An information management update for in house counsel

An Information Management Update
for In-House Counsel

September 19, 2012
F. Cesario, D. Michaluk, A. Tibble

Outline

• Access to business system information
• Privilege issues and recent developments
• Data security, breach response and privacy class
actions
• Workplace threat assessment as information
management
• Medical information management – essentials
and developments

An information management update for in-house counsel

Access to business system
information

The ideal – single purpose systems

Mine Yours


The reality – significant intermingling
• Personal use of work systems puts personal
information side-by-side work information
• BYOD puts work information on personal devices
• Cloud computing puts your work system on a computer with
others’ work systems


The problem – bad policy
• “The content of an email account will only be entered
in a case where significant cause exists, or if the
company can show that it has some evidence of
illegal or serious infractions of policy or applicable
legislation.”


The problem – bad law
• CACE asks this Court to re-balance employer and
employee interests. To strike a proper balance, the
Court should give significant weight to the primary
function of a work-issued computer and should
recognize that a work-issued computer is only one
part of a work information system that must be
routinely accessed by an employer for a variety of
legitimate reasons.
(CACE factum in R v Cole)


One solution – more law and policy

• You deal with data security in your cloud
contracts. Have you dealt with audit and
investigation requirements?
• Your acceptable use policies must be clear that
personal use is conditional on specific and
detailed rights and requires a sacrifice of personal
autonomy


Other more fundamental solutions

• Revert to a no personal use rule
• Segregate the data created by personal use from
the data created by work use (this is what BYOD
technology and policy attempts to do)


Privilege issues and recent
developments

Privilege

• Protecting privilege for confidential
communications is an important consideration
• What is privileged?
• How can you protect those communications and
avoid pitfalls?


Reis v CIBC Mortgages Inc (2011, Master)

• In response to a human rights complaint, in-house
counsel requested an employee to conduct an
internal investigation and prepare notes
• Notes were relied on in preparing the company’s
response to the HRTO … company relied on the
response in discovery in the civil action
• Plaintiff argued that reliance on the response
constituted waiver of privilege with respect to notes


Reis v CIBC Mortgages Inc (2011, Master)

• Court held that
• reliance on response did not waive privilege
attaching to the notes
• information/facts in notes were not privileged
• opinions, conclusions, and recommendations
of investigator are privileged


Humberplex Developments (2011, Master)

• In response to prospective legal action, the
corporation required that all related documents be
copied to in-house counsel
• The corporation then claimed privilege for all the
documents and refused to produce them


Humberplex Developments (2011, Master)

• Court held that
• merely copying a lawyer to the communication did
not automatically make it privileged

• where documents are prepared for simultaneous
review by legal and non-legal personnel, the primary
purpose of the document is not the securing of legal
advice


L’Abbe v Allen-Vanguard (2011, Master)

• Action for misrepresentation arising out of a share
purchase agreement – defence of “due diligence”
• Plaintiffs claimed privilege for 6,000 documents
including all communications with legal advisors
(including in-house counsel)


L’Abbe v Allen-Vanguard (2011, Master)

Court held that:
• By implicitly putting due diligence at issue, the
plaintiff waived privilege over legal advice integral
to the pre-closing inquiries and searches
• Blanket claims of privilege over communications
with general counsel were denied. Privilege could
only attach if the content of the document contained
legal advice.


Discussion Scenario 1
In-house counsel orders an investigation and a report on a
workplace incident raising allegations of harassment and
discrimination

Issues to consider:
• Is the report privileged?
• Who prepared the report?
• Who conducted the investigation?
• Who directed the investigation and reporting process?
• Does the privilege attach to the report or the underlying facts?


In-house counsel is copied to a variety of internal communications in the
lead up to litigation.

Issues to consider:

• Are the communications privileged?
• Are they protected by solicitor-client privilege or litigation privilege?
• Which parties are involved in the communication?
• What is the subject and purpose of the communication?


External counsel is attached to a variety of communications with the client.
These communications are also copied to third parties.

Issues to consider:

• What are the circumstances were privilege can be lost?
• Will forwarding opinions or communications to "outside" individuals
result in waiver of privilege?
• Will forwarding communications to experts or consultants result in
waiver?


Data security, breach response and
privacy class actions – Implications for
you

The horror story of the day

• Elections Ontario
• Two USB keys lost (1.4 to 2.4 million electors)
• Middle management signoff on questionable
protocol featuring secure use of USB keys
• Protocol not followed by employees
• Supervisors worked remote from site, didn’t
understand what encryption was
• IPC report focuses on systemic failures


Information governance best practices

• Risk assessment structures
• Intrusion detection and security audit structures
• Records management
• Human resources policy
• Physical transfer of persona information policy
• Disposal procedures
• Privacy breach procedures


Then there’s the low hanging fruit

• Company issued
• USB keys
• Laptops and portable devices
• Sending work home
• Bad actors in IT
• Recycling versus shredding
What are you doing to prevent a breach?
Have you met the reasonable in-house lawyer standard?


