All About Information

In quite the coincidence, we’ve recently been retained on back-to-back domain name hijacking files, which compelled me to write a client bulletin that has just been published here. I generally try not to be very strident in these types of communications, but its such an aggressive form of malfeasance that I’m afraid its hard to hide the fact that I’m impassioned in my concern. Hope the bulletin is of interest!

On June 11th, the Alberta Court of Appeal held that a judge erred in ordering the production of hard drive images that contained patient files.

The case is about a public health authority’s right to audit files held by one of its former service providers, and in particular, its right of access to files of patients whose treatment the authority only partly funded. These patients also received privately-funded services, but only had one patient record with the service provider, which raised an issue about the authority’s right to look at the files in the course of an audit. This issue was initially litigated up to the Alberta Court of Appeal in 2006.  The Court of Appeal held that the authority had no right of access to the “hybrid files” under public law, but did not consider the authority’s contractual right of audit.

The access dispute was revived again when the service provider sued the authority for unlawfully seeking access to the hybrid files and forcing it to defend its clients’ privacy rights through litigation.  Several computer hard drives containing hybrid files that were imaged in the original dispute and stored at the court were central to the action.  The authority revived its attempt at accessing the hybrid files by filing a counterclaim in which it alleged breach of contract and breach of fiduciary duty. It made a vague allegation in its pleadings that the service provider was double-billing, but did not plead fraud.  (It had no evidence of fraud because any such evidence could only be revealed on an examination of the hybrid files themselves.)

A case management judge ordered the hard drives to be produced to the authority in specie (in their actual form) with a direction not to print or take notes of anything irrelevant and in reliance of the no collateral use rule embedded in the implied undertaking.  The Court of Appeal held this order was made in error and that the authority’s vague pleadings of fraud did not give it a right to the hybrid files.

The Court of Appeal’s judgement (written by Madam Justice Conrad) contains some very principled statements on e-discovery.  She held that a party to litigation will not ordinarily get access to a hard drive, which is simply a receptacle for information.  This is not new, but Madam Justice Conrad also suggested that a judge has a duty to protect irrelevant, confidential and private materials in the event of a production dispute.  She also stressed that orders to inspect a hard drive will only be made on “strong evidence” that a party is attempting to thwart the discovery process and, further, that a court that orders inspection of a hard drive should still ensure that irrelevant and confidential information is protected.  Referring to the order made in 2007 by the Alberta Court of Queen’s Bench in Spar Aerospace (subsequently upheld on appeal), she said:

While I agree with Madam Justice Veit’s decision, I would add a caveat. Even in circumstances where it is clear that a litigant is thwarting the litigation process, and the court deems it appropriate to order production of a hard drive, measures should be taken to protect disclosure of irrelevant and immaterial information which the producing party objects to produce. Although litigation confidentiality exists, many times that will not be sufficient to protect personal, confidential and private material. A judge should always hear representations as to how information that is neither material nor relevant can be protected from exposure, and frame any production order in the least intrusive manner.

Madam Justice Conrad then held that there was no basis justifying an inspection order in the circumstances, that the service provider’s pleading did not put the entire content of the hard drives at issue and that concerns about the cost of separating the records on the hard drive were not established or were at least premature.

The Court also held that the action did not give the authority a right of disclosure that extended to the hybrid files.  It held that the dispute was about the scope of a contractual right of audit and not an allegation of fraud despite the vague allegations pleaded in authority’s counter claim.  It seemed clear to the Court that the authority was attempting to seek what it ultimately wanted (a look at the hybrid files) by the way in which it pleaded its counterclaim.  Madam Justice Conrad said the authority was on a “fishing expedition.”

While an obviously significant e-discovery case, this also says something about records management, the need for third-party access and potential conflicts with personal privacy rights.  If the authority’s funding contract demanded that patient records for funded services be separately maintained, this dispute might have been avoided.

Innovative Health Group v. Calgary Health Region, 2008 ABCA 219 (CanLII).

I had the honour of presenting today at the Canadian Association of Career Educators and Employers national conference. My topic was called “The law and ethics of recruiting in a wired world,” and we spent most of the session talking about online speech. The discussion ranged and was great throughout, but the time we spent on recruiting and online speech was extremely enlightening thanks to the great attendee input.

I broke the recruiting and online speech issues into privacy issues and employment issues.

