. McDonald J.A. found that while it may be time to reconsider whether or not universities are subject to the Charter, the judicial review court erred in undertaking such an analysis in this particular case. O’Ferrall J.A. found that the issue here was not whether the university was a “Charter-free zone,” but whether the university’s disciplinary body ought to have considered whether its discipline violated the students’ right to their freedoms of expression and association, freedoms which long pre-dated the Charter.

More to come on this decision in a while.

Pridgen v. University of Calgary, 2012 ABCA 139

ABCA modifies spoliation remedy, preserves sanction

On March 7th, the Alberta Court of Queen’s Bench found a departed employee in contempt for counseling a contact to destroy evidence for the purpose of interfering with the administration of justice. The Court ordered the employee:

  • to produce any and all computers and electronic media in his possession, power or control, for a forensic review to be conducted by a computer expert retained by the plaintiffs;
  • to pay for the review and post $30,000 in security for costs; and
  • to pay the costs of the contempt motion on a full indemnity basis.

Yesterday the Court of Appeal for Alberta varied the order because it was not well-proportioned. It explained:

As a remedy for the contempt, the chambers judge ordered that the individual appellant pay the cost of the application on a full indemnity basis. While acknowledging that “in the present case no information has been lost”, he nevertheless ordered a full computer forensic investigation. The chambers judge speculated that “it is unclear what else may have been deleted”. The contempt application was based entirely on the efforts to delete the HSE Manual. No allegation was made of the destruction of any other document, nor is there any evidence of any other destruction. Embarking on an expensive fishing expedition at this stage of the litigation is unwarranted. Should the discovery process produce evidence of other problems, further applications for relief can be brought.

Despite allowing the appeal in part, the Court ordered the appellant to pay the full costs of the appeal “to ensure an effective sanction.”

Fuller Western Rubber Linings Ltd. v Spence Corrosion Services Ltd., 2012 ABCA 137 (CanLII).

Sale of business to proceed under the cover of a PIPEDA exemption order

On April 26th the Ontario Superior Court of Justice issued an order under section 7(3)(c) of the Personal Information Protection and Electronic Documents Act to allow two credit unions to merge without gaining the express consent of members. It’s not clear that such an order is actually authorized by PIPEDA (and the applicants don’t appear to have given notice to members), but Justice Lauwers listed a number of Ontario commercial list matters in which such permissive orders have been made. He echoed comments made by Justice Farley in “urging that a route be provided that will permit the disclosure of the necessary personal information in such circumstances as these to avoid wasting the court’s time and the parties’ funds.” Bill C-12 received first reading way back last September and will add a “business transaction” exemption to PIPEDA. Its time is obviously overdue!

In the Matter of an Application Under Rules 14.05(3)(d), 2012 ONSC 2530 (CanLII).

Alberta CA uses cyber-picketing case to raise fundamental doubts about scope of privacy regulation

The Alberta Court of Appeal dropped a bomb on April 30th by raising extremely broad questions about the constitutionality of Alberta’s commercial sector privacy statute in disposing of a dispute about the right of a union to take images of people who cross a picket line.

Last September the Alberta Court of Queen’s Bench held that the Alberta Personal Information Protection Act violated the right of expression guaranteed by section 2(b) of the Charter because it was disproportionate in restricting unions from engaging in “union journalism” relating to labour disputes and picket lines. The Court’s focus was relatively narrow though, and its Charter-based order focused on the breadth of a scope provision meant to protect journalistic activity and an exclusion for publicly available information.

The Court of Appeal first re-framed the expressive interest at stake as related to labour relations and not journalism. It then held that the statute interfered with this interest in a manner that could not be justified in a free and democratic society.

The Court’s proportionality analysis is remarkable in its breadth. It weighs the purpose of Alberta PIPA – protecting reasonable expectations of privacy, protecting expectations that one can control one’s own image and personal information and limiting the misuse of personal information – against the right of free expression in general. The Court says:

There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:

  • It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.
  • The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.
  • The definition of “publicly available information” is artificially narrow.
  • There is no general exemption for information collected and used for free expression.
  • There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator’s order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights.

Regarding remedy, the Court issued a declaration that the restrictive order at issue was unconstitutional and invited the Alberta legislature to “decide what amendments are required to the Act in order to bring it in line with the Charter.”

Look for a leave to appeal application in which the Alberta Commissioner is joined by her counterparts from other provinces at the leave to appeal stage.

United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII).

FCA affirms order to provide home contact information to bargaining agent

On March 16th the Federal Court of Appeal affirmed a Public Service Labour Relations Board order that requires the Canada Revenue Agency to provide the Professional Institute of the Public Service of Canada (a trade union) with the home address and telephone numbers of its bargaining unit members on a quarterly basis.

