In praise of cyber response transparency (and in defence of the “breach coach”)

Wired Magazine published an article last week about school cyber attacks in the United States that was wholly denigrating of the role of cyber incident response counsel – “breach coaches.” Wired’s theme was that schools are using their lawyers to deprive parents, students, and the public of information. Wired has inspired this post, though I will say little more about it than “Don’t believe everything you read.” Rather, I will be positive, and explain that transparency is at the center of good cyber incident response and that breach counsel enable transparency through clear, accurate, and timely communication.

We must communicate to manage

Let us start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. But without making light of it, I will say that there is lots of “drama” associated with most major cyber incidents today that renders incident response about more than containment and eradication.

Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You will have many stakeholders descending on you from time zero, and every one of them wants one thing – information. You do not have a lot of that to give them, in the early days at least, but you have got to give them what you can.

In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what has happened and what you are doing about it. It means reporting to law enforcement. It means sharing threat information with peers. It means getting your message out.

This is crisis communication best practice. If smoke is billowing from your house and the public has questions, the public will make its own story about your fire if you say nothing, and any obfuscation risks blowback. You must, as best you can, get your message out.

Let’s get privilege straight

Lawyers love privilege, but we may not do a good enough job at helping the public understand why it is so important, and why it is not inimical to transparency.

There are two types of privilege.

Solicitor-client privilege is the strongest form of privilege. A confidential communication between lawyer and client that relates to the giving or receiving of legal advice (in the broadest sense) is privileged.

Litigation privilege works a little differently, and is quite important for giving a person who is in litigation or who contemplates litigation a “zone of privacy” in which to prepare, strategize and plan free from an adversary’s scrutiny.

Privilege is a powerful tool for organizations because it shields communications from everyone – an adversary in litigation, a freedom of information requester, a regulator.

This is for good reason: privilege allows for good legal advice on complicated, high stakes problems. If litigation is pending or anticipated, it also allows for the adversaries to be adversaries, which contributes to the truth seeking function of adjudication. Privilege is hallowed, and recognized by our courts as central to the rule of law.

Privilege, though, applies to communications, not to facts that have an independent existence. Is your head exploding yet? Let me explain this tricky idea.

Say an incident leads to the discovery of four facts – Fact A, Fact B, Fact C and Fact D. There is a question about whether those four facts prove data exfiltration of a particular set of data. Lawyer and client can communicate with each other to develop an understanding of that legal question. The lawyer can advise the client about what the evidence means, whether inferences can be drawn, and how the evidence is likely to be interpreted by a judge or a regulator. The lawyer may give an answer – “no exfiltration” – but also explain the strengths and weaknesses of taking that position. All the evaluation and advice – the communication – is privileged, but Fact A, Fact B, Fact C, and Fact D are not. In incident response, those facts are normally embodied in the forensic artifacts collected and preserved by the forensic investigator or collected in communications with the threat actor(s). Those artefacts and communications are producible in litigation and producible to a regulator, which allows others to examine them, engage in analysis (that may replicate the analysis that occurred under privilege), and draw their own conclusions. What an adversary or regulator cannot do is piggyback on solicitor-client communications to understand how the lawyer and client viewed all the nuance of the issue.

This is an important point to understand because it answers some unfounded concerns that privilege is a tool of obfuscation. It is not.

Privilege must be respected, though. There’s a now famous case in Canada in which an organization attempted to claim that recorded dialog with a threat actor was privileged because the communication was conveyed to counsel by an expert retained by counsel. The Court rightly held this was overreach. The threat actor dialog itself is fact. The same goes for forensic timelines. They are privileged because they are recorded in privileged reports. In litigation, this does help put some burden on an adversary to analyze the evidence themselves and develop their own timeline. But it’s unwise to tell a regulator, “I’m not giving you a timeline because the only place it’s recorded is in my privileged report.” Withhold the precise framing of the timeline in your report. Keep any conclusory elements, evaluations, and qualifications confidential, too. But give the regulator the facts. That’s all they want, and it should spare you a pointless privilege dispute.

From the zone of privilege to the public

I explain to our incident response clients that we work with them in a zone of privacy or privilege that is a safe communication zone. It is like a staging area for evidence, where we can sit with evidence, understand it, and determine what is and is not fact. The picture of an incident is formed slowly over time based on investigation. Things that seem the case are often not the case, and assumptions are to be relied upon cautiously.

It is our role, as counsel, to advise the client on what is safe to treat as fact. Once fact, it can be pushed out of the zone of privilege to the public in communications. It is at this point the communication will live on the public record and be used as evidence, so we carefully vet all such communication by asking four questions:

  • Is there any speculation? Are all facts accurately described? Are all facts clearly described?
  • Are there commitments/promises? Are they achievable?
  • Does the communication accurately convey the risk? If it raises alarm or encourages action, is that justified? Or will we cause stress for no good reason?
  • Does the communication reveal anything said under privilege (which can waive privilege)?

Our duty is to our client, and our filter is to protect our client, but it also benefits the public because it ensures that incident communications are clear and reliable. This is hard work, and the heavy scrutiny that always comes later can reveal weaknesses even in word choice. But by and large, organizations with qualified incident response counsel achieve transparency and engender stakeholder and public understanding and confidence.

Good notification takes time

Any organization whose network is compromised can contain the incident, and then an hour later announce, “If you have ever been employed with us or been a client of ours, your information may have been stolen.” This will almost always be a true statement, but it’s also a meaningless and vast over-notification. Good legal counsel lead their clients to investigate.

Investigation takes time. Determining what has been taken, if anything, is the first step. If you do that well, it can take about a week. But that is only the start. Imagine looking at a listing of 453,000 files, delivered to you by a threat actor without any file path metadata. The question: who is affected? Your file share is encrypted, so you do not even have readable copies of the files yet.

Is it any wonder that organizations notify weeks and months after they are attacked? You cannot rightly blame the lawyers or their clients for this. It is hard work. If an organization elects to spend six figures and four months on e-discovery to conduct file level analysis, it will be able to send a letter to each affected individual that sets out a tailored list of exposed data elements. Our regulator in Ontario has called this “the standard,” at the same time opening the door to more generalized notifications. We are moving now to population based notifications, while still trying to be meaningful. Consider the following:

All individuals who received service x between date 1 and date 2 are affected. The contact information of all such individuals has been exposed (phone, e-mail and address as provided). About a third of the individuals in this population provided an emergency contact. The identity of this person and their phone number was also exposed.

I am explaining this because time to notify is the easiest thing on which to criticize an organization. Time to notification is visible, and far easier to understand than it is to explain to mass audiences with the kind of descriptions I have made here. Believe me, though, it is a very demanding challenge on which incident response counsel spend significant time and energy with their clients and data processing vendors, all with the aim of giving earlier and meaningful notifications.

Conclusion

Cyber incident response counsel are essential for effective and transparent incident management. They facilitate clear communication, crucial for stakeholder confidence and the fulfilment of obligations. Privilege, often misunderstood, enables open lawyer-client communication, improving decision-making. It’s not a tool to hide facts. Counsel guide clients through investigations and notifications, ensuring accuracy and avoiding speculation. Notification delays often stem from the complex process of determining breach scope and identifying affected individuals. Counsel help balance speed and quality of notification, serving their clients first, but also the public.

Alberta Court says Charter precludes statutory compulsion to identify scrap metal sellers

On January 23rd, the Alberta Court of Justice held that the provisions of the Alberta Scrap Metal Dealers and Recyclers Identification Act that require scrap metal dealers to identify scrap metal sellers and transmit their information to government for law enforcement purposes violate the Charter prohibition against unreasonable search.

The Act requires sellers of scrap metal to identify themselves by the provision of the following information: first name, surname, current municipal address, government-approved identification, the name of the individual seller’s business, if applicable, and the specific make, model, colour, and license plate of the vehicle in which the scrap metal was transported to the dealer by the individual.

For transactions involving “restricted metals” (including materials containing bronze and copper), dealers must transmit this information within 24 hours. To whom this transmission goes is significant. The Act says the transmission is to go to law enforcement in the manner prescribed. The regulation, though, establishes the government as the data holder and stipulates:

The Minister may require that peace officers and law enforcement agencies are granted access to the database referred to in subsection (2), provided that the disclosure of information in the database pertains to the discharge of the peace officer’s or law enforcement agency’s powers, duties or obligations under the Act.

The Court said the defence met its onus to prove the search was unreasonable. It noted that the Crown had not adduced evidence – in the form of “studies” – to justify the scheme, and held that the law that affords government latitude in regulatory searches ought no longer apply and, in any event, did not apply because the scrap metal scheme is targeted at everyone in the province rather than those who choose to enter a regulated sphere. The Court suggested that Albertans have no option to dispose of scrap metal without selling it, ultimately finding a violation and declining to apply the Act because the scheme was overbroad, intrusive and unjustified.

I’m prepared to assume a scrap metal theft problem in Alberta, and don’t have a conceptual problem with the identification of scrap metal sellers. I am not convinced by the Court’s handling of the regulatory context jurisprudence. The idea of routine transmission of transaction data directly to law enforcement does give me pause, but the statute doesn’t quite invite that given the provision I’ve quoted above. This is a point the Court did not address.

The decision is reminiscent of the Court of Appeal for Ontario’s decision in Cash Converters, in which it nullified a City of Oshawa bylaw as conflicting with MFIPPA, at the same time adopting and endorsing the IPC’s strict necessity test. The onus in Cash Converters, notably, was on the City.

R v Khairullah, 2025 ABCJ 14 (CanLII).

Court shields file path information from the public (and threat actors), addresses scope of s-c privilege

On November 7th, the Newfoundland and Labrador Supreme Court issued an access to information decision with some notable points.

First, the Court held that a public body validly redacted file path information from a document set based on the security of a computer system exemption to the public right of access. The public body adduced good evidence that the paths could be used by threat actors to (a) generate usernames amenable to brute forcing or similar attacks, (b) identify domain administrators, and (c) map the network, all creating a real and non-speculative risk of attack. The finding is based on the evidence, but there is nothing unique about the risk that the Court recognized.
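As an added, defensive illustration of the kind of path metadata the Court allowed to be withheld (this is example code written for this post, not anything from the decision or the public body): a small Python filter that finds file paths in a release set, redacts them, and records for the reviewer what each path would have exposed (a hostname from a UNC path, a username from a profile or home directory, a hint of an administrative account). The sample records are constructed, and the path patterns and the “admin” heuristic are assumptions of the example rather than anything the Court described.

```python
import re

# Constructed sample records (not from the decision): a fragment of an index
# listing the kind of file-path metadata an access request might sweep up.
SAMPLE_LINES = [
    r"Record 1: \\FS01.corp.example.ca\Finance\2023\budget.xlsx",
    r"Record 2: C:\Users\jdoe\Documents\memo.docx",
    r"Record 3: \\DC01\SYSVOL\corp.example.ca\Policies\DomainAdmins\notes.txt",
    "Record 4: /home/asmith/notes.txt",
    "Record 5: Meeting scheduled for Tuesday at 10:00.",
]
SAMPLE_TEXT = "\n".join(SAMPLE_LINES)

# One alternation covering the path shapes that typically leak structure:
# UNC paths (\\host\share\...), drive-letter paths (C:\Users\...) and
# POSIX home directories (/home/<user>/...). A path component ends at
# whitespace, ';' or ','. These patterns are an assumption of the example.
PATH_RE = re.compile(
    r"\\\\[^\\\s;,]+(?:\\[^\\\s;,]+)*"            # UNC: first component is a hostname
    r"|\b[A-Za-z]:\\(?:[^\\\s;,]+\\)*[^\\\s;,]*"  # drive-letter path
    r"|/home/[^/\s;,]+(?:/[^/\s;,]*)*"            # POSIX home directory
)
USER_DIR = re.compile(r"(?i)[\\/]users?[\\/]([^\\/\s;,]+)")  # \Users\<name>\
HOME_DIR = re.compile(r"/home/([^/\s;,]+)")                   # /home/<name>/
ADMIN_HINT = re.compile(r"(?i)admin")  # crude heuristic for privileged-account hints


def find_paths(text: str) -> list[str]:
    """Return every file path found in text, in order of appearance."""
    return [m.group(0) for m in PATH_RE.finditer(text)]


def path_exposures(path: str) -> dict:
    """Describe what a single path would reveal to an outside reader:
    a hostname (from a UNC path), a username (from a profile or home
    directory) and whether the path hints at an administrative account."""
    exposures = {}
    if path.startswith("\\\\"):
        exposures["hostname"] = path[2:].split("\\", 1)[0]
    m = USER_DIR.search(path) or HOME_DIR.search(path)
    if m:
        exposures["username"] = m.group(1)
    if ADMIN_HINT.search(path):
        exposures["admin_hint"] = True
    return exposures


def redact_paths(text: str, placeholder: str = "[file path redacted]"):
    """Replace every path with placeholder. Returns (redacted_text, report),
    where report lists each removed path and what it would have exposed, so
    the redaction can be justified record by record."""
    report = []

    def _replace(m: re.Match) -> str:
        path = m.group(0)
        report.append({"path": path, **path_exposures(path)})
        return placeholder

    return PATH_RE.sub(_replace, text), report


if __name__ == "__main__":
    redacted, report = redact_paths(SAMPLE_TEXT)
    print(redacted)
    for entry in report:
        print(entry)
```

The report is the useful output: it is the evidentiary basis for a redaction like the one upheld here, tying each removed path to the specific exposure (host, account, administrative role) it would have created. Real release sets will carry path forms beyond these three, so the patterns need to be tuned to the document set rather than trusted as written.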

Second, the Court affirmed a decision to apply the privilege exemption based on a solicitor-client privilege claim and despite a dispute between the public body and the Newfoundland Information and Privacy Commissioner about the scope of the so called “continuum of communication.” The Court held the following communications were within the protected continuum:

  • E-mail messages between non-lawyers that were subsequent to the direct giving and receiving of legal advice about “process and timing” (and up the e-mail thread).
  • Drafts of documents known to be subject to editing by legal counsel and from which “an informed reader could readily infer what legal counsel had advised.”
  • Notes, questions and references in documents made by an individual who gave evidence that she received legal advice in relation to all the notes, questions and references.

This finding is as sound as it is protective in my view.

Newfoundland and Labrador (Treasury Board) v. Newfoundland and Labrador (Information and Privacy Commissioner), 2024 NLSC 147 (CanLII)

BC arbitrator finds privacy violation arises out of employer investigation

On October 31, British Columbia labour arbitrator Chris Sullivan awarded $30,000 to a union based on a finding that an employer unnecessarily investigated statements made by a union president in a video that the union claimed to be confidential. He based this award on a breach of the anti-union discrimination provision in the collective agreement, the union interference provision in the BC Labour Relations Code, and a breach of the BC Freedom of Information and Protection of Privacy Act.

The union posted the video on YouTube without password protection. The union president testified, “that he first attempted to use the private setting for posting videos to the website, but this proved difficult to use as he had to manually enter a great deal of information in order to utilize this setting.” He posted the video openly, but rendered it unsearchable, and posted a confidentiality warning on the YouTube account and embedded a confidentiality warning in the video. The latter warning stated, “[this] video content is considered confidential and intended solely for ATU members.”

A union member leaked the URL for the video to someone in management who did not wish to be identified, who in turn reported the video to another member of management, stating, “you should check this out, it goes against what you are trying to build at transit.” That manager used the URL to watch the video and make a copy, ultimately disciplining the president for what he said in the video (later settling for a without prejudice disciplinary withdrawal). When the union demanded the employer destroy its copy, the employer asserted that it had obtained the video from a union member and that it was searchable on YouTube, both proven to be incorrect.

The crux of Arbitrator Sullivan’s finding is that the employer had no basis for investigating. He said:

Mr. Henegar had received only the Post-it note, followed by a conversation, with a supervisor/manager of the Employer, who did not want their identity revealed. On its own terms, the Employer’s Harassment and Respectful Workplace Policy was not engaged against Mr. Neagu, as no formal complaint was ever made against him, nor was he provided with any details of a complaint including the identity of a complainant as is required by that Policy. Mr. Neagu’s comments as Local Union President in the YouTube Video did not warrant an Employer investigation on any reasonable basis.

The employer and union had agreed that the video contained the union president’s personal information, so it followed from the above finding that the employer had collected the video in breach of FIPPA given the collection was not “necessary.”

This was a debacle. If the employer had watched the video and stopped, I suspect it would have been found to be blameless. (Recall that it withdrew its disciplinary charge in a without prejudice settlement that had a plainly prejudicial impact on the outcome.) There were also too many other bad facts that bore upon the employer, including the fact it did not (or felt it could not) disclose the identity of the management employee who raised the video as a concern, and the facts that showed its entire premise for proceeding with investigation and discipline was flawed – my reading of the facts, not that of Arbitrator Sullivan, who held that management’s assertions were intentionally dishonest.

I don’t like this privacy finding for two reasons. First, having not seen the video, I question whether a speech from a union president to union members contains the president’s personal information. Second, Arbitrator Sullivan affirmed the president’s expectation of privacy despite the president’s election not to secure the video through the best means possible. As those who follow this blog know, I’m a fan of using the waiver/abandonment doctrine to incentivize good security practices and hold users accountable for bad security practices. That was not done in this case, though Arbitrator Sullivan’s affirmation was obiter.

The damages award is large for a privacy case, but it was driven by a finding that the employer engaged in a serious interference with union rights.

Corporation of The District of West Vancouver v Amalgamated Transit Union, Local 134, 2024 CanLII 124405 (BC LA)

New privacy framework for Charter-bound employers

I was up at the crack of dawn today to burn down to Cape May, New Jersey for the DeSatnick Foundation Paddle Around the Cape Race this Sunday. (It’s still not too late to donate.) I listened to the Supreme Court of Canada’s York Region District School Board decision between Allentown PA and the NJ border. It’s significant, but thankfully only in a technical sense – not changing the balance between employee privacy and management rights. I’ll explain.

Of course, this is the case about a series of “searches” conducted by a school principal in an attempt to manage a workplace called “toxic” by labour arbitrator Gail Misra, who held the principal’s searches were justified. I put “searches” in quotes because the term is a technical one in the section 8 Charter jurisprudence, which Arbitrator Misra referred to but didn’t apply very well. Any criminal lawyer or judge reading her decision would quickly pick out Arbitrator Misra’s jurisprudential flaws. These flaws are what ultimately led the majority of the Supreme Court of Canada to quash her decision.

Along the way the Court unanimously (and finally?) held that the Charter applies to school boards (Ontario ones, at least). It said, “Public education is inherently a governmental function. It has a unique constitutional quality, as exemplified by s. 93 of the Constitution Act, 1867 and by s. 23 of the Charter. Ontario public school boards are manifestations of government and, thus, they are subject to the Charter under Eldridge’s first branch.”

Given Charter application, the majority held that Arbitrator Misra erred by balancing interests under the privacy test long employed by arbitrators and endorsed by the Supreme Court of Canada in Irving Pulp and Paper – a derivative of the famous KVP test. She was bound to apply the section 8 Charter framework, the majority said, and do so correctly.

So Charter-bound employers, like law enforcement, must not conduct unreasonable searches. The test is two part. There must be a “search,” which will only be so if there is a “reasonable expectation of privacy.” And then the search must be “reasonable.” This is a highly contextual test that encompasses a balancing of interests, and a labour arbitrator’s balancing will be subject to review on the correctness standard.

Non Charter-bound employers – like Irving – will continue to live under the balancing of interest test and KVP. As to whether that will result in different outcomes, the majority suggests it may not: “The existing arbitral jurisprudence on the “balancing of interests”, including the consideration of management rights under the terms of the collective agreement, may properly inform the balanced analysis.”

I’ve said here before that privacy law should be unified such that the concepts that bear upon section 8 analysis are used by labour arbitrators. This judgement grants my very wish. It should lend predictability to otherwise unpredictable balancing by labour arbitrators, as should correctness review. And although non Charter-bound employers will have a notionally different framework, I expect that arbitrators will strive for unification.

And there is nothing in the judgement that alters the management-employee balance or elevates workplace privacy rights. To the contrary, it erases a Court of Appeal for Ontario judgement that one could argue was too insensitive to the principal’s interest in dealing with a serious workplace problem.

This very short and informal post (which is plainly influenced by my one-day vacation) is made strictly in my personal capacity.

York Region District School Board v. Elementary Teachers’ Federation of Ontario, 2024 SCC 22 (CanLII).

Online proctoring report a must read for Ontario institutions

Online proctoring software was critical to higher education institutions during the heart of the pandemic. Though less significant today, the report of findings issued by the Information and Privacy Commissioner/Ontario last week about McMaster University’s use of online proctoring is an important read for Ontario public sector institutions – with relevant guidance on IT contracting, the use of generative AI tools and even the public sector necessity test itself.

The necessity test

To be lawful, the collection of personal information by Ontario public sector institutions must be “necessary to the proper administration of a lawfully authorized activity.” The Court of Appeal for Ontario adopted the IPC’s interpretation of the test in Cash Converters in 2007. It is strict, requiring justification to collect each data element, and the necessity standard requires an institution to establish that a collection is more than “merely helpful.”

The strictness of the test leaves one to wonder whether institutions’ business judgment carries any weight. This is a particular concern for universities, whose judgement in academic matters has been given special deference by courts and administrative decision-makers and is protected by a FIPPA exclusion that carves out teaching and research records from the scope of the Act. It does not appear that McMaster argued that the teaching and research records exclusion limited the IPC’s jurisdiction to scrutinize its use of online proctoring, but McMaster did argue that it, “retains complete autonomy, authority, and discretion to employ proctored online exams, prioritizing administrative efficiency and commercial viability, irrespective of necessity.”

The IPC rejected this argument, but applied a form of deference nonetheless. Specifically, the IPC did not question whether the University’s use of online proctoring was necessary. It held that the University’s decision to employ online proctoring was lawfully authorized, and only considered whether the University’s online proctoring tool collected personal information that was necessary for the University to employ online proctoring.

This deferential approach to the Ontario necessity test is not self-evident, though it is the same point that the University of Western Ontario prevailed on in 2022 in successfully defeating a challenge to its vaccination policy. In Hawke v Western University, the Court declined to scrutinize the necessity of the University’s vaccination policy itself; the only questions invited by FIPPA were (a) whether the University’s chosen policy was a lawful exercise of its authority, and (b) whether the collection of vaccination status information to enforce the chosen and lawful policy was necessary.

To summarize, the authority now makes clear that Ontario institutions get to set their own “policy” within the scope of their legal mandates, even if the policy invites the collection of personal information. The necessity of the collection is then measured against the purposes of the chosen lawful policy.

IT contracting

It is common for IT service providers to reserve a right to use the information they process in providing services to institutions. Institutions should appreciate whether the right reserved is a right to use aggregate or de-identified information, or a right to use personal information.

The relevant term of use in McMaster’s case was as follows:

Random samples of video and/or audio recordings may be collected via Respondus Monitor and used by Respondus to improve the Respondus Monitor capabilities for institutions and students. The recordings may be shared with researchers under contract with Respondus to assist in such research. The researchers are consultants or contractors to Respondus and are under written obligation to maintain the video and/or audio recordings in confidence and under terms at least as strict as these Terms. The written agreements with the researchers also expressly limit their access and use of the data to work being done for Respondus and the researchers do not have the right to use the data for any other purposes. No personally identifiable information for students is provided with the video and/or audio recordings to researchers, such as the student’s name, course name, institution, grades, or student identification photos submitted as part of the Respondus Monitor exam session.

Despite the (dubious) last sentence of this text, the IPC held that this contemplated a use of test taker personal information for a secondary purpose that was not a “consistent purpose.” It was therefore not authorized by FIPPA.

In recommending that the University secure a written undertaking from the service provider that it would cease to use student personal information for system improvement purposes without consent, the IPC carefully noted that the service provider had published information that indicated it refrains from this use in certain jurisdictions.

In addition to this finding and a number of related findings about the use of test taker personal information for the vendor’s secondary purposes, the IPC held:

  • the vendor contract was deficient because it did not require the vendor to notify the University in the event that it is required to disclose a test taker’s personal data to authorities; and
  • that the University should contractually require the vendor to delete audio and video recordings from its servers on, at minimum, an annual basis and that the vendor provide confirmation of this deletion.

The McMaster case adds to the body of IPC guidance on data protection terms. The IPC appears to be accepting of vendor de-identification rights, but not of vendor rights to use personal information.

Generative AI

While the IPC recognized that Ontario does not have law or binding policy specifically governing the use of artificial intelligence in the public sector, it nonetheless recommended that the University build in “guardrails” to protect its students from the risks of AI-enabled proctoring software. Specifically, the IPC recommended that the University:

  • conduct an algorithmic impact assessment and scrutinize the source or provenance of the data used to train the vendor’s algorithms;
  • engage and consult with affected parties (including those from vulnerable or historically marginalized groups) and those with relevant expertise;
  • provide an opt out as a matter of accommodating students with disabilities and “students having serious apprehensions about the AI-enabled software and the significant impacts it can have on them and their personal information”;
  • reinforce human oversight of outcomes by formalizing and communicating about an informal process for challenging outcomes (separate and apart from formal academic appeal processes);
  • conduct greater scrutiny over how the vendor’s software was developed to ensure that any source data used to train its algorithms was obtained in compliance with Canadian laws and in keeping with Ontarians’ reasonable expectations; and
  • specifically prohibit the vendor from using students’ personal information for algorithmic training purposes without their consent.

The IPC’s approach suggests that it expects institutions to employ a higher level of due diligence in approaching AI-enabled tools given their inherent risks.

Privacy Complaint Report PI21-00001.