The Five Whys, the discomfort of root cause analysis and the discipline of incident response

Here is a non-law post to pass on some ideas about root cause analysis, The Five Whys, and incident response.

This is inspired by having finished reading The Lean Startup by Eric Ries. It’s a good book end-to-end, but Ries’ chapter on adaptive organizations and The Five Whys was most interesting to me – inspiring even!

The Five Whys is a well-known analytical tool that supports root cause analysis. Taichii Ohno, the father of the Toyota Production System, described it as “the basis of Toyota’s scientific approach.” By asking why a problem has occurred five times – therefore probing five causes deep – Ohno says, “the nature of the problem as well as its solution becomes clear.” Pushing to deeper causes of a failure is plainly important; if only the surface causes of a failure are addressed, the failure is near certain to recur.

Reis, in a book geared to startups, explains how to use The Five Whys as an “automatic speed regulator” in businesses that face failures in driving rapidly to market. The outcome of The Five Whys process, according to Ries, is to make a “proportional” investment in corrections at each five layers of the causal analysis – proportional in relation to to the significance of the problem.

Of course, root cause analysis is part of security incident response. The National Institute of Standards and Technology suggests that taking steps to prevent recurrences is both part of eradication and recovery and the post-incident phase. My own experience is that root cause analysis in incident response is often done poorly – with remedial measures almost always targeted at surface level causes. What I did not understand until reading Ries, is that conducting the kind of good root cause analysis associated with The Five Whys is HARD.

Ries explains that conducting root cause analysis without a strong culture of mutual trust can devolve into The Five Blames. He gives some good tips on how to implement The Five Whys despite this challenge: establishing norms around accepting the first mistake, starting with less than the full analytical process and using a “master” from the executive ranks to sponsor root cause analysis.

From my perspective, I’ll now expect a little less insight out of clients who are in the heat of crises. It may be okay to go a couple levels deep while an incident is still live and while some process owners are not even apprised of the incident – just deep enough to find some meaningful resolutions to communicate to regulators and other stakeholders. It may be okay to tell these stakeholders “we will [also] look into our processes and make appropriate improvements to prevent a recurrence” – text frequently proposed by clients for notification letters and reports.

What clients should do, however is commit to conducting good root cause analysis as part of the post-incident phase:

*Write The Five Whys into your incident response policy.

*Stipulate that a meeting will be held.

*Stipulate that everyone with a share of the problem will be invited.

*Commit to making a proportional investment to address each identified cause.

Ries would lead us to believe that this will be both unenjoyable yet invaluable – good reason to use your incident response policy to help it become part of your organization’s discipline.

Federal Court of Appeal – litigation database privileged, no production based on balancing

On October 20th, the Federal Court of Appeal set aside an order that required the federal Crown to disclose the field names it had used in its litigation database along with the rules used to populate the fields. It held the order infringed the Crown’s litigation privilege.

The case management judge made the order in a residential schools abuse class action. The Crown had produced approximately 50,000 documents, with many more to come. The plaintiffs sought the fields and rules (and not the data in the fields) to facilitate their review. The case management judge, though acknowledging litigation privilege, judged the fields and rules as less revealing than the data in the fields and ordered production in the name of efficient procedure.

The Court of Appeal held that the case management judge erred because they “subordinated the Crown’s substantive right to litigation privilege to procedural rules and practice principles.” It also held, “a party attempting to defeat litigation privilege must identify an exception to litigation privilege and not simply urge the Court to engage in a balancing exercise on a case-by-case basis.”

Canada v. Tk’emlúps te Secwépemc First Nation, 2020 FCA 179 (CanLII).

Sask QB addresses willfulness requirement in a privacy claim

You might be surprised how often lawyers get sued for invading others’ privacy. On October 5th, the Saskatchewan Court of Queen’s Bench struck such a claim on the basis it disclosed no reasonable cause of action.

The defendant lawyer delivered a divorce petition and related documents to another law firm that had represented the plaintiff in the past, but the law firm was not authorized to receive the documents, and the applicable procedural rules called for personal service. The plaintiff pleaded a failure – i.e. that “the defendants failed to do their due diligence in ensuring McKercher LLP represented the plaintiff on the divorce matter.” The plaintiff said this failure caused a privacy violation given the documents contained information about the plaintiff’s income, property and the grounds for divorce.

