Case report – Full access to hard drives ordered

On August 31, the Alberta Court of Queen’s Bench declared that the plaintiff in a departing employee case was entitled to enforce a default order that allowed it direct access to a number of hard drives it had seized earlier in executing an Anton Piller order.

The plaintiff was granted an Anton Piller order at the outset of litigation. It seized hard drives but did not inspect them.

As the litigation proceeded, a case management judge ordered the defendants to serve and file an affidavit of records by a certain date, failing which the plaintiffs would have direct access to the hard drives (subject to confidentiality terms to be agreed upon or ordered). The parties subsequently consented to a joint confidentiality order.

The Court held that the defendants did not provide an adequate affidavit of records because they did not disclose a number of records related to their involvement in a consortium that had bid successfully for a contract formerly held by the plaintiff and did not disclose all relevant e-mails and deleted files. It also held that the defendants should have produced the passwords, systems files and software necessary to access files in their native format and should have processed the electronic records for export into a litigation support software program.

The Court also rejected the defendants’ justifications. It held that the records pertaining to the consortium would be adequately protected by the implied undertaking rule and the joint confidentiality order. It also held that the defendants had not shown that electronic production (as ordered) would be unduly burdensome. On this point, the Court said:

The unusually high level of disclosure imposed in this case is justified by: the underlying fact that the defendants were employees of the plaintiff when they began working in competition with the plaintiff, the judicial determination that this was an appropriate case in which to issue an Anton Piller order, the size of the claim, which exceeds $50 million, and the great IT expertise of the parties which presupposes that at least some of the work required to provide the required level of disclosure can be done in-house.

Spar Aerospace Limited v. Aerowerks Engineering Inc., 2007 ABQB 543 (CanLII).

Ontario IPC makes cease and desist and destruction order

As David Fraser reports, the Information and Privacy Commissioner/Ontario has used her order-making powers under the privacy part of Ontario’s public sector privacy legislation for the first time after receiving a privacy complaint about the collection of personal information relating to the sale of second-hand goods. For the Commissioner’s news release click here and for a copy of the order, click here.

Case Report – BCCA says implied undertaking rule does not have a necessary disclosure component

On September 10th, the British Columbia Court of Appeal dismissed an application for leave to appeal in a novel application for contempt based on an alleged breach of the implied undertaking rule.

The plaintiffs alleged that the Insurance Corporation of British Columbia unnecessarily disclosed information it had obtained in materials served on third parties in support of a production order. They relied on an ICBC internal policy that recommended (in part) that such information only be disclosed in third-party production motion materials as “absolutely necessary.” The application was dismissed and the Court of Appeal dismissed the application for leave to appeal, holding that the appeal was not prima facie meritorious.

The Court of Appeal quoted the following passage from the application judge’s decision:

It is a matter of judgment to be exercised by counsel what information obtained by parties through the litigation discovery process needs to be disclosed to non parties in furtherance of the litigation in which that information has been obtained.

Any court-imposed constraint on that judgment is antithetical to the underlying rationale of court compelled disclosure, with its necessary intrusion on a litigant’s general right to privacy. That rationale is the need to do justice between the parties.

Implicit in the law and Rules governing disclosure is the proposition that justice between the parties is best assured when disclosure of all relevant evidence from whatever source may be compelled by the court, subject to claims of privilege.

Imposition of constraints on the parties’ use of information obtained through the discovery process in the litigation in which it is obtained, by expanding the scope of the implied undertaking, could inhibit counsel in their investigation of the case and undermine the rationale for court compelled disclosure.

***

The law delineating the scope of the implied undertaking of confidentiality respecting use of information obtained through the litigation discovery process draws a bright line. Use of that information within the litigation is permitted use. Use outside the litigation for an “alien” or “collateral” purpose is not permitted without the consent of the affected party or an order of the court.

That bright line tends to expedite litigation, which is the goal of all recent reforms of civil litigation procedure in various jurisdictions. An obscure line would tend to promote procedural controversy, which is antithetical to that goal. The current bright line sacrifices litigants’ privacy for more procedural certainty. Its ultimate goal is to achieve a just result in the litigation.

