An information management update for in house counsel

An Information Management Update for In-House Counsel

September 19, 2012F. Cesario, D. Michaluk, A. Tibble

An information management update for in-house counsel

Outline

• Access to business system information• Privilege issues and recent developments• Data security, breach response and privacy class

actions• Workplace threat assessment as information

management• Medical information management – essentials

and developments

Access to business system information


Mine Yours

The ideal – single purpose systems


The reality – significant intermingling

• Personal use of work systems puts personal information side-by-side work information

• BYOD puts work information on personal devices• Cloud computing puts your work system on a computer with

others’ work systems


The problem – bad policy

• “The content of an email account will only be entered in a case where significant cause exists, or if the company can show that it has some evidence of illegal or serious infractions of policy or applicable legislation.”


The problem – bad law

• CACE asks this Court to re-balance employer and employee interests. To strike a proper balance, the Court should give significant weight to the primary function of a work-issued computer and should recognize that a work-issued computer is only one part of a work information system that must be routinely accessed by an employer for a variety of legitimate reasons.

(CACE factum in R v Cole)


One solution – more law and policy

• You deal with data security in your cloud contracts. Have you dealt with audit and investigation requirements?

• Your acceptable use policies must be clear that personal use is conditional on specific and detailed rights and requires a sacrifice of personal autonomy


Other more fundamental solutions

• Revert to a no personal use rule• Segregate the data created by personal use from

the data created by work use (this is what BYOD technology and policy attempts to do)

Privilege issues and recent developments


Privilege

• Protecting privilege for confidential communications is an important consideration

• What is privileged?• How can you protect those communications and

avoid pitfalls?


Reis v CIBC Mortgages Inc (2011, Master)

• In response to a human rights complaint, in-house counsel requested an employee to conduct an internal investigation and prepare notes

• Notes were relied on in preparing the company’s response to the HRTO … company relied on the response in discovery in the civil action

• Plaintiff argued that reliance on the response constituted waiver of privilege with respect to notes


Reis v CIBC Mortgages Inc (2011, Master)

• Court held that

• reliance on response did not waive privilege

attaching to the notes

• information/facts in notes were not privileged

• opinions, conclusions, and recommendations

of investigator are privileged


Humberplex Developments (2011, Master)

• In response to prospective legal action, the corporation required that all related documents be copied to in-house counsel

• The corporation then claimed privilege for all the documents and refused to produce them


Humberplex Developments (2011, Master)

• Court held that • merely copying a lawyer to the communication did

not automatically make it privileged

• where documents are prepared for simultaneous

review by legal and non-legal personnel, the primary

purpose of the document is not the securing of legal

advice


L’Abbe v Allen-Vanguard (2011, Master)

• Action for misrepresentation arising out of a share purchase agreement – defence of “due diligence”

• Plaintiffs claimed privilege for 6,000 documents including all communications with legal advisors (including in-house counsel)


L’Abbe v Allen-Vanguard (2011, Master)

Court held that:• By implicitly putting due diligence at issue, the

plaintiff waived privilege over legal advice integral to the pre-closing inquiries and searches

• Blanket claims of privilege over communications with general counsel were denied. Privilege could only attach if the content of the document contained legal advice.


Discussion Scenario 1

In-house counsel orders an investigation and a report on a workplace incident raising allegations of harassment and discrimination

Issues to consider:• Is the report privileged?• Who prepared the report?• Who conducted the investigation?• Who directed the investigation and reporting process?• Does the privilege attach to the report or the underlying facts?



In-house counsel is copied to a variety of internal communications in the lead up to litigation.

Issues to consider:

• Are the communications privileged?• Are they protected by solicitor-client privilege or litigation privilege?• Which parties are involved in the communication?

• What is the subject and purpose of the communication?



External counsel is attached to a variety of communications with the client. These communications are also copied to third parties.

Issues to consider:

• What are the circumstances were privilege can be lost?• Will forwarding opinions or communications to "outside" individuals

result in waiver of privilege?• Will forwarding communications to experts or consultants result in

waiver?

Data security, breach response and privacy class actions – Implications for you


The horror story of the day

• Elections Ontario• Two USB keys lost (1.4 to 2.4 million electors)

• Middle management signoff on questionable

protocol featuring secure use of USB keys

• Protocol not followed by employees

• Supervisors worked remote from site, didn’t

understand what encryption was

• IPC report focuses on systemic failures


Information governance best practices

• Risk assessment structures• Intrusion detection and security audit structures• Records management• Human resources policy• Physical transfer of persona information policy• Disposal procedures• Privacy breach procedures


Then there’s the low hanging fruit

• Company issued• USB keys

• Laptops and portable devices

• Sending work home• Bad actors in IT• Recycling versus shredding

What are you doing to prevent a breach?Have you met the reasonable in-house lawyer standard?


