Case Report – BCCA says implied undertaking rule does not have a necessary disclosure component

On September 10th, the British Columbia Court of Appeal dismissed an application for leave to appeal in a novel application for contempt based on an alleged breach of the implied undertaking rule.

The plaintiffs alleged that the Insurance Corporation of British Columbia unnecessarily disclosed information obtained through discovery in materials served on third parties in support of a production order. They relied on an ICBC internal policy that recommended (in part) that such information only be disclosed in third-party production motion materials as “absolutely necessary.” The application was dismissed and the Court of Appeal dismissed the application for leave to appeal, holding that the appeal was not prima facie meritorious.

The Court of Appeal quoted the following passage from the application judge’s decision:

It is a matter of judgment to be exercised by counsel what information obtained by parties through the litigation discovery process needs to be disclosed to non parties in furtherance of the litigation in which that information has been obtained.

Any court-imposed constraint on that judgment is antithetical to the underlying rationale of court compelled disclosure, with its necessary intrusion on a litigant’s general right to privacy. That rationale is the need to do justice between the parties.

Implicit in the law and Rules governing disclosure is the proposition that justice between the parties is best assured when disclosure of all relevant evidence from whatever source may be compelled by the court, subject to claims of privilege.

Imposition of constraints on the parties’ use of information obtained through the discovery process in the litigation in which it is obtained, by expanding the scope of the implied undertaking, could inhibit counsel in their investigation of the case and undermine the rationale for court compelled disclosure.

***

The law delineating the scope of the implied undertaking of confidentiality respecting use of information obtained through the litigation discovery process draws a bright line. Use of that information within the litigation is permitted use. Use outside the litigation for an “alien” or “collateral” purpose is not permitted without the consent of the affected party or an order of the court.

That bright line tends to expedite litigation, which is the goal of all recent reforms of civil litigation procedure in various jurisdictions. An obscure line would tend to promote procedural controversy, which is antithetical to that goal. The current bright line sacrifices litigants’ privacy for more procedural certainty. Its ultimate goal is to achieve a just result in the litigation.

The plaintiffs’ applications seek to have the court impose the policy reflected in s. 8.3.2 of the Manual as a constraint on the use of information obtained through the litigation discovery process within the litigation. If the court were to impose that policy by expanding the scope of the implied undertaking of confidentiality to limit use of information obtained through the litigation discovery process within the litigation in which it was obtained, the bright line would become an obscure line. There is no precedent for imposing such a policy. For the reasons stated, I decline to do so.

Jampolsky v. Shattler, 2007 BCCA 439.

Case Report – Another data breach claim dismissed

An American court has dismissed another data breach claim because the plaintiffs did not allege any damage other than the cost of obtaining credit monitoring services.

The plaintiffs provided their personal information to the defendant, a bank, in an online application for services. Their information was hosted by a third party and was subject to a malicious hacking attack in 2005. The Seventh Circuit upheld the bank’s motion to dismiss based on the inadequacy of the plaintiffs’ pleadings. It made the following comment on the recent court decisions that weigh against recovery of credit monitoring costs borne as a result of a data breach:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

The outcome and reasoning in this case are similar to those in Kahle v. Litton Loan Servicing LP, discussed here.

Pisciotta v. Old National Bancorp (23 August 2007, 7th Cir.).

Good article on hash values

Ralph Losey is a Florida litigator who publishes a blog called “E-Discovery Team.” He’s published an article called “HASH: The New Bates Stamp.” You can download a copy, originally published in the June 2007 edition of the Journal of Technology Law & Policy, here. Mr. Losey explains what hash values are and how they are used in litigation, and proposes that a file naming protocol featuring truncated hash values should replace the Bates numbering convention. It’s a clearly written, well-thought-out and compelling article. Thank you!

Virginia Tech – Information graphic and a personal thought

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

Some comments on the Virginia Tech state report

As promised, here are some comments on the privacy-related aspects of the Virginia Tech state report. I’ve split this post into a part on legal issues and a part on policy issues.

