The Hicks Post – Data breach low hanging fruit

Paul Broad and I posted our fall edition of the Hicks Morley Information and Privacy Post today. It’s available here. In addition to some brief commentary on “data breach low hanging fruit,” we’ve included summaries of cases that we’ve reviewed since publishing our spring edition. The top draws in our current edition:

  • The Divisional Court’s FOI decision on the anonymization of databases and whether replacing a unique identifier (that is also personal information) creates a new record
  • The Ontario Court of Appeal’s finding that the public interest override in Ontario’s FOI legislation is unconstitutional and its reading-in remedy
  • A decision by labour arbitrator Paula Knopf on a challenge to an employer’s short term disability administration practices
  • The latest Ontario decision in the recent flare-up in drug testing litigation, a decision by labour arbitrator Jane Devlin
  • A June 27th American e-discovery case that illustrates how not to manage a complex e-discovery project

Please check out the Post. Hope you enjoy!

Recent appeal court decisions illustrate wisdom of reasonable restrictive covenants

The Ontario Court of Appeal issued a short endorsement in Crystal Tile and Marble Ltd. v. Dixie Marble & Granite Inc. on August 20th, upholding a judgment that dismissed a claim against a high-performing ex-salesperson. Presumably the salesperson was not bound by a restrictive covenant because the claim was based on an alleged breach of fiduciary duty and breach of confidence. The Court endorsed the following passage from the trial judgment:

The fact that the business decision to rely so heavily on Mr. Miskiewicz may have turned out to be a less than prudent one is not sufficient to brand Mr. Miskiewicz as a fiduciary when the other hallmarks of a fiduciary relationship, such as the power to make or influence management decisions or set corporate policy, are absent. To find otherwise would mean that every salesperson, regardless of his or her position or authority in the business, would have a fiduciary duty simply because of his or her success in sales.

This comment is reminiscent of those made recently in Imperial Sheet Metal Ltd. v. Landry and Gray Metal Products, a decision of the New Brunswick Court of Appeal. The Court held that cases (including some leading Ontario cases) that find salespeople to be fiduciaries based on a vulnerability arising from exposure to customers are wrong: “too many employees of ‘humble origin’ are being swept into fiduciary net.” It also held that knowledge of customer needs and preferences generally does not have the quality of confidence necessary to found an action for breach of confidence.

These cases are significant for their denouncement of the case commonly made against departing salespersons who are not bound by restrictive covenants. They are a reason for employers to carefully consider bargaining reasonable restrictive covenants at the outset of the employment relationship.

E-mail surveillance and constructive knowledge (Part 3)

This is a continuation of two earlier posts, one that spoke about an employer’s duty to maintain a harassment-free workplace as justification for routine e-mail surveillance and another that highlighted the different position that a post-secondary educational institution is in, at least vis-a-vis institutionally-administered e-mail accounts.

The United States v. Heckenkamp decision of this April is another illustration of how employers and post-secondary educational institutions are different. In it, the United States Court of Appeals for the Ninth Circuit held that a state university violated a student’s expectation of privacy by conducting a remote search of his own computer (connected to the university’s network from his dorm room) in an attempt to prevent an attack on its network. Despite this finding, the Court nonetheless held the evidence obtained was admissible in the student’s criminal trial under the American “special needs” doctrine.

I won’t comment directly on the case, but encourage you to read this good editorial by the Stanford Law School Center for Internet and Society’s Jennifer Granick. Ms. Granick focusses her critique on the Court’s application of the “special needs” exception (appropriately, as it determined the outcome of Mr. Heckenkamp’s case). She chooses not to address the subtle implication in the case that the university could have diminished Mr. Heckenkamp’s expectation of privacy, by promulgating a more strongly-worded network access policy:

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that “[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state.” When examined in their entirety, university policies do not eliminate Heckenkamp’s expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university’s systems. Therefore, we must reject the government’s contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.

