On October 11th, the Court of Appeal for Saskatchewan ordered a defendant to produce an un-redacted copy of an e-mail, thereby providing the plaintiff with the identity of an individual who had reported him as a potential threat.
The Court reviewed the Canadian jurisprudence on redacting information from producible documents, and adopted a modified version of the prevailing view (outside of Alberta and Nova Scotia):
The underlying action was brought by a former employee of SaskPower . SaskPower had received a bomb threat, and as part of its response, identified the plaintiff as a suspect to the local police. The plaintiff sued SaskPower for malicious prosecution and breach of privacy.
SaskPower produced the internal e-mail that identified the plaintiff as a threat, but redacted the name of an employee who had earlier raised concerns – “However [redacted text] came to me with concerns (even before we were aware other the threat came from someone with an accent).”
The Court dismissed the defendant’s argument that relied on informer privilege because SaskPower was not the police and held (in a rather cursory manner) that SaskPower had not met its burden.
The outcome is a good illustration of the test, which is a one-way test that puts the burden on the party resisting production. If the test put more emphasis on the value of the evidence to the proceeding (and balancing), there may have been a different outcome given the public interest in fostering the making of these types of reports.
SaskPower has nice, simple facts for an attempted appeal, the law of production has been in flux in the last decade, and the differing Alberta and Nova Scotia law might help.
On October 3rd, the Ontario’s cyber security Expert Panel issued its report to Minister of Public and Business Service Delivery, Kaleed Rasheed.
His Honour said, “The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors as well as inform future targeted investments in our cyber capabilities and defences.”
Those recommendations are:
Regarding governance: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.
Regarding education and training: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.
Regarding communication: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.
Regarding shared services: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.
Here are three issues of significance to public sector instutions and their insurers.
FIRST, the governance recommendation contemplates more government oversight, including through “a single oversight body, employing a common operating model [and] clearly establishing accountabilities.”
Institutions require more funding to address cyber security risks. This recommendation is positive because it will lay the necessary groundwork.
As suggested by the Expert Panel, the current relationship between government and institutions is somewhat confused. Government is engaged an informal kind of oversight that lacks effectiveness and can rightly put institutions on guard because its measures are unclear. Institutions will benefit from clear and simple accountabilities and – did I say it already? – the funding to meet those accountabilities.
SECOND, the communication recommendation encompasses threat information sharing, with the Expert Panel stating, “Ontario should establish a unified critical information sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.”
This is to rectify what the Expert Panel says is the “unidirectional” flow of threat information, which is reported to government but is not yet “broadly shared across the BPS.” Institutions know that government currently craves the early reporting of threat information, but the perceived benefit is still minimal. The Expert Panel recommendation is positive in that it may lead to their receipt of more timely, more enriched threat information.
THIRD, the shared services recommendation addresses the cyber insurance coverage problem now faced by the public sector. The expert panel states:
There is a form of self-funded cyber coverage available various parts of the Ontario public sector through insurance reciprocals. This coverage is expanding, and the role of reciprocals is becoming more important now that the insurance market has become so hard. Primary coverage by reciprocals, even if limited in scope, can make secondary coverage more obtainable for public sector institutions.
The “breach coaching” reference above gives me pause, though I understand it to be indicative of how the role of expert legal counsel in incident response was borne out of the cyber insurance market (with the term coined by cyber risk and insurance company NetDiligence, I believe).
Breach coaching is simply expert legal advice by another name. It is funded by cyber insurance for those who have coverage, and insurers have required their insureds to use vetted and approved legal advisors in responding to incidents because they understand the risk mitigating (and cost reducing) value of this specialized legal service. Public sector institutions without coverage bear all the same risks as those with coverage, and without proper advice are at great peril. The need for proper legal advice one reason is why it is so important to solve the public sector coverage problem, though institutions dealing with a major cyber incident should not consider legal advice to be optional.