Legal Issues – With no golden rule, strong policy should guide

Not all risks can be effectively mitigated by detailed policy, but given the need for decentralized decision-making about the sharing of information and the apparent inaccessibility of privacy legislation to laypersons, the student-at-risk/catastrophic violence challenge is clearly one that should be addressed through the promulgation of good policy.

Here’s a key quote from the report:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option—even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Following this theme, the report runs through a number of disclosures in the Virginia Tech case that could have been made, were not, but would have been permitted under applicable state and federal privacy laws.

Similar to the situation in Ontario (where I practice), in Virginia there’s no single “golden rule” or simplifying model to help teachers, administrators and student volunteers figure out what information can be shared about a student at risk, with whom and under what circumstances. Rather, there are a number of different rules – disclosure “exceptions” to be slightly more precise. These exceptions apply indirectly to the scenarios that commonly confront individuals in university and college communities.

In Ontario, for example, when teachers learn of disturbing behavior in the course of teaching, the legality of reporting that behavior to a case management team is ordinarily governed by the “need to know” rule or exception – i.e. the report is lawful if “necessary and proper in the discharge of the institution’s functions.” While this language may allow a lawyer to interpret whether a disclosure is permissible based on a set of facts, without specific guidance on what to do when a student demonstrates objectively threatening behavior, how’s a teacher to know whether reporting the behavior is permissible?

Post-secondary educational institutions must have systems in place that encourage the exercise of sound judgement and due diligence. Enabling the reporting of information about certain student behaviors through policy so these systems can function on complete and valid information is critical to their effectiveness.

Policy Issues – Parental disclosures and safe harbour provisions

I’d like to identify two good policy issues raised by the report, one for consideration by schools and another for consideration by government.

Issue 1: Should post-secondary educational institutions pursue a policy of sharing information about adult students at risk with their parents?

Consistent with the United States Department of Education’s philosophy on parental involvement, the state report clearly favours information sharing with parents:

During his formative years, Cho’s parents worked with Fairfax County school officials, counselors, and outside mental health professionals to respond to episodes of unusual behavior. Cho’s parents told the panel that had they been aware of his behavioral problems and the concerns of Virginia Tech police and educators about these problems, they would again have become involved in seeking treatment.

I’m not sure what Canadian post-secondary institutions will want to do with this. Is it reasonable to assume that all parental relationships will be supportive? How will institutions know if there is a benefit to the disclosure? If the decision to share information with parents is discretionary, what factors should inform the exercise of discretion? To what extent should schools rely on a disclosure to parents as a complete discharge of their duty of care (assuming such a duty exists)?

Issue 2: Should governments enact new exemptions to allow for disclosures made in a good faith belief that they are necessary for protecting health and safety?

The state report recommends this type of “safe harbour” exemption as a means of cutting through the confusion about how existing and general privacy exemptions apply to the health and safety problem illustrated by Virginia Tech. It states:

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

The current health and safety exemptions in Ontario’s public sector privacy and health privacy statutes are objective standards that are based on a “serious harm” threshold. Short of this relatively high threshold, disclosures are only permitted under other more general exemptions like the “need to know” exemption noted above (which applies only to internal disclosures) or the similarly-obscure “consistent purpose” or “law enforcement” exemptions. Would acceptance of the safe harbour proposal lead to an appropriate clarification of the law? Is it important that privacy legislation be made accessible to laypeople? Will this type of amendment harm the integrity of the legislation?

***

I’m just scratching the surface with these comments, but hope they provoke some good thought amongst those who are interested in this subject. It’s a sad one, but I like the privacy-related ideas that have been raised following the shootings because they are simple, compelling and important. Look for more posts on campus security and privacy in the future.