This raises some interesting questions given that a post-secondary institution has a relationship with its student users that’s much like a relationship between a commercial internet service provider and its customers. Would a commercial ISP have felt compelled to search Mr. Heckenkamp’s computer to protect its network? Would privacy legislation permit a commercial ISP to impose a condition of service that allowed it to conduct such a search? Are guarantees of academic freedom a reason for post-secondary institutions to be even more cautious than a commercial ISP in promulgating search-friendly network access policies?

These are all important questions. Of course, employers are in a different position than commercial ISPs and post-secondary institutions because they can establish policy to restrict employees from connecting their own computers to their networks. To the extent employers choose to depart from this ideal (by allowing employees to remotely access their networks from their own computers, for example), they open up a world of risks, one of which is well-illustrated by Heckenkamp.

Thanks goes to my colleague Paul Broad of our privacy group for his great input on this post.

Virginia Tech internal reports released

As I’ve posted about here and written about here, the Virginia Tech shooting has served as a good discussion point for how a post-secondary institution’s duty to maintain a safe campus environment should be balanced against its duty to respect student privacy. Yesterday the University released reports from three internal committees struck shortly after the incident to examine the strengths and weaknesses of its systems. One of the reports, that of the school’s “Interface Group,” examines the security/privacy balance and echoes some of the thoughts about the need for information sharing that were first expressed in the special report made to President Bush on June 13, 2007. For a flavour, here’s one of the internal group’s seven recommendations:

Effective communication among units regarding at-risk students is essential. There are a number of recommendations intended to enhance communication in the system including conducting on-going training for personnel on the application of the Family Educational Privacy Act (FERPA) in the discussion of cases, clarifying public statements in university policy on how FERPA is applied, establishing a central university contact who has a comprehensive picture of distressed students who have been assessed by the system, clarifying policies for communicating with external agencies regarding acutely distressed students, and implementing a new policy for emergency notification for students.

According to the New York Times, a report from a panel struck by Virginia Governor Tim Kaine will be released late next week.

Case Report – Latest American data breach case

This significant data breach case recently came to my attention. In it, the Southern District Court of Ohio dismissed a motion to certify a class proceeding because the plaintiff had not alleged any damage other than the cost of obtaining credit monitoring services.

The defendant, a mortgage loan service provider, experienced a break-in in August 2005. The thieves took over $60,000 in computer hardware, including four hard drives containing the personal information of over 229,000 individuals. About four weeks after the break-in, the defendant notified individuals of the breach. In its notification letter, the defendant recommended that affected individuals place a fraud alert on their credit files but did not offer to pay for credit monitoring services.

The plaintiff claimed the defendant was negligent in securing the hard drives and negligent in terminating its internal investigation of the breach before identifying the perpetrators. The resulting loss, as alleged in the claim, was the cost of obtaining credit monitoring services “for many years” and “at great expense.”

The Court held that the plaintiff did not have standing to bring a claim in negligence because she did not establish a genuine issue of material fact in respect of her own claim. It cited a series of American cases from the last two years for the proposition that the cost of responding to an increased risk of identity theft, when merely speculative, is not an actionable loss. The following paragraph is a nice summary of the factual basis for the Court’s decision:

Although the above cited cases are not binding on this Court, this Court finds them to be persuasive. Plaintiff has admitted that, to her knowledge, no unauthorized use of her personal information has occurred. She has not been a victim of identity fraud since the theft, which occurred 20 months ago. Additionally, Plaintiff waited until almost one full year after the theft to obtain credit monitoring and chose not to place a free fraud alert on her credit report. She also failed to allege in her complaint that the information was the target of the theft. Although in her briefs she theorizes that the break-in was an “inside job” and that the information was targeted, there is no evidence to support this. The four hard drives were among $60,000 worth of equipment that was stolen from the server room. There is no evidence that the information was the target of the theft as opposed to the actual hard drives themselves. Neither the Atlanta Police Department nor the private investigator hired by Litton came to any such a determination. Furthermore, even if the information was the target of the theft, there is no evidence that the thieves or other unauthorized individuals were able to access that information or, if accessed, that it would be used for unlawful purposes. Thus, any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court cannot find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.

Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 205, 706-07 (S.D. Ohio 2007).

A couple new e-discovery resources

On August 16th the keepers of the Canadian E-Discovery Case Law Digest posted an update. I say “keepers” because the Digest now notes that it is maintained by the Sedona Canada Working Group, a group which I have just joined. I’ll have to find out how I can make a contribution because it is a great resource.

Also, I just listened to the first edition of “The ESI Report,” an e-discovery podcast broadcast on the Legal Talk Network (originally posted on August 13th).

I was most interested in the discussion of Columbia Pictures Industry v. Bunnel and the May 29th preservation order of the California Central District Court, which is notable as the first American case in which a party to a legal action has been ordered to preserve and produce data stored temporarily in a computer’s Random Access Memory.

In Bunnel, the defendant operates a website that allows users to download files that are used to search and download video files. It did not log individuals’ IP addresses or instruct its third-party service provider to log IP addresses, but these addresses, which can be used to identify users, were stored temporarily in RAM. The plaintiff sued the defendant for contributing to and inducing copyright infringement and requested production of IP address logs to identify the direct copyright infringers.

The Court ordered the defendant to start logging IP addresses and to routinely produce them in masked form and in a manner that would allow the plaintiff to identify the regular users of the defendant’s service. It held that IP addresses were existing records, were relevant to the action and were not unduly burdensome to produce. It rejected numerous arguments that the privacy rights of the site’s users weighed against the order.

Case Report – Departing employees and the injunction standard

On July 3rd the Ontario Superior Court of Justice dismissed a motion for an interlocutory injunction in a departing employee case where the plaintiff claimed breach of fiduciary duty, breach of contract (notice of resignation and non-solicitation provisions) and breach of confidence. The claim and motion were brought after a senior investment advisor and his two subordinates joined a competitor. The award is most notable for its clear statement on the standard to be applied on the first part of the RJR-MacDonald test.

I agree that where alleged breaches of restrictive covenants or fiduciary duty are asserted in an attempt to restrict a person’s ability to engage in their chosen vocation the higher standard strong prima facie case should be applied. Where the allegation relates to breach of common law duties regarding use of confidential information to compete, the test is serious issue because it involves protection of employer’s rights as opposed to restraint of trade.

The Court held that the plaintiff did not establish the strong prima facie case necessary to support an injunction restraining further solicitation of its clients. Although the Court held that the plaintiff did establish a serious issue to be tried in its request for an injunction to restrain further use of its confidential information (client lists), the Court held that the plaintiff did not establish irreparable harm and did not establish that the balance of convenience favoured an injunction. In addressing the balance of convenience, the Court stated, “I think it is also important to consider in this discussion the interests of clients about who the fight is really all about and who are entitled to have access to the investment adviser of their choice.”

BMO Nesbitt Burns Inc. v. Ord, 2007 CanLII 2463 (Ont. S.C.J.).

Case Report – Principles endorsed in Arar secrecy decision

On July 24, the Federal Court ordered a portion of the information that had been redacted from the report of the Maher Arar Commission to be released.

In September 2006 the Commission objected to the government’s decision to redact 1500 words from its public report on the grounds their disclosure would cause injury to Canada’s international relations, national defence or national security. It gave notice of its position and, in response, the government applied for an order prohibiting disclosure under section 38.04 of the Canada Evidence Act.

The information ordered to be released by the Federal Court can only be discerned by viewing the Commission’s Addendum because the publicly-available court decision (for security reasons) discusses principles but does not apply them to the information in dispute.