The service provider risk

• An organization is accountable for the handling of personal information by its service providers

• Key providers to legal = external counsel, litigation support and forensic support

• Due diligence = duly diligent selection, contracting and relationship administration


The service provider risk

• Questions• To what degree does the reasonable organization

trust its external counsel because they are external

counsel?

• Is it reasonable to let external counsel subcontract

parts of the discovery process without becoming

engaged? What are the appropriate controls?

Data security, breach response and privacy class actions – Implications for your organization


Data breach class action activity

• We are aware of eight claims issued in 2012• Seven for data loss

• One for improper collection

• We are aware of five claims issues in 2011• Three for data loss

• Two for improper collection

• The CBA national class action database shows comparatively little activity before 2010


Rowlands v Durham Region (2012, ONSC)

• Lost USB key – personal and confidential info of 83,524 people who had received H1N1 shot

• Claim that info could be used to facilitate identity theft• Class action certified and settlement approved• “It is now probable that no one has the missing USB key . . .

This case, it bears emphasizing, would look far different if information from the lost USB key had been abused by a wrongdoer.”


Mazzonna v DaimlerChrysler (2012, QSC)

• Lost data tape: personal info (name, address, SIN)

• Petitioner alleged “inconvenience, pain, suffering and/or fear” due to the loss of personal info

• motion for certification of class action dismissed• Petitioner did not meet test that she suffered

damages: “inconveniences were negligible”• NB: other elements of test were satisfied


Implications for in-house counsel

• Move the data loss risk up on your list

• How will the company demonstrate due diligence?

• Should we be conducting periodic audits?

• Does the company have adequate insurance coverage?• Take control of the potential liability through your breach

reporting protocol

• Have a strong internal reporting duty

• Set out clear decision-making accountability

• Set out authority to promptly obtain expert assistance

Violence prevention as information management


An organization’s duty of care

• Worker protection duties• Take all reasonable precautions

• Acquaint worker and supervisors with hazards

• Duty to warn workers about the risk of violence in

narrow circumstances

• Parallel duties to others (students, customers…) under common law and Occupiers’ Liability Act


Violence prevention as info management

• Violence prevention through employment screening, physical security and crises response

• Plus duty to process information (threat assessment)

Process(Threat Assessment)

Event that reasonably

reveals a safety threat

Threat Inquiry(Reliable Evidence)

Threat Assessment(Defensible Thought)

Threat Management

(SoundResponse)


Violence prevention as info management

• Getting the “input” right is a challenge. The standard of care probably requires a form of surveillance, but what’s the scope?


Threat assessment process must be sound

• Reasonable assessment in all the circumstances, especially considering time• Fact based and investigative

• Team based and multi-disciplinary (HR, Legal,

Security, OH&S)

• Qualified by knowledge and experience of

assessors

• Collaborative (with subject) when feasible

• Documented


Recent lessons – set mandate very clearly


Recent lessons – careful handoff to police

• When you don’t have the control normally associated with internal matters

• What to do• Convey all relevant facts (behaviors, risk factors,

victim impact)

• May convey defensible opinions (with credentials)

• Outline the limits of your resources, your jurisdiction


Key readings

• The Final Report and Findings of the Safe School Initiative (US Secret Service and DOE, 2002)

• Workplace Violence – Issues in Response (US FBI, 2004)

• Workplace Violence Prevention and Intervention (ASIS/SHRM WVP1.1-2011)

• Clinical Risk Management (Sainsbury Centre for Mental Health, 2000)

Medical information management


Key considerations

• Define the roles - employer, employee, third party administrator

• Education - inform employees of party roles• Consent forms• File management


Role definition

Employer

Employee HCP

Medical Advisor


Telus Inc and TWA (2011, Goodfellow)

• Arbitrator says grievor retains fundamental control over highlight private information in custody of employer

• To prepare for arbitration, an employer should seek employee consent

• Question – Why can’t an employer rely on the its prior obtained consent to receive and use the information for employment-related purposes?

• In practice – We need to get better about the consent obtained at the time information is received.


Complex Services Inc (2012, Surdykowski)

• Arbitrator Surdykowski says• Jones v Tsige does not alter the rules for obtaining

employee medical information in employees’ favour

• Law is clear and is set out in• Hamilton Health Sciences (2007, Surdykowski)• Providence Care (2011, Surdykowski)

An Information Management Update for In-House Counsel

September 19, 2012F. Cesario, D. Michaluk, A. Tibble

An information management update for in house counsel

Business

inhouse counsel

work information system

work information byod

work use

notes notes

personal use fromthe

personal use rule

clear thatpersonal use