The order under review was re-issued by the Board after being quashed in 2010 because the Board had simply blessed the parties’ consent order without considering the privacy interests of affected parties. In re-issuing the order (with some newly-imposed security features), the Board held that the disclosure did not breach the federal Privacy Act because CRA’s purpose for obtaining home contact information (contacting employees about the terms and conditions of their employment) was consistent with the use for which PIPSC would use it (discharging its statutory duties as bargaining agent by contacting employees about employment-related matters). The applicant sought review before the Federal Court of Appeal.

The Court of Appeal’s disposition is unremarkable, and turns mainly on the standard of review and other technical matters.

Bernard v. Canada (Attorney General), 2012 FCA 92.

BC case illustrates when sending a preservation letter to opposing counsel really matters

Sending preservation letters to opposing counsel can be quite a useless exercise when done as a matter of routine. A March 20th decision of the British Columbia Supreme Court illustrates when a hold letter can serve a critical purpose. It also illustrates how a party’s duty to preserve evidence that is likely to be relevant in foreseeable litigation can weigh heavily in favor of allowing an adversary to inspect evidence where no direct duty to allow for such an inspection exists.

The facts are simple. A fire started on the defendant’s premises and spread to the plaintiff’s premises. The defendant denied the plaintiff’s insurer access to its premises, which led the plaintiff’s insurer to write. The insurer said that it would likely bring a subrogated claim and that the defendant should preserve all physical and other evidence. This left the defendant with an option to allow the requested inspection or stop cleaning the damaged property and debris. It did neither.

The plaintiff raised a spoliation claim in the context of a production dispute. It claimed that privilege in certain communications should be waived in the interests of justice on account of the defendant’s spoliation. Master Baker of the BCSC agreed.

Hat tip to Seva Batkin of the B.C. Business Litigation Blawg for this one. Seva’s post on the case is here.

Brown v. Wilkinson, 2012 BCSC 398 (CanLII).

BCCA splits on privilege given to lawyers’ trust account ledgers

On March 27th, the Court of Appeal for British Columbia split on whether lawyers’ trust account ledgers are presumptively subject to solicitor-client privilege.

Mr. Justice Smith dissented. He held that, in Maranda v. Richer, the Supreme Court of Canada held that “all information arising out of solicitor-client relationships whatever may be their legal context” is presumptively privileged. Facts are not privileged, but Smith J.A. explained that the Supreme Court adopted a broad and protective rule for records related to the solicitor-client relationship because solicitor-client privilege is so important and because “it is difficult to segregate single professional acts from the complex of facts, events, and communications that characterizes ongoing solicitor-client relationship.”

Mr. Justice Chiasson (Madam Justice Newbury concurring) held that Maranda was about a search for lawyer fee accounts in the course of a law enforcement investigation and could not be applied directly to a dispute about the production of trust account ledgers in the civil context. Trust accounts, according to the majority, “generally record facts.” Therefore, the party claiming privilege over trust account ledgers must establish that the entries claimed “arise out of the solicitor-client relationship and what transpired within it” to establish a rebuttable claim. In applying this test, the majority held that some entries met this test and others related strictly to a real estate transaction and did not.

The Court also unanimously rejected application of the crime and fraud exception to solicitor-client privilege in the circumstances and made comment on the procedure for hearing privilege claims in a manner that protects privilege but is also fair and transparent.

Donell v. GJB Enterprises Inc., 2012 BCCA 135.

British Columbia OIPC beats bold challenge to jurisdiction to adjudicate privilege claims

On March 23rd, the Supreme Court of British Columbia held that the British Columbia Freedom of Information and Protection of Privacy Act empowers the British Columbia OIPC to adjudicate questions of solicitor-client privilege for the purpose of determining whether government records are exempt from the right of public access.

In rendering this jurisdictional decision, the Court stressed that the OIPC has the power to adjudicate, including the power to “decide all questions of fact and law arising in the course of an inquiry.” It also rejected an argument that the legislature could not have intended a “lay tribunal” to adjudicate privilege claims and an argument that the OIPC’s power to report information about offences to the Attorney General weighed against a power to adjudicate on privilege.

In the end, the Court held that the OIPC erred in rejecting part of the institution’s privilege claim because the institution had not adduced any evidence to establish that certain records were privileged. The request was for records about the expenditure of legal fees. The Court held that the responsiveness of the records was sufficient to create a rebuttable presumption of privilege.

School District No. 49 (Central Coast) v. British Columbia (Information and Privacy Commissioner), 2012 BCSC 427 (CanLII).