Case Report – Implementation of biometric timekeeping system upheld

On August 7th, Arbitrator David Murray dismissed a grievance that challenged the implementation of a biometric timekeeping system. According to Mr. Murray, when an employer proves the general superiority of a new technology, the standard for invasiveness that would justify restricting its implementation is high. He said:

The union grounded its case squarely on the claim that Kronos violated the management rights clause of the collective agreement. No evidence was brought that it did. Instead the union pointed out that the evidence of Erskine could be interpreted to justify the view that if there was anything wrong with the old ITR system (and the union said, correctly, there had been no evidence of time stealing or buddy punching) it could be rectified with a system less technologically advanced than Kronos. That line of reasoning is not only not persuasive, it is positively Luddite. If the employer believed that Kronos was state-of-the-art and met its needs why should it have to put up with second best absent any evidence that employees’ rights were being infringed? If the opportunity had existed who would not want to move from the Age of Sail to the Age of Flight without going through the Age of Steam first?

Arbitrator Murray was very critical of Arbitrator Timms’ IKO Industries award, in which she allowed a grievance challenging the same timekeeping system.

Re Good Humour – Breyers and United Food & Commercial Workers Union, Local 175, [2007] O.L.A.A. No. 406 (Murray) (QL).

State report on Virginia Tech released

The state panel struck by Virginia Governor Tim Kaine released its report on the April shootings yesterday. Once again, the report has some strong comments on the need for information-sharing, at one point stating, “Information privacy laws cannot help students if the law allows sharing, but agency policy or practice forbids necessary sharing.”

At this point I have only scanned the report and read the summary, but may post a comment after reading the (lengthy) report in full.

See the University’s internal “Interface” report here and the special report to the President of the United States here. I’ve posted about the incident here and written about it here.

One to watch – Implied undertaking case at the SCC

A significant case on the implied undertaking rule (or deemed undertaking rule, as it may be) is being heard at the Supreme Court of Canada on November 16th.

In Doucette v. Wee Watch Day Care Systems Inc., 2006 BCCA 2662 the British Columbia Court of Appeal held that a party obtaining information in the discovery process can make a bona fide report of criminal conduct to the police without seeking court approval.

The underlying action was a negligence claim against a day care and day care worker which was filed after a child suffered a seizure while under care. The police investigation was ongoing, but the police had not yet laid charges by the time the day care worker’s examination for discovery was scheduled. The day care worker filed a motion to request an express restriction on disclosure of her transcript and the Attorney-General brought a competing motion seeking to vary the implied undertaking to allow disclosure of the discovery transcript to the police. The trial judge held that both motions were premature but declared that the A-G and the police were under an obligation not to cause the parties to violate their undertakings without the day care worker’s consent or leave of the court.

The Court of Appeal acknowledged an exception to the undertaking when disclosure is necessary to prevent serious and imminent harm and then went further to permit disclosure without court approval in non-exigent circumstances:

The conclusion reached by the chambers judge is thoughtful and practical. It does not, however, contemplate the circumstance in which neither party has an interest in or is willing to seek court ordered relief from the disclosure of information under the undertaking or otherwise. Nor does it contemplate non-exigent circumstances of disclosed criminal conduct. It is easy to imagine a situation in which criminal conduct is disclosed in the discovery process, but no one apprehends that immediate harm is likely to result. Nevertheless, if an application to court is required before a party may disclose the alleged conduct, the perpetrator of the crime may be notified of the disclosure and afforded the opportunity to destroy or hide evidence or otherwise conceal his or her involvement in the alleged crime.

In my opinion, the scope of the undertaking must be fashioned in a manner that accommodates these and other eventualities. I conclude that the implied undertaking of confidentiality rule is as stated in Hunt: a party obtaining production of documents or transcriptions of oral examination of discovery is under a general obligation, in most cases, to keep such document confidential. A party seeking to use the discovery evidence other than in the proceedings in which it is produced must obtain the permission of the disclosing party or leave of the court. However, the obligation of confidentiality does not extend to bona fide disclosure of criminal conduct. On the other hand, non-bona fide disclosure of alleged criminal conduct would attract serious civil sanctions for contempt.

