Legal Privilege and Data Security Incident Response – Law and Practice

I’m off to a cyber conference in Montreal this week to sit on a panel about threat exchanges. My role will be to address the legal risks associated with sharing threat information and a university’s ability to effectively assert a confidentiality interest in the same information. I’m genuinely interested in the topic and have prepared not just one, but two papers!

Here is the first one – a nuts and bots presentation on privilege and data security incident response. I hope it is useful to you. Feedback welcome through PMs.

NIST’s recommended password policy evolves

As imperfect a means of authentication as they are, “memorized secrets” like passwords, pass phrases and PINs are common, and indeed are the primary means of authentication for most computer systems. In June, the National Institute of Standards and Technology issued a new publication on digital identity management that, in part, recommends changes to password policy that has become standard in many organizations – policy requiring passwords with special characters.

Here is what the NIST says:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and may be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorize secrets SHOULD be imposed.

The NIST believes that the complexity derived from special characters is of limited benefit to security, yet creates (well known) useability problems and promotes “counterproductive” user behaviour – writing passwords down or storing them electronically in plain text. It’s better, according to the NIST, to allow for long passwords (that may incorporate spaces) and use other protective measures such as password blacklists, secure hashed password storage and limits to the number of failed authentication attempts.

The NIST publication includes other related guidance, including a recommendation against routine password resetting.

NIST Special Publication 800-63B – Digital Identity Guidelines (June 2017)

Saskatchewan health authority criticized for slow incident response

Good incident response involves nailing your timing – not going too fast or too slow. 

On August 17th the Saskstchewan Information and Privacy Commissioner held that a health authority breached the Saskatchewan Health Information Privacy Act by failing to respond to an incident in a timely manner. 

The Commissioner’s report does describe a dilatory response – with a discovery of “snooping” in mid October 2015, an investigation that led to a paid suspension at the end of January 2016, notification to the Commissioner at the end of February 2016, notification to the Commissioner towards the end of March that the breach was bigger than first reported and eventual notification to affected individuals in July 2016. 

Think and don’t react, and you can even pause to momentarily to gain confidence in a next critical step, but always keep the ball moving.

Investigation Report 030-2016 (17 August 2016, Sask OIPC).  

USB key treated as a private receptacle by labour tribunal – but why?

On March 29th the Grievance Settlement Board (Ontario) held that a government employer did not breach its collective agreement or the Charter by examining a USB key that it found in the workplace.

They key belonged to an employee who used it to store over 1000 files, some of which were work-related and allegedly confidential and sensitive. Remarkably, the employee also stored sensitive personal information on the key, including passport applications for his two children and a list of his login credentials and passwords. The key was not password protected and not marked in any way that would identify it as belonging to the employee.

The employee lost the key in the workplace. The employer found it. An HR employee inserted they key in her computer to read its contents. She identified the key as possibly belonging to the employee. She gave the key to the employee’s manager, who inserted it in his computer on several occasions. The manager identified that the key contained confidential and sensitive information belonging to the employer. The manager then ordered a forensic investigation. The investigation led to the discovery of a draft of an e-mail that disparaged the manager and had earlier been distributed from an anonymous e-mail account.

The GSB held that the employee had a reasonable expectation of privacy – one so limited as not to be as “pronounced” as the expectation recognized in R v Cole. The GSB also held, however, that the employer acted with lawful authority and reasonably. The reasonableness analysis contains some helpful statements for employers, most notably the following statement on the examination of “mixed-use receptacles” (my words):

The Association argues that the search conducted by Mr. Tee was “speculative” and constituted “rummaging around” on the USB key. It asserts that if Mr. Tee had been interested in finding files which might contain government data, he would have or should have searched directories which appeared to be work related, such as EPS, TPAS or CR. I do not find this a persuasive argument. As noted in R. v. Vu, in discussing whether search warrants issued in relation to computers should set out detailed conditions under which the search might be carried out, such an approach does not reflect the reality of computers: see paras. 57 and 58. Given the ease with which files can be misfiled or hidden on a computer, it is difficult to predict where a file relevant to an inquiry will be found. It may be filed within a directory bearing a related name, but if the intention is in fact to hide the file it is unlikely that it will be. Further, the type of file, as identified by the filename extension, is not a guarantee of contents. A photograph, for example can be embedded in a Word document. Provided that the Employer had reasonable cause to view the contents of the USB key in the first place (as I have found there was in this case), an employee who uses the same key for both personal and work related purposes creates and thereby assumes the risk that some of their personal documents may be viewed in the course of an otherwise legitimate search by the employer for work related files or documents.

