Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector
Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector. It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.
Today I did short update-style presentation at a session jointly-sponsored by the Canadian Insurance Adjusters Association, the Canadian Defence Lawyers and the Canadian Insurance Claims Managers Association. It includes content on breach notification statutory changes and notable case law. Slides below.
Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.
On June 27, the Superior Court of Québec certified a class action about the alleged intrusive nature of free applications offered through Apple’s “App Store.”
The petitioner alleges that Apple breached various Québec statutes by failing to inform users that free applications would facilitate the collection and use of their personal information, including their “geolocation.” The petitioner also claims that individuals were harmed (a) by the loss of computing resources and (b) by being led to overpay for their Apple devices, such devices being “inextricably linked” to undesirable characteristics associated with free applications distributed through the App Store. The petitioner asked the Court to grant certification so he could prosecute Apple on on behalf of all residents in Canada who downloaded free applications from December 1, 2008 to present.
Apple attacked the action’s suitability for certification on a number of bases. Most fundamentally, it complained that the action provided for an “infinite variety of classes” – for example (and at the least), classes of individuals who were exposed to applications with different information-gathering characteristics. Nonetheless, the Court granted certification of a Québec only class. Its analysis is very forgiving, especially in addressing Apple’s (very valid) concerns about the individualized nature of a consent dispute, which the Court dismissed as follows:
In the Court’s view, all of the Respondents’ arguments regarding the consent or lack thereof, the voluntary provision of information by Class Members and other similar elements that distinguish Class Members between them can be raised by them in their defence or alternatively when dealing with the « lien de causalité ».
Hat tip to BLG and its privacy law blog for this post.
On June 10th, the Ontario Superior Court of Justice approved a settlement in a class action brought against Sony of Canada Ltd. and others. The action (for breach of contract) followed an April 2011 cyber attack that targeted accountholder information of approximately 4.5 million individuals enrolled in various Sony online services. The following is the Court’s summary of the settlement:
- Class Members who had a credit balance in their PSN or SOE account at the time of the Intrusions but have not used any of their accounts shall receive cash payments for credit balances.
- The Sony Entities will make available online game and service benefits to class members geared principally to the type of account (PSN, Qriocity, and/or SOE) held by the class member at the time of the Intrusions.
- The settlement benefits are available through a simple process. To become entitled to benefits, Class Members need only to complete a claim form.
- The Sony Entities will reimburse any Class Members who can demonstrate that they suffered Actual Identity Theft, as defined in the Settlement Agreement. Class Members that prove Identity Theft can submit claims for reimbursement of out-of-pocket payments (not otherwise reimbursed) for expenses that are incurred as a direct result of the Actual Identity Theft, up to a maximum of $2,500.00 per claim.
- The Sony Entities are to pay for the costs associated with providing notice of the Settlement Agreement and the settlement approval hearing, all administration costs, as well as an agreed amount for plaintiffs’ lawyers’ fees and expenses ($265,000).
The parties sent a notice of certification and notice of motion for settlement approval to 3.5 million e-mail addresses. Fifteen percent of the e-mails were returned as undeliverable, 28 individuals opted out and nobody objected.
Justice Perell noted that the agreement was premised on the understanding that there has in fact been no improper use of personal information resulting in identity theft. He also said, “The Settlement Agreement reflects the state of the law, including possible damage awards, for breach of privacy/intrusion upon seclusion and loss/denial of service claims.”
Data loss prevention and response is a big topic now! The HRSDC lost hard drive is about a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – such attention given at a time in which sacrifices are being made to corporate network security based on trends such as BYOD.
Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.