This document provides an information management update for in-house counsel. It summarizes recent developments in several areas: privilege issues and recent case law developments around when communications are protected; data security, privacy breaches, and the rise of privacy class actions; assessing threats and violence prevention as an information management issue; and managing medical information with clear roles and consent processes. It also discusses challenges around personal use of work systems and accessing business information.
An information management update for in house counsel
1. An Information Management Update
for In-House Counsel
September 19, 2012
F. Cesario, D. Michaluk, A. Tibble
2. Outline
• Access to business system information
• Privilege issues and recent developments
• Data security, breach response and privacy class actions
• Workplace threat assessment as information management
• Medical information management – essentials and developments
4. The ideal – single purpose systems
[Diagram labels: Mine; Yours]
5. The reality – significant intermingling
• Personal use of work systems puts personal
information side-by-side work information
• BYOD puts work information on personal devices
• Cloud computing puts your work system on a computer with
others’ work systems
6. The problem – bad policy
• “The content of an email account will only be entered
in a case where significant cause exists, or if the
company can show that it has some evidence of
illegal or serious infractions of policy or applicable
legislation.”
7. The problem – bad law
• CACE asks this Court to re-balance employer and
employee interests. To strike a proper balance, the
Court should give significant weight to the primary
function of a work-issued computer and should
recognize that a work-issued computer is only one
part of a work information system that must be
routinely accessed by an employer for a variety of
legitimate reasons.
(CACE factum in R v Cole)
8. One solution – more law and policy
• You deal with data security in your cloud
contracts. Have you dealt with audit and
investigation requirements?
• Your acceptable use policies must be clear that
personal use is conditional on specific and
detailed rights and requires a sacrifice of personal
autonomy
9. Other more fundamental solutions
• Revert to a no personal use rule
• Segregate the data created by personal use from
the data created by work use (this is what BYOD
technology and policy attempts to do)
11. Privilege
• Protecting privilege for confidential
communications is an important consideration
• What is privileged?
• How can you protect those communications and
avoid pitfalls?
12. Reis v CIBC Mortgages Inc (2011, Master)
• In response to a human rights complaint, in-house
counsel requested an employee to conduct an
internal investigation and prepare notes
• Notes were relied on in preparing the company’s
response to the HRTO … company relied on the
response in discovery in the civil action
• Plaintiff argued that reliance on the response
constituted waiver of privilege with respect to notes
13. Reis v CIBC Mortgages Inc (2011, Master)
• Court held that
• reliance on response did not waive privilege
attaching to the notes
• information/facts in notes were not privileged
• opinions, conclusions, and recommendations
of investigator are privileged
14. Humberplex Developments (2011, Master)
• In response to prospective legal action, the
corporation required that all related documents be
copied to in-house counsel
• The corporation then claimed privilege for all the
documents and refused to produce them
15. Humberplex Developments (2011, Master)
• Court held that
• merely copying a lawyer to the communication did
not automatically make it privileged
• where documents are prepared for simultaneous
review by legal and non-legal personnel, the primary
purpose of the document is not the securing of legal
advice
16. L’Abbe v Allen-Vanguard (2011, Master)
• Action for misrepresentation arising out of a share
purchase agreement – defence of “due diligence”
• Plaintiffs claimed privilege for 6,000 documents
including all communications with legal advisors
(including in-house counsel)
17. L’Abbe v Allen-Vanguard (2011, Master)
Court held that:
• By implicitly putting due diligence at issue, the
plaintiff waived privilege over legal advice integral
to the pre-closing inquiries and searches
• Blanket claims of privilege over communications
with general counsel were denied. Privilege could
only attach if the content of the document contained
legal advice.
18. Discussion Scenario 1
In-house counsel orders an investigation and a report on a
workplace incident raising allegations of harassment and
discrimination
Issues to consider:
• Is the report privileged?
• Who prepared the report?
• Who conducted the investigation?
• Who directed the investigation and reporting process?
• Does the privilege attach to the report or the underlying facts?
19. Discussion Scenario 2
In-house counsel is copied to a variety of internal communications in the
lead up to litigation.
Issues to consider:
• Are the communications privileged?
• Are they protected by solicitor-client privilege or litigation privilege?
• Which parties are involved in the communication?
• What is the subject and purpose of the communication?
20. Discussion Scenario 3
External counsel is attached to a variety of communications with the client.
These communications are also copied to third parties.
Issues to consider:
• What are the circumstances where privilege can be lost?
• Will forwarding opinions or communications to "outside" individuals
result in waiver of privilege?
• Will forwarding communications to experts or consultants result in
waiver?