The Court applied the three-part test from Canada (Attorney-General) v. Ribic while also acknowledging that its jurisdiction should be exercised in a manner respectful of the uniqueness and utility of commissions of inquiry. Here are some of the principles it endorsed:

  • A section 38.04 application is not a judicial review proceeding, and the Federal Court does not owe any measure of deference to government or its delegate. At the same time, the Court held that the Commission’s decision should be considered in answering the first and third parts of the Ribic test.
  • In determining whether disclosure would be injurious to national security, national defence or international relations, courts should give deference to decisions of the executive. However, the executive’s opinion must have a factual basis and be established by evidence.
  • Disclosure of information that is in the public domain may still be injurious. It depends on how much information has been disclosed, whether it is widely-known, whether its authenticity has been confirmed or denied and the circumstances in which inadvertence led to its disclosure.
  • Information that is critical of or embarrassing to the government cannot be protected on that basis.
  • “National security,” as it is protected by the Canada Evidence Act, means “the preservation of the Canadian way of life, including the safeguarding of the security of persons, institutions and freedoms in Canada.”
  • The “third party rule” (an understanding that intelligence agencies providing information to other agencies will control the information’s subsequent use and disclosure) is “of essence to guarantee the proper functioning of modern police and intelligence agencies.” Intelligence allegiances of importance should be given greater protection.
  • The “mosaic effect” (an understanding that information which in isolation appears meaningless or trivial could, when fitted together, permit a comprehensive understanding of the information being protected) on its own will not usually provide sufficient reason to prevent disclosure of what would otherwise appear to be an innocuous piece of information. There must be some factual basis for the government’s mosaic effect claim.

The Court also identified seven factors to be assessed and weighed against one another to determine whether the public interest lies in disclosure or in non-disclosure.

Canada (Attorney-General) v. Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, 2007 FC 766 (CanLII).

Case Report – Use of meta tags and passing off

On July 7th the Ontario Superior Court of Justice dismissed a motion for an interlocutory injunction brought, in part, on a breach of confidence claim.

The treatment of the confidentiality claim is very fact-specific. Not surprisingly, Madam Justice Low held that it would not be reasonable for her to draw an inference that a company that developed and hosted an online retailer’s website misused the retailer’s confidential information merely because it had started a directly competitive business (in the adult footed pajama market, if you care).

Although intellectual property is beyond the scope of my real interest (and what I will normally speak to in this blog), you may be interested in Madam Justice Low’s obiter comments about the defendant’s improper use of the plaintiff’s trade name as a meta tag. She said:

It seems to me that an obvious (though not necessarily the only) reason for FOW’s use of the phrase “Jumpin Jammerz” as a meta tag for its website was to draw members of the internet public to its site who had some prior knowledge of Jumpin Jammerz as a vendor of pajamas and believed that they could find footed pajamas at the website associated with the words “Jumpin Jammerz”.

Had it been necessary, I would have made an order restraining the use of the phrase “Jumpin Jammerz” as a meta tag in association with FOW’s website in these circumstances given that the phrase is not descriptive of the wares and an arguable case could be made that its use as a meta tag was for the purpose of diverting or luring members of the public to a site that was not in fact connected with the business known as Jumpin Jammerz at all. It was not necessary, however, for the motion to be pursued on this issue, as the defendants have removed the meta tags to which the plaintiffs objected and do not assert an intention or desire to recommence using them.

The defendant had agreed to remove the offending tag from its website, thereby making an order unnecessary.

Pandi v., 2007 CanLII 27028 (Ont. S.C.J.).

Why the name change?

I imagine I’ve broken a cardinal rule of blog branding, but I thought I’d change the name before I do this for too much longer. I wanted to replace “Michaluk’s Information & Privacy Pages” with “All About Information” to reflect the blog’s breadth.

Privacy is a rapidly-developing area of substantive law, but it is not all that’s driving my interest. Lateral employee movement is putting pressure on organizations as they attempt to protect their confidential business information. And if the experience in the United States is a valid basis for prediction, electronic records management (or non-management, as it may be) is going to cause some extremely interesting developments in the law of production and access to information law in the next while.

So there it is. Part privacy, and part more. I hope you’ll enjoy!