The service provider risk

• An organization is accountable for the handling of
personal information by its service providers
• Key providers to legal = external counsel,
litigation support and forensic support
• Due diligence = duly diligent selection, contracting
and relationship administration


The service provider risk

• Questions
• To what degree does the reasonable organization
trust its external counsel because they are external
counsel?
• Is it reasonable to let external counsel subcontract
parts of the discovery process without becoming
engaged? What are the appropriate controls?


Data security, breach response and
privacy class actions – Implications for
your organization

Data breach class action activity

• We are aware of eight claims issued in 2012
• Seven for data loss
• One for improper collection
• We are aware of five claims issues in 2011
• Three for data loss
• Two for improper collection
• The CBA national class action database shows
comparatively little activity before 2010


Rowlands v Durham Region (2012, ONSC)
• Lost USB key – personal and confidential info of 83,524
people who had received H1N1 shot
• Claim that info could be used to facilitate identity theft
• Class action certified and settlement approved
• “It is now probable that no one has the missing USB key . . .
This case, it bears emphasizing, would look far different
if information from the lost USB key had been abused
by a wrongdoer.”


Mazzonna v DaimlerChrysler (2012, QSC)

• Lost data tape: personal info (name, address,
SIN)
• Petitioner alleged “inconvenience, pain, suffering
and/or fear” due to the loss of personal info
• motion for certification of class action dismissed
• Petitioner did not meet test that she suffered
damages: “inconveniences were negligible”
• NB: other elements of test were satisfied


Implications for in-house counsel
• Move the data loss risk up on your list
• How will the company demonstrate due diligence?
• Should we be conducting periodic audits?
• Does the company have adequate insurance coverage?
• Take control of the potential liability through your breach
reporting protocol
• Have a strong internal reporting duty
• Set out clear decision-making accountability
• Set out authority to promptly obtain expert assistance


Violence prevention as information
management

An organization’s duty of care

• Worker protection duties
• Take all reasonable precautions
• Acquaint worker and supervisors with hazards
• Duty to warn workers about the risk of violence in
narrow circumstances
• Parallel duties to others (students, customers…)
under common law and Occupiers’ Liability Act


Violence prevention as info management
• Violence prevention through employment screening, physical security and crises
response
• Plus duty to process information (threat assessment)

Threat
Threat Inquiry
Threat Assessment Management
(Reliable Process
(Defensible Thought) (Sound
Evidence) (Threat Assessment) Response)
Event that
reasonably
reveals a
safety threat


Violence prevention as info management

• Getting the “input” right is a challenge. The
standard of care probably requires a form of
surveillance, but what’s the scope?


Threat assessment process must be sound

• Reasonable assessment in all the circumstances,
especially considering time
• Fact based and investigative
• Team based and multi-disciplinary (HR, Legal,
Security, OH&S)
• Qualified by knowledge and experience of assessors
• Collaborative (with subject) when feasible
• Documented


Recent lessons – set mandate very clearly


Recent lessons – careful handoff to police

• When you don’t have the control normally
associated with internal matters
• What to do
• Convey all relevant facts (behaviors, risk factors,
victim impact)
• May convey defensible opinions (with credentials)
• Outline the limits of your resources, your jurisdiction


Key readings
• The Final Report and Findings of the Safe School
Initiative (US Secret Service and DOE, 2002)
• Workplace Violence – Issues in Response (US FBI,
2004)
• Workplace Violence Prevention and Intervention
(ASIS/SHRM WVP1.1-2011)
• Clinical Risk Management (Sainsbury Centre for
Mental Health, 2000)


Medical information management

Key considerations

• Define the roles - employer, employee, third party
administrator
• Education - inform employees of party roles
• Consent forms
• File management


Role definition

Medical
Employer
Advisor

Employee HCP


Telus Inc and TWA (2011, Goodfellow)
• Arbitrator says grievor retains fundamental control over
highlight private information in custody of employer
• To prepare for arbitration, an employer should seek
employee consent
• Question – Why can’t an employer rely on the its prior
obtained consent to receive and use the information for
employment-related purposes?
• In practice – We need to get better about the consent
obtained at the time information is received.


Complex Services Inc (2012, Surdykowski)

• Arbitrator Surdykowski says
• Jones v Tsige does not alter the rules for obtaining
employee medical information in employees’ favour
• Law is clear and is set out in
• Hamilton Health Sciences (2007, Surdykowski)
• Providence Care (2011, Surdykowski)


An information management update for in house counsel

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à An information management update for in house counsel

Similaire à An information management update for in house counsel (20)

Plus de Dan Michaluk

Plus de Dan Michaluk (20)

Dernier

Dernier (20)

An information management update for in house counsel