Notwithstanding the disclosure of this information, the Court held that the the information disclosed by the plaintiff “was not the plaintiff’s to protect.” This is best viewed a finding based on context. The court punctuated the finding nicely by stating:

The point is this. Service of his wife’s petition on counsel who, as the plaintiff states, is a member of a firm with whom he has a solicitor-client relationship cannot reasonably be perceived to be a violation of his privacy.

The Court also held that the disclosure was not “willful,” as required by the Saskatchewan Privacy Act. Justice Klatt reviewed the law and said:

It is fair to say that there is no firm agreement across the country as to what “willfully” entails in the context of privacy legislation (see, for example, Agnew-Americano v Equifax Canada Co., 2019 ONSC 7110). However, I agree with Halvorson J.’s comments in Peters-Brown that “willfully” requires something more than the intentional commission of an act that has the result of violating privacy. In my view, it is more than recklessness, inadvertence or accident.

This narrow view is an authoritative statement on the law of Saskatchewan, though as noted, the requirement varies across Canada. In Ontario, privacy claims can be based on alleged recklessness (a concept with boundaries in the civil context that are still up for debate).

Kumar v Korpan, 2020 SKQB 256 (CanLII).

Cyber defence basics – Maritime Connections

I was pleased to do a cyber defence basics presentation to privacy professionals attending the Public Service Information Community Connection “Maritime Connections” event yesterday. The presentation (below) is based off of recent publications by the New York Department of Financial Services and the Information Commissioner’s Office (UK) as as the (significant) Coveware Q3 ransomware report.

As I said to the attendees, I am not a technical expert and no substitute for one, but those of us outside of IT and IT security who work in this space (along with the predominantly non-technical management teams we serve) must engage with the key technical concepts underpinning IT security if we are to succeed at cyber defence.

I’ll do an updated version next week at Saskatchewan Connections next week. Join us!

View this document on Scribd

The role of legal counsel in ransomware response – cyber divergence on display

Two publications released earlier this month illustrate different views on how to structure ransomware response, and in particular on how to structure the involvement of legal counsel.

On Wednesday of last week, the Ontario Ministry of Government Services issued a bulletin entitled “What is Ransomware and How to Prevent Ransomware Attacks” to the broader public sector. It features a preparation and response playbook that will be much appreciated by the hospitals, universities, colleges, school boards and municipalities targeted by the MGS.

The playbook treats ransomware response as primarily a technical problem – i.e., a problem about restoration of IT services. Legal counsel is mentioned in a statement about incident preparation, but is assigned no role in the heart of the response process. Indeed, the MGS suggests that the Information and Privacy Commissioner/Ontario is the source of advice, even “early on” in an incident:

If you are unable to rule out whether or not PII was compromised (which will likely be the case early on in an incident), contact the Privacy Commissioner of Ontario (416) 326-3333.

Contrast this with what Coveware says in its very significant Q3 ransomware trends report that it released on November 4th. Coveware – arguably the best source of ransomware data – explains that data exfiltration threats now feature in 50% of ransomware incidents and that ransom payments are a poor (and becoming poorer) method of preventing threat actors from leaking what they take. Coveware says:

Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel. Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set.

The Coveware view, shared by Canadian cyber-insurers, is that ransomware is primarily a legal and reputational problem, with significant downside legal risks for institutions who do not engage early with legal counsel.

I favor this latter view, and will say quite clearly that it is bad practice to call a privacy regulator about a potentially significant privacy problem before calling a privacy lawyer. A regulator is not an advisor in this context.

This is not a position I take out of self-interest, nor do I believe that lawyers should always be engaged to coordinate incident response. As I’ve argued, the routine use of lawyers as incident coordinators can create problems in claiming privilege when lawyer engagement truly is for the “dominant purpose of existing or anticipated litigation.” My point is that ransomware attacks, especially how they are trending, leave institutions in a legal minefield. Institutions – though they may not know it – have a deep need to involve trusted counsel from the very start.

Developmental service agency not a health information custodian

On October 29th, the Information and Privacy Commissioner/Ontario held that an organization operating as service agency under the Services and Supports to Promote the Social Inclusion of Persons with Developmental Disabilities Act is not a health information custodian under the Personal Health Information Protection Act.

The issue of the organization’s status came up in an appeal of its access decision. The organization acted as if subject to PHIPA, but the adjudicator raised its status as a preliminary issue, and ultimately held that PHIPA did not govern the request because the organization was not providing a service for community health “whose primary purpose is the provision of ‘health care’.”