22. The horror story of the day
• Elections Ontario
• Two USB keys lost (1.4 to 2.4 million electors)
• Middle management signoff on questionable
protocol featuring secure use of USB keys
• Protocol not followed by employees
• Supervisors worked remote from site, didn’t
understand what encryption was
• IPC report focuses on systemic failures
23. Information governance best practices
• Risk assessment structures
• Intrusion detection and security audit structures
• Records management
• Human resources policy
• Physical transfer of personal information policy
• Disposal procedures
• Privacy breach procedures
24. Then there’s the low hanging fruit
• Company issued
• USB keys
• Laptops and portable devices
• Sending work home
• Bad actors in IT
• Recycling versus shredding
What are you doing to prevent a breach?
Have you met the reasonable in-house lawyer standard?
25. The service provider risk
• An organization is accountable for the handling of
personal information by its service providers
• Key providers to legal = external counsel,
litigation support and forensic support
• Due diligence = duly diligent selection, contracting
and relationship administration
26. The service provider risk
• Questions
• To what degree does the reasonable organization
trust its external counsel because they are external
counsel?
• Is it reasonable to let external counsel subcontract
parts of the discovery process without becoming
engaged? What are the appropriate controls?
27. Data security, breach response and
privacy class actions – Implications for
your organization
28. Data breach class action activity
• We are aware of eight claims issued in 2012
• Seven for data loss
• One for improper collection
• We are aware of five claims issued in 2011
• Three for data loss
• Two for improper collection
• The CBA national class action database shows
comparatively little activity before 2010
29. Rowlands v Durham Region (2012, ONSC)
• Lost USB key – personal and confidential info of 83,524
people who had received H1N1 shot
• Claim that info could be used to facilitate identity theft
• Class action certified and settlement approved
• “It is now probable that no one has the missing USB key . . .
This case, it bears emphasizing, would look far different
if information from the lost USB key had been abused
by a wrongdoer.”
30. Mazzonna v DaimlerChrysler (2012, QSC)
• Lost data tape: personal info (name, address,
SIN)
• Petitioner alleged “inconvenience, pain, suffering
and/or fear” due to the loss of personal info
• Motion for certification of class action dismissed
• Petitioner did not meet test that she suffered
damages: “inconveniences were negligible”
• NB: other elements of test were satisfied
31. Implications for in-house counsel
• Move the data loss risk up on your list
• How will the company demonstrate due diligence?
• Should we be conducting periodic audits?
• Does the company have adequate insurance coverage?
• Take control of the potential liability through your breach
reporting protocol
• Have a strong internal reporting duty
• Set out clear decision-making accountability
• Set out authority to promptly obtain expert assistance
33. An organization’s duty of care
• Worker protection duties
• Take all reasonable precautions
• Acquaint worker and supervisors with hazards
• Duty to warn workers about the risk of violence in
narrow circumstances
• Parallel duties to others (students, customers…)
under common law and Occupiers’ Liability Act
34. Violence prevention as info management
• Violence prevention through employment screening, physical security and crisis response
• Plus duty to process information (threat assessment)
[Diagram labels: Event that reasonably reveals a safety threat; Threat Inquiry (Reliable Evidence); Threat Assessment Process (Defensible Thought); Threat Management (Sound Response); (Threat Assessment)]
35. Violence prevention as info management
• Getting the “input” right is a challenge. The
standard of care probably requires a form of
surveillance, but what’s the scope?
36. Threat assessment process must be sound
• Reasonable assessment in all the circumstances,
especially considering time
• Fact based and investigative
• Team based and multi-disciplinary (HR, Legal,
Security, OH&S)
• Qualified by knowledge and experience of assessors
• Collaborative (with subject) when feasible
• Documented
37. Recent lessons – set mandate very clearly
38. Recent lessons – careful handoff to police
• When you don’t have the control normally
associated with internal matters
• What to do
• Convey all relevant facts (behaviors, risk factors,
victim impact)
• May convey defensible opinions (with credentials)
• Outline the limits of your resources, your jurisdiction
39. Key readings
• The Final Report and Findings of the Safe School
Initiative (US Secret Service and DOE, 2002)
• Workplace Violence – Issues in Response (US FBI,
2004)
• Workplace Violence Prevention and Intervention
(ASIS/SHRM WVP1.1-2011)
• Clinical Risk Management (Sainsbury Centre for
Mental Health, 2000)
41. Key considerations
• Define the roles - employer, employee, third party
administrator
• Education - inform employees of party roles
• Consent forms
• File management
42. Role definition
[Diagram labels: Employer; Medical Advisor; Employee; HCP]
43. Telus Inc and TWA (2011, Goodfellow)
• Arbitrator says grievor retains fundamental control over
highly private information in custody of employer
• To prepare for arbitration, an employer should seek
employee consent
• Question – Why can’t an employer rely on its prior
obtained consent to receive and use the information for
employment-related purposes?
• In practice – We need to get better about the consent
obtained at the time information is received.
44. Complex Services Inc (2012, Surdykowski)
• Arbitrator Surdykowski says
• Jones v Tsige does not alter the rules for obtaining
employee medical information in employees’ favour
• Law is clear and is set out in
• Hamilton Health Sciences (2007, Surdykowski)
• Providence Care (2011, Surdykowski)