On June 20, the U.S. District Court for the Northern District of Texas held that the US Department of Health and Human Services exceeded its authority by issuing a guidance bulletin that warned HIPAA-regulated entities that tracking visitors to web pages with content about health conditions or health care providers is governed by the HIPAA privacy rule.
The HHS concern is focused on the disclosure of “protected health information” or “PHI” to tracking vendors given such disclosures are subject to particular legal requirements. Similar to the law in Ontario, PHI is only information about an identifiable individual that “relates to” the provision of health care.
The HHS bulletin distinguishes the following two scenarios to explain when the HIPAA privacy rule does and does not apply:
For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.
The Court held that the required connection between the information and the provision of health care cannot be based on the subjective intent of visitors if the website does not collect any information about subjective intent. Without such a collection, the Court held, there is only a “speculative inference” about the visitor’s health and interest in or need for health care, too weak a connection to meet the “relates to” criterion.
On January 22, 2024, Arbitrator Shapiro upheld the discharge of a long-service IT employee with an unblemished record for installing crypto-currency mining software on a college network.
Labour arbitrators have the power to substitute a penalty for an “unjust” discharge. The analysis is multi-factorial, though length of service and disciplinary record weigh heavily. In this case, these mitigating factors were overcome by the gravity of the misconduct and its impact on the employer’s trust in an IT administrator. Arbitrator Shapiro quoted a case I did for Sheridan College many years ago, and said:
In Sheridan College Institute of Technology & Advanced Learning v OPSEU, (2010) 201 LAC (4th) 243 (Ont Arb), the grievor was an infrastructure analyst in a college IT department. His employment was terminated for unauthorized use of the employer’s computer network. The grievor used a college computer for private purposes using the college’s network. He downloaded and stored thousands of copyrighted works including TV shows, music, games, and pornographic videos. The union argued that the termination was excessive as the employer was aware of the conduct and other employees accessed the computer. The arbitration board disagreed and upheld the termination, noting that the grievor had “significant responsibilities for the College’s network, including its security” and “his activities (by his own admission) increased the risk to the security of the network”. Like in Sheridan College, the Grievor here held significant responsibilities for the College’s network, including its security, and put that system at risk through his breach of College policies, pointing to a finding of serious misconduct in this matter.
This is a good finding. Employers truly are at the mercy of their IT administrators. A violation of that trust is a very serious breach.
I’ll also call out one other point here. Here is a comment the arbitrator made about how the employer handled the investigation and discharge:
By no means can it be said that the College rushed to judgment regarding its decision to terminate D.L.’s employment. To the contrary, despite the already overwhelming evidence against him, in order to permit a full investigation and avoid prejudgment, the College generously placed him on paid administrative leave, which continued from February 14, 2022, the date of his suspension, to July 14, 2022, the date of termination. The investigation was largely paused while D.L. was on administrative leave and sick leave, until he informed the College at the end of June that he was ready for a graduated return to work. At that time, Taylor, Studney and Lavoie were actively considering reinstatement, albeit at a time before they became aware, through both Safruik and Heisler, of the extent of the network issues D.L. had caused, which elevated the risk to the College to high. The College did not in any way act precipitously and instead gave D.L. every reasonable consideration and opportunity to explain himself before moving to terminate. In addition to the other steps it took, the Employer arranged an external IT expert assessment. Finally, before terminating the Grievor’s employment, the College sought external legal advice. Overall, this was a careful, informed decision, following a fair and thorough investigation.
It’s so hard for employers who have caught employees “dead to rights” to employ due process, but it’s very important to do so given the employee interests at stake. It’s sometimes said there is no duty to investigate, but I have little doubt that had this employer acted “precipitously,” the grievance would have been allowed.
On April 23rd, a panel of the Divisional Court (Ontario Superior Court of Justice) affirmed an order that permitted a producing party to redact personal information from otherwise producible records provided it could establish (a) that the redacted information is irrelevant and (b) that its disclosure would infringe the privacy interests of affected individuals.
The parties filed foreign law affidavits that disputed the applicable test in Germany, which permits production based on the so-called “legitimate interests” exception. The motions judge rejected the producing party’s argument that, to show appropriate respect for EU and German law, an Ontario court ought to default to the redaction of all personal information subject to proof that redaction would compromise the effectiveness of the fact-finding process. Rather, the judge held that the legitimate interest in production is “baked into” our production rule, meaning that we can respect EU and German law while defaulting to production, though a producing party may justify redaction of irrelevant (personal) information if producing it would infringe public interests (including privacy interests) worthy of protection.
The Divisional Court affirmed the order. In doing so it reconciled the test for production under EU and German privacy law and under domestic law in Ontario as stated in McGee v London Life Insurance.
I was up at the crack of dawn today to burn down to Cape May, New Jersey for the DeSatnick Foundation Paddle Around the Cape Race this Sunday. (It’s still not too late to donate.) I listened to the Supreme Court of Canada’s York Region District School Board decision between Allentown PA and the NJ border. It’s significant, but thankfully only in a technical sense – not changing the balance between employee privacy and management rights. I’ll explain.
Of course, this is the case about a series of “searches” conducted by a school principal in an attempt to manage a workplace called “toxic” by labour arbitrator Gail Misra, who held the principal’s searches were justified. I put “searches” in quotes because the term is a technical one in the section 8 Charter jurisprudence, which Arbitrator Misra referred to but didn’t apply very well. Any criminal lawyer or judge reading her decision would quickly pick out Arbitrator Misra’s jurisprudential flaws. These flaws are what ultimately led the majority of the Supreme Court of Canada to quash her decision.
Along the way the Court unanimously (and finally?) held that the Charter applies to school boards (Ontario ones, at least). It said, “Public education is inherently a governmental function. It has a unique constitutional quality, as exemplified by s. 93 of the Constitution Act, 1867 and by s. 23 of the Charter. Ontario public school boards are manifestations of government and, thus, they are subject to the Charter under Eldridge’s first branch.”
Given Charter application, the majority held that Arbitrator Misra erred by balancing interests under the privacy test long employed by arbitrators and endorsed by the Supreme Court of Canada in Irving Pulp and Paper – a derivative of the famous KVP test. She was bound to apply the section 8 Charter framework, the majority said, and do so correctly.
So Charter-bound employers, like law enforcement, must not conduct unreasonable searches. The test is two-part. There must be a “search,” which will only be so if there is a “reasonable expectation of privacy.” And then the search must be “reasonable.” This is a highly contextual test that encompasses a balancing of interests, and a labour arbitrator’s balancing will be subject to review on the correctness standard.
Non-Charter-bound employers – like Irving – will continue to live under the balancing of interests test and KVP. As to whether that will result in different outcomes, the majority suggests it may not: “The existing arbitral jurisprudence on the “balancing of interests”, including the consideration of management rights under the terms of the collective agreement, may properly inform the balanced analysis.”
I’ve said here before that privacy law should be unified such that the concepts that bear upon section 8 analysis are used by labour arbitrators. This judgement grants my very wish. It should lend predictability to otherwise unpredictable balancing by labour arbitrators, as should correctness review. And although non-Charter-bound employers will have a notionally different framework, I expect that arbitrators will strive for unification.
And there is nothing in the judgement that alters the management-employee balance or elevates workplace privacy rights. To the contrary, it erases a Court of Appeal for Ontario judgement that one could argue was too insensitive to the principal’s interest in dealing with a serious workplace problem.
This very short and informal post (which is plainly influenced by my one-day vacation) is made strictly in my personal capacity.
On April 26th, the Court of Appeal of Alberta affirmed a lower court decision that privilege in two post-incident investigation reports had been waived, also opining on the law governing whether the reports were subject to litigation privilege.
The case arises out of a 2015 pipeline failure. The operator initiated an investigation for multiple purposes, ultimately leading to the creation of several reports, including the two expert reports at issue. The operator relied on an affidavit sworn by its assistant general counsel in which she stated that she contemplated litigation soon after the incident and directed all investigations to be conducted on a privileged and confidential basis under the supervision of legal counsel.
The two reports were later produced by experts. The lower court judge did not review the reports, but held they were used to decide whether to repair or replace the pipeline and encompassed “too many other concerns” to have been prepared for the dominant purpose of litigation. The lower court judge also held the operator waived privilege in the reports by sharing them with the Alberta Energy Regulator and the Association of Professional Engineers and Geoscientists of Alberta and by mentioning the conclusion of the reports at a press conference.
The press conference statement is worth quoting:
Nexen has conducted comprehensive investigations into the pipeline failure in July 2015 and the January 2016 explosion at its Long Lake Oil Sands facility to determine the root cause for each incident. . . .
• Following the Long Lake pipeline rupture discovered on July 15, 2015, Nexen conducted a comprehensive, independent investigation using Nexen’s Event Recording and Analysis (ERA) Procedure to determine the root cause.
• Based on our investigation, the root cause of the rupture was a thermally-driven upheaval buckling of the pipeline and the subsequent cooldown during the turnaround. This was the result of using an incompatible pipeline design for the muskeg ground conditions. Steps that could have been taken to mitigate the potential for upheaval buckling were not addressed.
The Court of Appeal held that this revelation did not waive privilege as found by the lower court judge. The core of its reasoning is that the statement did not clearly reveal the content of the privileged reports: “It is difficult to see how privilege could be lost over a document that is not even mentioned.”
Privilege was nonetheless waived, the Court said, by the voluntary disclosure of the reports to the Regulator and the APEGA. Although the operator disclosed the reports to the Regulator with various stipulations, none precluded the Regulator from using the reports in a prosecution or from disclosing the reports to others as required by law. Likewise, disclosure to the APEGA for its use was incompatible with maintaining a privilege claim.
On the privilege claim itself, the Court applied its decision in Suncorp, which dictates that litigation privilege must be assessed on a document-by-document basis. It then stressed that the dominant purpose test applies to the creation of a document, not the investigation that preceded the document’s creation or the use of the document after it was created. It questioned the lower court judge’s finding because the judge made it without reviewing the reports and because the judge placed too much emphasis on the reports’ use rather than the purpose for their creation.
The creation and maintenance of a litigation privilege claim is very technical, and this decision is illustrative in many ways. The finding that the above-quoted press conference statement did not waive privilege is most notable. The statement does have a degree of vagueness about it, but also hints at the content of privileged documents in a way that begs a question about what they say. Ultimately, the Court’s finding suggests that drafters of such statements have some latitude to garner trust from expert investigations so long as they don’t refer to the content of privileged reports. This is helpful, though to be relied upon with caution.
Online proctoring software was critical to higher education institutions during the heart of the pandemic. Though less significant today, the report of findings issued by the Information and Privacy Commissioner/Ontario last week about McMaster University’s use of online proctoring is an important read for Ontario public sector institutions – with relevant guidance on IT contracting, the use of generative AI tools and even the public sector necessity test itself.
The necessity test
To be lawful, the collection of personal information by Ontario public sector institutions must be “necessary to the proper administration of a lawfully authorized activity.” The Court of Appeal for Ontario adopted the IPC’s interpretation of the test in Cash Converters in 2007. It is strict, requiring justification to collect each data element, and the necessity standard requires an institution to establish that a collection is more than “merely helpful.”
The strictness of the test leaves one to wonder whether institutions’ business judgment carries any weight. This is a particular concern for universities, whose judgement in academic matters has been given special deference by courts and administrative decision-makers and is protected by a FIPPA exclusion that carves out teaching and research records from the scope of the Act. It does not appear that McMaster argued that the teaching and research records exclusion limited the IPC’s jurisdiction to scrutinize its use of online proctoring, but McMaster did argue that it, “retains complete autonomy, authority, and discretion to employ proctored online exams, prioritizing administrative efficiency and commercial viability, irrespective of necessity.”
The IPC rejected this argument, but applied a form of deference nonetheless. Specifically, the IPC did not question whether the University’s use of online proctoring was necessary. It held that the University’s decision to employ online proctoring was lawfully authorized, and only considered whether the University’s online proctoring tool collected personal information that was necessary for the University to employ online proctoring.
This deferential approach to the Ontario necessity test is not self-evident, though it is the same point that the University of Western Ontario prevailed on in 2022 in successfully defeating a challenge to its vaccination policy. In Hawke v Western University, the Court declined to scrutinize the necessity of the University’s vaccination policy itself; the only questions invited by FIPPA were (a) whether the University’s chosen policy was a lawful exercise of its authority, and (b) whether the collection of vaccination status information to enforce the chosen and lawful policy was necessary.
To summarize, the authority now makes clear that Ontario institutions get to set their own “policy” within the scope of their legal mandates, even if the policy invites the collection of personal information. The necessity of the collection is then measured against the purposes of the chosen lawful policy.
IT contracting
It is common for IT service providers to reserve a right to use the information they process in providing services to institutions. Institutions should appreciate whether the right reserved is a right to use aggregate or de-identified information, or a right to use personal information.
The relevant term of use in McMaster’s case was as follows:
Random samples of video and/or audio recordings may be collected via Respondus Monitor and used by Respondus to improve the Respondus Monitor capabilities for institutions and students. The recordings may be shared with researchers under contract with Respondus to assist in such research. The researchers are consultants or contractors to Respondus and are under written obligation to maintain the video and/or audio recordings in confidence and under terms at least as strict as these Terms. The written agreements with the researchers also expressly limit their access and use of the data to work being done for Respondus and the researchers do not have the right to use the data for any other purposes. No personally identifiable information for students is provided with the video and/or audio recordings to researchers, such as the student’s name, course name, institution, grades, or student identification photos submitted as part of the Respondus Monitor exam session.
Despite the (dubious) last sentence of this text, the IPC held that this contemplated a use of test-taker personal information for a secondary purpose that was not a “consistent purpose.” It was therefore not authorized by FIPPA.
In recommending that the University secure a written undertaking from the service provider that it would cease to use student personal information for system improvement purposes without consent, the IPC carefully noted that the service provider had published information that indicated it refrains from this use in certain jurisdictions.
In addition to this finding and a number of related findings about the use of test taker personal information for the vendor’s secondary purposes, the IPC held:
the vendor contract was deficient because it did not require the vendor to notify the University in the event that it is required to disclose a test taker’s personal data to authorities; and
that the University should contractually require the vendor to delete audio and video recordings from its servers on, at minimum, an annual basis and that the vendor provide confirmation of this deletion.
The McMaster case adds to the body of IPC guidance on data protection terms. The IPC appears to be accepting of vendor de-identification rights, but not of vendor rights to use personal information.
Generative AI
While the IPC recognized that Ontario does not have law or binding policy specifically governing the use of artificial intelligence in the public sector, it nonetheless recommended that the University build in “guardrails” to protect its students from the risks of AI-enabled proctoring software. Specifically, the IPC recommended that the University:
conduct an algorithmic impact assessment and scrutinize the source or provenance of the data used to train the vendor’s algorithms;
engage and consult with affected parties (including those from vulnerable or historically marginalized groups) and those with relevant expertise;
provide an opt out as a matter of accommodating students with disabilities and “students having serious apprehensions about the AI-enabled software and the significant impacts it can have on them and their personal information”;
reinforce human oversight of outcomes by formalizing and communicating about an informal process for challenging outcomes (separate and apart from formal academic appeal processes);
conduct greater scrutiny over how the vendor’s software was developed to ensure that any source data used to train its algorithms was obtained in compliance with Canadian laws and in keeping with Ontarians’ reasonable expectations; and
specifically prohibit the vendor from using students’ personal information for algorithmic training purposes without their consent.
The IPC’s approach suggests that it expects institutions to employ a higher level of due diligence in approaching AI-enabled tools given their inherent risks.
On November 22, 2023, the Court of Appeal (England and Wales) held that the Freedom of Information Act 2000 permits the public interest in maintaining non-absolute exemptions to be weighed in the aggregate against the public interest in disclosure.
This decision is technical, and about the unique structure of the United Kingdom’s freedom of information statute. Lady Justice Andrews even remarked, “I anticipate that it will rarely be the case that the issue of statutory construction that we have been asked to resolve would make a practical difference to the outcome of an application for disclosure under FOIA.” The ICO is apparently appealing nonetheless.
I am blogging about the decision because Lord Justice Lewis provides us with this good quote that challenges the idea that a purposive interpretation of an access statute necessarily favours access. He says:
…it is too simplistic to say, as the Upper Tribunal did and as the respondents do, that aggregation of the different public interests in non-disclosure would lead to less disclosure of information and so run counter to the purpose of FOIA which is to promote openness. Similarly, it is unduly simplistic to take the view that FOIA is to be interpreted in as liberal a manner as possible in order to promote the right to information. As Lord Hope recognised in the Common Services Agency case, the right to information is qualified in significant respects and appropriate weight must be given to those qualifications as the “scope and nature of the various exemptions plays a key role within the Act’s complex analytical framework” (see paragraph 34 above). A similar approach to FOIA has been recognised by Lord Walker in BBC v Sugar (No.2) [2012] UKSC 4, [2012] 1 WLR 439, especially at paragraphs 76 to 84 and in Kennedy by Lord Mance and Lord Sumption (with whom Lord Neuberger and Lord Clarke agreed) in the quotations set out at paragraphs 35 and 36 above. Rather, the wording of section 2(2) should be considered, in the light of the statutory context, to determine how Parliament intended the system of exempting information from disclosure to operate.
Bear in mind that the purpose sections in Ontario’s freedom of information statutes expressly state that statutory “exemptions” from the public right of access should be “limited and specific.” The Divisional Court, however, has also held that the statutory purpose of FIPPA and MFIPPA weighs in favour of narrowly construing exclusions – the provisions that remove certain records entirely from the scope of the right of access. I question that approach for the reasons articulated by Lord Justice Lewis; it is too simplistic an approach to discerning legislative intent.
On November 6th, the Supreme Court of British Columbia affirmed a British Columbia OIPC finding that a university was in possession and control of e-mails sent and received by a faculty member that the University claimed related to research. The Court nonetheless quashed the OIPC’s order to issue a decision in respect of the e-mails on the basis that they were not excluded from the public right of access.
The request was for e-mail correspondence between a faculty member and his research collaborator in Japan over a lengthy time period. The University denied the request based on the statutory exclusion for “research information” in British Columbia FIPPA – an exclusion meant to safeguard academic freedom.
On appeal to the OIPC, the University relied on an affidavit from the targeted professor that stated all of the requested communications were related to ongoing research. The affidavit also described the general nature of the communications, but did not include an index.
The requester responded that the faculty member and his colleague from Japan “have collaborated on numerous formal complaints to TRU about Dr. Pyne’s professional work and behavior” and indicated that they were seeking correspondence that established an improper leak of related information by the faculty member to the colleague – an act of “professional activism.” The OIPC held that the records were under the University’s possession and control and that the University failed to meet its onus of establishing that they were excluded. It ordered it to make a decision as to their release under FIPPA.
The Court affirmed the OIPC’s possession and control finding, dismissing the University’s argument that academic freedom rendered the e-mails beyond its possession and control. The Court said:
[49] Much of TRU’s argument on both arms of the custody and control issue is an attempt to characterize the academic university setting as one in which ordinary analysis does not apply. The argument is that academic faculty members are special: they have academic freedom, which is to say, a protected sphere of individual autonomy, within which they are free from oversight and direction by the university, and their email correspondence within that sphere should be no more subject to disclosure under FIPPA than would be purely personal correspondence.
[50] Counsel for OIPC submits that both arms of TRU’s argument are analytically misplaced because, while FIPPA recognizes the importance of academic freedom, it does so under the aegis of the research information (or research materials) exception in s. 3(1)(e) (now s. 3(3)(i)). I agree with this submission. The research information exception makes room for TRU’s argument. It is unhelpful to have to deal with it separately as an argument about custody or control.
The suggestion in the last sentence above is that the existence of the statutory exclusion lends support to institutional possession and control – i.e., that academic freedom is protected by the exclusion but does not restrict a University’s ability to handle faculty records in processing requests.
The Court nonetheless quashed the OIPC’s order. It held that the University’s evidence established that at least some of the responsive e-mails were excluded, and that the resulting order to issue a decision in respect of all responsive records was over-broad. In making this finding, it held that the OIPC had a reasonable basis for doubting the faculty member’s “blanket assertion” given the competing evidence about “professional activism.”
IMHO the University’s affidavit ought to have carried the day. It may make sense to require better, more particular evidence to support an exclusion claim when the claimant’s evidence is rebutted, but I don’t believe it was rebutted in this case. The only assertion by the requester is that the set of responsive e-mails likely contained information about a research misconduct matter, and research misconduct is typically treated as within the scope of academic freedom and subject to academic self-governance and freedom.
It was an honour and pleasure to speak today at the Canadian SecuR&E Forum, a research and education community-building event hosted by CANARIE. My object was to spread the gospel of threat information sharing and debunk some myths about legal privilege as a barrier to it. Here are my slides, and I’ve also included the text of my address below.
Slide one
I am here today as a representative of my profession – the legal profession.
I’m an incident response lawyer or so-called “breach coach.” Lawyers like me are often used in an advisory capacity on major cyber incidents. Insurers encourage this. They feel we add consistency of approach and mitigate downside risk.
I’ve done some very difficult and rewarding things with IT leaders in responding to incidents, and genuinely believe in the value of using an incident response lawyer. But I am also aware of a discomfort with the lawyer’s role, and the discomfort is typically expressed in relation to the topic of threat information sharing.
We often hear organizations say, “The lawyer told us not to share.”
I’m here as a lawyer who is an ally to IT leadership, and to reinforce the very premise of CanSSOC – that no single institution can tackle cybersecurity issues alone.
Here’s my five-part argument in favour of threat information sharing:
Organizations must communicate to manage
The art is in communicating well
Working within a zone of privilege is important
But privilege does not protect fact
And threat information is fact
My plan is to walk you through this argument, taking a little detour along the way to teach you about the concept of privilege.
Slide 2
Let’s first define what we are talking about – define “threat information.”
NIST is the National Institute of Standards and Technology, an agency of the US Department of Commerce whose cybersecurity framework is something many of your institutions use.
NIST says threat information is, “Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor.”
Indicators (of compromise) are pieces of evidence that indicate a network has been attacked: traffic from malicious IP addresses and malware signatures, for example.
“TTPs” are threat actor “tactics, techniques and procedures.” These are behaviours, processes, actions, and strategies used by a threat actor. Of course, if one knows threat actor measures, one can employ countermeasures.
Beyond indicators and TTPs, we have more contextualized information about an incident, information that connects the pieces together and helps give it meaning. It all fits within this definition, however.
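As an added illustration (it is not part of the original talk, the NIST framework or any CanSSOC tooling), the following Python script shows what “threat information” looks like in practice: a set of constructed indicators of compromise is matched against constructed proxy and endpoint log lines, and the matches are then reduced to the factual, shareable indicator values, leaving the institution’s own host names and timestamps at home. Every IP address, domain, hash and host name below is made up, and the log format is a hypothetical key=value layout chosen for the example.

```python
"""Constructed example: from raw incident evidence to shareable threat information.
Indicator values, log lines and host names are all invented for this demonstration."""
import re
from dataclasses import dataclass

# Constructed indicators, as a peer institution might circulate them (not real IoCs).
SHARED_IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},        # documentation (TEST-NET) ranges
    "domain": {"update-check.example.net"},
    "sha256": {"a" * 64},                           # placeholder hash value
}

# Constructed log lines in a hypothetical "timestamp key=value ..." layout.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z host=lib-ws-12 dst=203.0.113.45 action=allow",
    "2024-03-01T08:00:05Z host=lib-ws-12 dns=update-check.example.net",
    "2024-03-01T08:01:10Z host=hr-ws-03 dst=192.0.2.10 action=allow",
    "2024-03-01T08:02:00Z host=lib-ws-12 file_sha256=" + "a" * 64 + " action=quarantine",
]

# Which log fields carry which kind of indicator.
FIELD_KINDS = {"dst": "ip", "src": "ip", "dns": "domain", "file_sha256": "sha256"}
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Match:
    """One observation of a known indicator: the indicator plus local context."""
    kind: str
    value: str
    host: str
    timestamp: str


def match_iocs(lines, iocs=SHARED_IOCS):
    """Return a Match for every log field whose value equals a known indicator."""
    hits = []
    for line in lines:
        timestamp = line.split(" ", 1)[0]
        fields = dict(KV_RE.findall(line))
        host = fields.get("host", "unknown")
        for key, value in fields.items():
            kind = FIELD_KINDS.get(key)
            if kind and value in iocs.get(kind, ()):
                hits.append(Match(kind, value, host, timestamp))
    return hits


def affected_hosts(hits):
    """Contextual information that stays internal: which hosts observed the indicators."""
    return sorted({h.host for h in hits})


def to_shareable(hits):
    """Reduce matches to the factual indicators only (type and value, deduplicated).
    Internal host names and timestamps are deliberately dropped before sharing."""
    return sorted({(h.kind, h.value) for h in hits})


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    print("internal context - affected hosts:", affected_hosts(found))
    for kind, value in to_shareable(found):
        print(f"shareable indicator: {kind}={value}")
```

The split between `affected_hosts` and `to_shareable` is the point of the example: the indicator values are facts about the adversary, which is what a peer needs, while the host names and timing are facts about the institution, which can be held back or shared separately as the incident lead decides.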
Slide 3
Argument 1 – we must communicate to manage
Let’s start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. Without making light of it, I’ll say that there is lots of “drama” associated with most major cyber incidents today.
Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You’ll have many, many stakeholders descending on you from time zero, and every one of them wants one thing – information. You don’t have a lot of that to give them, in the early days at least, but you’ve got to give them what you can.
In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what’s happened and what you’re doing about it. It means reporting to law enforcement. And it means sharing threat information with peers.
“We’re stronger together” is the CanSSOC tag line, and it’s bang on. NIST says that Tier 4 or “adaptive” organizations – the most mature in its framework – understand their part in the cyber ecosystem and share threat information with external collaborators. There’s no debate: sharing threat information is part of a widely accepted cybersecurity standard.
Slide 4
Argument 2 – the art is in communicating well
People have a broad right to remain silent under our law.
And anything they say can be used as evidence against them in a court of law.
These are plain truths that are taught in first-year constitutional and criminal law classes across the country.
And the right to remain silent ought to be adhered to strictly in some scenarios – when one faces criminal jeopardy, for example.
Incident scenarios are far, far from that.
The most realistic downside scenario in most incidents is getting sued.
In theory, you can avoid civil liability by not being transparent about your bad facts.
In reality, hiding your bad facts is almost always an unwise approach.
This is because bad facts will come out:
because you’ll notify individuals affected by a privacy breach in accordance with norms or because it’s legally required; or
because you’re a public body subject to FOI legislation.
So you’ve got to do what the communications pros say: get ahead of the issue, control the message and communicate well.
Slide 5
Let’s detour from the argument for a moment to do some important background learning.
What is legal privilege?
Short answer – It is a very helpful tool for incident responders.
It’s a helpful tool because it shields communications from pretty much everyone. Adversaries in litigation are the main concern, but also the public – who, again, has a presumptive right of access to every record in the custody or control of a university.
There are two types of privilege.
Solicitor-client. This is the strongest form of privilege. You see the definition here. Invoking privilege is not as simple as copying your lawyer on a communication. But if you send a communication to a lawyer and your decision-making team at the same time, and your lawyer is a legal advisor to the team, the communication is privileged.
Litigation privilege works a little differently, and is quite important. I specify in engagement letters that my engagement is both as an advisor and “in contemplation of litigation” so reports produced by the investigators we hire are more likely to survive a privilege challenge.
Invoking privilege is why you want to call your incident response counsel at the outset. If the investigator comes in first, you can always have a late-arriving lawyer say that the investigation is now for their purpose and in contemplation of litigation, but that assertion could be questioned given the timing. In other words, the investigation will look operational and routine and not for the very special purposes that support a privilege claim.
Slide 6
Back to the argument
Argument 3 – Working within a zone of privilege is important
Here’s an illustration of the power of privilege and why you want to establish it.
The left-hand column is within the zone of privilege. I’m in that zone. The experts I retain for you are in that zone. And you’re in that zone along with other key decision-makers. We keep the team small so our confidential communication is more secure.
And we can speak freely within the zone. Have a look at the nuanced situation set out in the left-hand column. The forensic investigator can present evidence gathered over hours and hours of work in one clear and cogent report. We can deal with fine points about what that evidence may or may not prove and what you ought to do about it. I’ll tell you where you can and should go, but I’ll also tell you about the frailties in those directions and other options you shouldn’t and won’t take.
None of that need ever see the light of day, and in the right-hand column, in public, you can tell your story in the clearest, plainest and most favorable way possible: “We do not believe there has been any unauthorized access to student and employee personal information.” If plaintiff counsel or anyone else wishes to disprove that, they can’t go to your forensic report for a road map to the evidence and for something to mine for facts that might seal your fate in court. They must gather all the evidence gathered by your investigator themselves, re-do the analysis and then figure out on their own what it means.
Privilege is of powerful benefit.
Slide 7
Argument 4 – privilege doesn’t protect facts
I often hear, “We need to keep things confidential because of privilege.” Let me tell you what that means.
The privilege belongs to the client, not the lawyer. Clients can waive privilege, so they need to keep their privileged communications and documents confidential. Institutions do this all the time, but it’s risky to say, “We’re doing this because our lawyer said so.” That’s arguably an implicit waiver.
The easy rule is, “Don’t publish anything you’ve said to your lawyer or that your lawyer has said to you.” Don’t state it directly. Don’t even hint at it!
The same goes for your forensic investigator. Saying, “Our forensic investigator told us this,” is also a risk. Just say that you’ve done your investigation, and these are the facts, or that you believe this to be the case.
If you do that, if you talk about the facts, you won’t waive privilege. You’ll be using the privilege to derive the facts you publish, and will be safe.
This is what your lawyer is working so hard on in an incident. One of our main roles is to work within that zone of privilege on the evidence and to determine what is and isn’t fact. If it really is fact, and you are in transparency mode, you will get the fact out whether it’s a good fact or a bad fact. And I’ll agonize with you about what that right-hand column should say and make sure it is safe. I’ll ask myself continuously, “If my client gets into a fight later, will that be what is ultimately proven to be the truth?”
Slide 8
Argument 5 – threat information is fact
It is. And if you can convey facts without waiving privilege, you can convey threat information without waiving privilege.
So don’t listen to anyone who tells you that you can’t share threat information because it will waive privilege. It’s not a valid argument.
You’ll have a very clear view of indicators of compromise fairly early into an incident and should share them immediately because their value is time limited.
It takes longer to identify TTPs, but they are safe to share too because they are factual.
That’s my argument. I’ve been talking tough, but will end with a qualification – a qualification and a challenge!
The qualification. You should be wary of the unstructured sharing of information with context, particularly early on in an incident: CISOs call CISOs, Presidents call Presidents, I understand. I get it, and think that the risk of oral conversations with trusted individuals can be low. Nonetheless, this kind of informal sharing is not visible, and does represent a risk that is unknown and unmanaged. I’d rather you bring it into the formal incident response process and do it right. For example, I was part of an incident last year in which CanSSOC took an unprecedented and creative step in bringing together two universities who were simultaneously under attack by the same threat actor so they could compare notes.
This is the challenge, then: how do we – IT, leaders, lawyers and CanSSOC together – enable better sharing in a safe manner? There’s a real opportunity to lead the nation on this point, and I welcome it.
On April 17, Nova Scotia labour arbitrator Augustus Richardson admitted audio recording evidence that a union objected to even though the employer failed to give proper notice of recording.
The grievors were correctional officers discharged for behaving offensively and unprofessionally in transporting an inmate to a hospital. A hospital social worker complained of misconduct that occurred in the hospital. This led the employer to speak with the inmate, who did not provide a statement, but said something – it’s unclear what – that led the employer to download and review audio-visual recordings from the vehicle the grievors used to transport the inmate.
The vehicle had visible cameras that faced its two inmate compartments, but the union and the grievors claimed they were unaware the cameras recorded audio. The employer had issued a bulletin about the cameras that explained that they recorded audio, but didn’t have a policy or post signage. Arbitrator Richardson heard evidence, and accepted that the grievors and the union were unaware.
Arbitrator Richardson nonetheless admitted the evidence. Relying on the Supreme Court of Canada decision in Syndicat des employé professionnels de l’Université du Québec à Trois-Rivières v. Université du Québec à Trois-Rivières and Alain Larocque, 1993 CanLII 162 (SCC), [1993] 1 SCR 471, he held that declining to admit such central evidence would invite a breach of natural justice. Arbitrator Richardson also held that the employer’s access to and use of the evidence was not unreasonable, and was separate from the employer’s recording of the evidence (which the union had not grieved).
There are two points of significance in this case.
First, recording audio with video is risky because it captures private communications. Providing clear notice is important to protect against potential criminal liability (for breach of the Criminal Code wiretap prohibition), and also to avoid disputes like the one adjudicated by Arbitrator Richardson.
Second, Arbitrator Richardson’s approach to the union’s objection is to be preferred to any approach to the exclusion of evidence that does not consider and weigh the impact of exclusion on hearing fairness. He does not say that a labour arbitrator has no jurisdiction to exclude evidence obtained in breach of privacy but, rather, says that such exclusion must be “appropriate” – i.e., not work an unfairness or bring the administration of (arbitral) justice into disrepute [my words].