Although the organization both handles medical information in providing its services and contributes to the enhancement of individual health, the IPC held that its primary role is the coordination of service and not the provision of health care. It explained:

[34] In my view, what is common to each of the six services offered by SCS is SCS’ role as a coordinator for, or link to, a wide range of services offered by third parties to individuals with developmental disabilities and/or autism. It is a role of coordination between these individuals (or their family members) and third-party services, which may include assessing each individual’s needs and/or preferences, and matching them to various types of programs in the community. The effect of the individuals’ participation in those third-party programs may well be that it enhances their health, but that does not transform SCS’ role into one that can be described as having a primary purpose of providing health care. In my view, it would be too broad a reading of “health care” to find that SCS’ primary purpose is the provision of health care.
[35] It is true that SCS serves members of the community who have health challenges. The complainant states that these individuals “have other health issues including mental and neurological diagnoses, speech-language impairments and complex health needs often requiring 24 hours supervision.” However, the fact SCS’ client base has health challenges does not mean that SCS’ primary purpose is the delivery of health care. With respect to the status of third party entities to whom SCS refers for services, I am not satisfied that their status is relevant to the question of whether SCS itself is a HIC. Assuming, without deciding, that at least some of those third party entities are HICs under PHIPA, that does not mean that SCS itself, as a coordinating agency, is a HIC.

This is a good reminder that organizations do not become health information custodians merely by handling medical information or by employing regulated health professionals. They must engage in the provision of “health care,” which the IPC has defined narrowly in this decision and others.

Service Coordination Support (Re), 2020 CanLII 85021 (ON IPC).

Three (literal) highlights from the IPC Ontario submission

If Ontario follows through with its commitment to enact privacy legislation, the IPC/Ontario will break from her current constraints to become a privacy regulator with global relevance. We ought to listen carefully to what she is saying about reform and build a strong sense as to how she is inclined.

On October 16th, Commissioner Kosseim filed her submission to the province. It is detailed, thoughtful and strikingly moderate. It has no talk of the concept of “fundamental human rights” that has drawn the attention of the federal commissioner. Rather, the Commissioner says that balancing privacy rights with legitimate business needs is a “virtue.”

Read the submission yourself, but here are the three parts of it that I highlighted in my own read.

First, the Commissioner says we need to reframe the role of consent and develop more principled exceptions, but consent should still be at the top of the hierarchy of the bases for processing:

Some might propose that the solution lies in a GDPR-like architecture by adopting multiple grounds for lawful processing of data, whereby consent is only one such ground on the same and equal footing as other alternative bases. However, we believe that non-governmental organizations should first be required to consider whether they can obtain meaningful consent and stand ready – if asked – to demonstrate why they cannot or should not do so before turning to permissible exceptions for processing. This approach would be more in keeping with Ontario values that promote individual autonomy and respect consumer choice. Whenever it is reasonable, appropriate, and practicable for people to decide for themselves, they should be given the opportunity to do so.

Second, the Commissioner is clearly interested in AI and its implications and clearly sees value in fostering data-driven innovation, though does not propose any solutions, calling the handling of data-driven innovation “the most challenging piece to get right in any new private sector privacy law.” Here’s my highlight on this issue:

While Purpose Specification, Consent, and Collection Limitation continue to be relevant principles, a more modern private sector privacy law would need to reconsider the weight ascribed to them relative to other principles in certain circumstances. For example, in an era of artificial intelligence and advanced data analytics, organizations must rely on enormous volumes of data, which runs directly counter to collection limitation. Data are obtained, observed, inferred, and/or created from many sources other than the individual, rendering individual consent less practicable than it once was. The very object of these advanced data processes is to discover the unknown, identify patterns and derive insights that cannot be anticipated, let alone described at the outset, making highly detailed purpose specification virtually impossible.

Finally, nobody should underestimate the significance of the potential for Ontario employers to become regulated in respect of their employees. On this issue, the Commissioner’s position is clear:

Individuals should have the ability to perform their jobs with the confidence that their employer will keep them safe, while also respecting their privacy rights. Accordingly, we recommend that any private sector privacy law in Ontario should apply to all employee personal information to fill this glaring gap in privacy protection.

IPC Comments on the Ontario Government’s Discussion Paper, IPC/Ontario, 16 October 2020.