The focus of the inquiry is on the use to which the evidence is to be made. A party is limited in the manner in which it can use the discovery evidence as I have indicated above. A non-party, such as the police, who obtains the discovery evidence by lawful means (such as by search warrant) is not prevented from using the evidence to further an investigation. Whether the evidence can be used in a subsequent criminal proceeding is a matter to be considered by the criminal court.

In Ontario the issue is governed by Rule 30.1.01(8) but the analysis is the same. In fact, the Court considered the limited Ontario jurisprudence on the issue and held, to the extent the Ontario jurisprudence favoured a rigorous deemed undertaking rule over the protection of the public interest in the detection and prosecution of crimes, the Ontario jurisprudence should not be followed. See in particular: Linchris Homes Ltd. (1990), 1 O.R. (3d) (G.D.), Perrin v. Beninger, 2004 CanLII 18347 (Ont. S.C.J.) and Klassen v. College of Physicians and Surgeons of Ontario, [2002] O.J. No. 4055 (S.C.J.).

This is truly one to watch.

Alex Cameron of the On the Identity Trail project recently wrote a good article on the related issue of privacy and litigation at blog-on-nymity. It’s available here.

The Hicks Post – Data breach low hanging fruit

Paul Broad and I posted our fall edition of the Hicks Morley Information and Privacy Post today. It’s available here. In addition to some brief commentary on “data breach low hanging fruit,” we’ve included summaries of cases that we’ve reviewed since publishing our spring edition. The top draws in our current edition:

  • The Divisional Court’s FOI decision on the anonymization of databases and whether replacing a unique identifier (that is also personal information) creates a new record
  • The Ontario Court of Appeal’s finding that the public interest override in Ontario’s FOI legislation is unconstitutional and its reading-in remedy
  • A decision by labour arbitrator Paula Knopf on a challenge to an employer’s short term disability administration practices
  • The latest Ontario decision in the recent flare-up in drug testing litigation, a decision by labour arbitrator Jane Devlin
  • A June 27th American e-discovery case that illustrates how not to manage a complex e-discovery project

Please check out the Post. Hope you enjoy!

Recent appeal court decisions illustrate wisdom of reasonable restrictive covenants

The Ontario Court of Appeal issued a short endorsement in Crystal Tile and Marble Ltd. v. Dixie Marble & Granite Inc. on August 20th, upholding a judgment that dismissed a claim against a high-performing ex-salesperson. Presumably the salesperson was not bound by a restrictive covenant because the claim was based on an alleged breach of fiduciary duty and breach of confidence. The Court endorsed the following passage from the trial judgment:

The fact that the business decision to rely so heavily on Mr. Miskiewicz may have turned out to be a less than prudent one is not sufficient to brand Mr. Miskiewicz as a fiduciary when the other hallmarks of a fiduciary relationship, such as the power to make or influence management decisions or set corporate policy, are absent. To find otherwise would mean that every salesperson, regardless of his or her position or authority in the business, would have a fiduciary duty simply because of his or her success in sales.

This comment is reminiscent of those made recently in Imperial Sheet Metal Ltd. v. Landry and Gray Metal Products, a decision of the New Brunswick Court of Appeal. The Court held that cases (including some leading Ontario cases) that find salespeople to be fiduciaries based on a vulnerability arising from exposure to customers are wrong: “too many employees of ‘humble origin’ are being swept into fiduciary net.” It also held that knowledge of customer needs and preferences generally does not have the quality of confidence necessary to found an action for breach of confidence.

These cases are significant for their denouncement of the case commonly made against departing salespersons who are not bound by restrictive covenants. They’re reason for employers to carefully consider bargaining reasonable restrictive covenants at the outset of the employment relationship.