I learned about this case shortly before it was decided and remarked that it was quite bizarre. I couldn’t fathom why anyone would be so utterly irresponsible to store such sensitive information on a USB key. This is one reason why I’m critical of this decision, which treats this employee’s careless information handling practice as something worthy of protection. The other reason I’m critical of  this decision is that it suggests the expectation of privacy recognized in Cole is higher than contemplated by the Supreme Court of Canada – which remarked that Richard Cole’s expectation of privacy was not “entirely eliminated” by the operational realities of the workplace. Not all of our dealings with information demand privacy protection, and in my view we need to make the reasonable expectation of privacy threshold a real, meaningful threshold so management can exercise its rights without unwarranted scrutiny and litigation.

I also should say that it’s very bad to stick USB keys found lying around (even in the workplace) into work computers (or home computers), at least without being very careful about the malware risk. That’s another reason why USB keys are evil.

Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v Ontario (Government and Consumer Services), 2016 CanLII 17002 (ON GSB).

Criminal reference checks for current hospital employees ruled improper

In a decision from last May that just came to my attention, Arbitrator Stout ruled that a hospital’s policy that required all current employees to undertake vulnerable sector criminal record checks violated its nurses collective agreement. 

Although British Columbia legislation supports periodic checks on vulnerable sector employees, the hospital’s policy was first of its kind in the Ontario hospital sector. Ontario employer’s have had difficulty justifying such checks. Arbitrator Picher’s comment about the distinction between pre-employment and in-employment checks in City of Ottawa is both authoritative and restrictive. 

The person who presents himself or herself at the door of a business or other institution to be hired does so as a stranger. At that point the employer knows little or nothing about the person who is no more than a job applicant. In my view, the same cannot be said of an individual who has, for a significant period of time, been an employee under the supervision of management. The employment relationship presupposes a degree of ongoing, and arguably increasing, familiarity with the qualities and personality of the individual employee. The employer, through its managers and supervisors, is not without reasonable means to make an ongoing assessment of the fitness of the individual for continued employment, including such factors as his or her moral rectitude, to the extent that it can be determined from job performance, relationships with supervisors and other employees, and such other information as may incidentally come to the attention of the employer through the normal social exchanges that are common to most workplaces. On the whole, therefore, the extraordinary waiver of privacy which may be justified when a stranger is hired is substantially less compelling as applied to an employee with many months, or indeed many years, of service.

Mr. Picher did state that in-employment checks can be used for employees exercising “particularly sensitive functions.” 

In this case, Arbitrator Stout held that the employer had not proven a “current problem” or “real risk.” Arbitrator Stout was also significantly influenced by the structural problem with vulnerable sector checks – i.e. they return sensitive “non-conviction information” for which employers generally have no need.

Rouge Valley Health System v Ontario Nurses’ Association, 2015 CanLII 24422 (ON LA).

Cybersecurity and data loss (short presentation)

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of  “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.

How to manage a data security incident – Ten tips from a breach practitioner

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

  1. Initiate response ASAP
  2. Don’t rest on assumptions
  3. Keep the ball moving
  4. Don’t rush
  5. Obtain objective input
  6. Obtain technical input
  7. Take a broad view of notification
  8. Put yourself in their shoes
  9. Demonstrate commitment to doing better
  10. Apologize

Enjoy!

Ontario arbitration award addresses remedy for privacy violation

On February 24th the Grievance Settlement Board (Ontario) held that an employer should provide a grievor with three days’ paid vacation as a remedy for the consequences of an (admitted) security breach. The breach apparently allowed other employees to read incident reports involving the grievor, who alleged this caused him psychological distress. The GSB made its finding after conducting an informal med-arb process.

Ontario Public Service Employees Union (Grievor) v Ontario (Liquor Control Board of Ontario), 2015 CanLII 14198 (ON GSB).

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee

On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.

Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.

The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.

Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:

41      Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42      The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43      Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44      This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.
45      Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”
Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.

Ontario and OPSEU, Re, 2015 CarswellOnt 3885.

BC OIPC addresses network security and endpoint monitoring

Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.

The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”

The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).

The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.

The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.

Investigation Report F15-01, 2015 BCIPC No. 15.