Understanding the Employment-Related Records Exclusion

Here is a copy of the presentation I delivered yesterday at the at the PISCC’s 2020 Ontario Connections Conference. As I told the audience, I’m a confessed FOI nerd. The exclusion is such a unique, important and misunderstood part of our Ontario FOI law that it was good to dive deep on it while in good company.

ALSO, BLG is launching a new webinar series for the provincial public sector called “nuts and bolts.” The first webinar will run in late November, please sign up here, or if you can’t attend in November and want me to put you on our mailing list please DM me.

View this document on Scribd

DFS report shows how to double down on remote access security

On October 15th, the New York State Department of Financial Services issued a report on the June 2020 cybersecurity incident in which a 17-year old hacker his friends gained access to Twitter’s account management tools and hijacked over 100 accounts.

The report stresses the critical risk against which social media companies employ their security measures and the simplicity of the hacker’s methods. The DFS raises the link between social media account security and election security and also notes that the S&P500 lost $135.5 billion in value in 2013 when hackers tweeted false information from the Associated Press’s Twitter account. Despite this risk, the 2020 hackers gained access based on a well-executed but simple social engineering campaign, without the aide of malware, exploits or backdoors.

The hackers conducted intelligence. They impersonated the Twitter IT department and called employees to help with VPN problems, which were prevalent following Twitter’s shift to remote work. The hackers directed employees to a fake login page, which allowed them to capture credentials and circumvent multifactor authentication.

The event lasted about 24 hours. The DFS explains that Twitter employed a password re-set protocol that required every employee to attend a video conference with a supervisor and manually change their passwords.

The event and the report are about the remote workforce risk we face today. Twitter had all the components of a good defence in place, but according to the DFS it could have done better given the high consequences of a failure. Here is a summary of some of the DFS recommendations:

Employ stricter privilege limitations, with access being re-certified regularly. Following the incident Twitter did just this, even though it apparently slowed down some job functions.
While multifactor authentication is a given, the DFS noted, “Another possible control for high-risk functions is to require certification or approval by a second employee before the action can be taken.”
The DFS points out that not all multifactor authentication is created equal: “The most secure form of MFA is a physical security key, or hardware MFA, involving a USB key that is plugged into a computer to authenticate users.”
The DFS says organizations should establish uniform standards of communications and educate employees about them. Employees should know, for example, exactly how the organization will contact them about suspicious account activity.
The DFS endorses “robust” monitoring via security information and event management systems – monitoring in “near real-time.”

These recommendations could make for very strong remote access and account security, but are worth note.

Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security.

OPC issues significant findings in response to online reputation complaint

The IPC recently responded to a complaint by a dentist about the the RateMDs review site, at which several individuals purporting to be her patients had posted anonymous reviews. The OPC findings are significant favor the public’s right of expression over doctors’ interest in personal privacy.

The OPC first held that RateMDs did not need the complainant’s consent to publish the reviews because the reviews constituted so-called “mixed personal information” – a term used by the IPC/Ontario to refer to personal information that relates to more than one individual. The Federal Court of Appeal test from Pirrie calls for a very contextual balancing of interests in addressing access requests for such information. In this case, the OPC applied a similar approach to deny the complainant the ability to block the publication of others’ opinions about her. It said:

Giving effect to the Complainant’s lack of consent would mean the interests of the patients who are consenting to the publication of their reviews and ratings would not be respected, and the benefits to the public more broadly would be negated. We are therefore of the view, based on a balancing of interests of the Complainant with those of the reviewers and the public more generally, that this aspect of the complaint is not well-founded.

The OPC held that RateMDs’ accuracy and correction obligations under PIPEDA require it to correct ratings that are inaccurate, incomplete or out-of-date. However, it also acknowledged that challenging the inaccuracy of an anonymous review is difficult and held that that PIPEDA will “generally” prohibit review sites like RateMDs from disclosing the identity of anonymous reviewers.

Finally, OPC held, that RateMDs should discontinue a paid service that allowed doctors to hide up to three reviews “deemed to be suspicious.” While this finding is understandable, it is ironic that a privacy regulator has applied our commercial privacy statute to take away a potential privacy remedy. All in all, that is what this finding does: it makes clear that PIPEDA is not an effective remedy for challenging seemingly fair reviews posted on a bona fide review site. Those aggrieved must go to court and sue in defamation or (if they are up for a challenge) breach of privacy.

PIPEDA Report of Findings #2020-002, June 30, 2020.