The plaintiffs’ applications seek to have the court impose the policy reflected in s. 8.3.2 of the Manual as a constraint on the use of information obtained through the litigation discovery process within the litigation. If the court were to impose that policy by expanding the scope of the implied undertaking of confidentiality to limit use of information obtained through the litigation discovery process within the litigation in which it was obtained, the bright line would become an obscure line. There is no precedent for imposing such a policy. For the reasons stated, I decline to do so.

Jampolsky v. Shattler, 2007 BCCA 439.

Case Report – Another data breach claim dismissed

An American court has dismissed another data breach claim because the plaintiffs did not allege any damage other than the cost of obtaining credit monitoring services.

The plaintiffs provided their personal information to the defendant, a bank, in an online application for services. Their information was hosted by a third party and was subject to a malicious hacking attack in 2005. The Seventh Circuit upheld the bank’s motion to dismiss based on the inadequacy of the plaintiffs’ pleadings. It made the following comment on the recent court decisions that weigh against recovery of credit monitoring costs borne as a result of a data breach:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

The outcome and reasoning in this case are similar to those in Kahle v. Litton Loan Servicing LP, discussed here.

Pisciotta v. Old National Bancorp (23 August 2007, 7th Cir.).

Good article on hash values

Ralph Losey is a Florida litigator who publishes a blog called “E-Discovery Team.” He’s published an article called “HASH: The New Bates Stamp.” You can download a copy, originally published in the June 2007 edition of the Journal of Technology Law & Policy, here. Mr. Losey explains what hash values are and how they are used in litigation, and proposes that a file naming protocol featuring truncated hash values should replace the Bates numbering convention. It’s a clearly written, well-thought-out and compelling article. Thank you!

Virginia Tech – Information graphic and a personal thought

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

Case Report – FCA gives effect to statutory privilege in access dispute

On August 27th, the Federal Court of Appeal held that information provided by the Canadian Imperial Bank of Commerce to the Canadian Human Rights Commission as part of an employment equity audit was exempt from public access as “information supplied in confidence.”

The request, made under the Access to Information Act, was for a final employment equity report that primarily contained information provided by the bank to the Commission in the course of an employment equity audit. In arguing against disclosure, the bank relied heavily on section 34(1) of the Employment Equity Act, which creates a statutory privilege for all information obtained by the Commission under the Act. This provision is not listed in Schedule II to the ATIA, which lists nineteen other statutory privilege provisions. Information that is protected by a Schedule II provision is expressly exempt from public access by section 24 of the ATIA.

The Commission decided to disclose the report and the Federal Court dismissed the bank’s application for judicial review. On appeal, the bank argued that the report was not subject to public access because it was not under the Commission’s control, that the report was not subject to public access because the information it contained was privileged and, alternatively, that the record was exempt from public access under a number of specific provisions of the ATIA. The Canadian Bankers Association intervened in the appeal, expressing a broader interest in the confidentiality of bank disclosures to a number of federal regulators under similar statutory privilege provisions.

In the end, the Court dismissed the bank’s broader arguments and held the report was exempt from disclosure based on section 20(1)(b) of the ATIA as information provided in confidence and treated consistently in a confidential manner. It held that the application judge erred on a number of bases in finding this exemption did not apply. Most significantly, it held the application judge erred in finding that the bank had no reasonable expectation of confidentiality because the right of public access in the ATIA expressly applies “notwithstanding any other Act of Parliament” and because the Commission had warned the bank that its information could be subject to public access. Rather, the Court held that the statutory privilege in section 34(1) of the Employment Equity Act provided a reasonable basis for the bank’s belief that the information in question would be held in confidence and held that the bank had also met the other requirements of the section 20(1)(b) exemption.

While the Federal Court of Appeal judgement offers strong support for the application of section 20(1)(b) to records of information provided to federal regulators and protected by a statutory privilege, the Court did note the requirement to bring the record within the scope of the exemption in every case: “A statutory guarantee of confidentiality is not, in and of itself, a sufficient basis for a claim of exemption under paragraph 20(1)(b) of the ATIA.”

Canadian Imperial Bank of Commerce v. Canada (Human Rights Commission), 2007 FCA 272 (CanLII).