On privacy, I suggested that authorization, accuracy and openness are the most relevant fair information practices. I urged the participants to consider what reasonable steps a recruiter should take to ensure the accuracy of personal information collected from online sources and used in making recruiting decisions. I also suggested that the openness requirement demands that candidates know that their publicly available information may be collected in the recruiting process. On further thought, the necessity principle is also highly relevant, and I think recruiters are naturally inclined to respect the rule, “If the information is not needed, don’t ask the question.” Applying the necessity principle to the online search issue, it seems to me that such a recruiting tactic can only be justified where the job raises a reasonable possibility of conflict between an employee’s online presence and his or her job duties.

On employment law, I started with a thought about addressing foreseeable conflicts of interest at the outset of the employment relationship. For employees who have personal blogs, for example, I suggested that employers would benefit by assessing them for potential conflicting interests and resolving potential conflicts as part of contracting for employment. Sensible and fair, but doesn’t this entail looking into candidates’ online presence as part of the recruiting process? In this regard, my suggestion caught the audience slightly off-guard because they were all very wary of the potential for human rights liability associated with using the internet to screen candidates. True enough!

You see, recruiting processes are typically structured to minimize the risk of considering irrelevant and discriminatory factors. They are also purposely staged so that discriminatory factors that are relevant are considered later in the hiring process. Based on anecdotes from members of the audience, it seems to be that the online speech phenomenon is disrupting these processes and causing recruiters to lose control of the information that becomes part of an assessment. We heard stories of recruiters who are being sent information from groups supporting student candidates that use new media very creatively, but contain pictures and all sorts of personal information that a recruiter would never require of candidates. It’s not that this information is necessarily related to one or more of the personal characteristics protected under human rights legislation, but when you don’t know exactly what information you’re going to get there’s certainly a heightened risk of of poisoning your pool of assessment information with irrelevant information that could be used as the basis for a discrimination complaint.

The idea of Google searching candidates also raises difficult records management issues. A defendant in a hiring dispute wants to be able to say, “Everything we considered is in the file.” Add an internet search into the assessment process and, unless there is a rigorously-enforced and forensically sound protocol for recording the search on the formal record, the electronic discovery burden of defending a hiring dispute will be relatively significant.

Despite all the risks, I’m hesitant to take an absolute position against collecting information about candidates’ online presence. If a candidate has an online presence that could conflict with the fulfillment of his or her job duties, doesn’t the diligent employer take reasonable steps to find that out before entering an employment contract? One way to reduce the human rights risk is to conduct the search near the end of the assessment process as a form of background check. There are likely other means of managing the human rights risk, which is not to discount the steps that should also be taken in order to ensure respect fair information practices.

If anyone can work out a model that enables employers to use relevant and available information about candidates in a manner that respects individual privacy and human rights, it has got to be the great group of professionals from CACEE that I was able to join today. Again, it was an honour!

On February 27th, the New Brunswick Court of Queen’s bench dismissed a counterclaim because the plaintiff (by counterclaim) had allowed documents that the defendant required for its defence to be destroyed.

After terminating its franchise agreement with the defendant, the plaintiff transferred a job order file on an over-bid construction project to the new franchisee, who destroyed the file. The defendant (by counterclaim) did not allege bad faith, but alleged that the plaintiff ought to have instructed the new franchisee to safeguard the files, which were essential to its defence. The Court rejected the plaintiff’s claim that the defendant did not call an available witness in favour of raising its spoliation defence. It also held that the plaintiff had a duty to preserve the job order files that was bolstered by its own termination letter, which said it would make the records available to the defendant in the event of litigation.

Elliott v. Trane Canada Inc., 2008 NBQB 79.

On November 23rd, the Saskatchewan Court of Queen’s Bench held there is no independent tort of spoliation in dismissing a claim against a doctor for destroying patient charts and other hospital records.

The Court dismissed the claim because there was no duty to preserve the records at the time they were destroyed, which was before litigation was filed, apparently pursuant to a routine records management process and in accordance with a compliant records retention period. The Court did not comment on whether litigation was reasonably foreseeable at the time the records were destroyed.

In the alternative, the Court cited the British Columbia Court of Appeal’s decision in Endean v. Canadian Red Cross Society for the proposition that spoliation is only a rule of evidence, not an independent tort. It did not deal with the Ontario Court of Appeal’s decision in Spasic (Estate) v. Imperial Tobacco Ltd., where the Court held it was not plain and obvious that a pleading based on the tort of spoliation discloses no reasonable cause of action and therefore that claims based on the tort should be allowed to proceed to trial.

Galenzoski v. Awad, 2007 SKQB 436 (CanLII).

Here’s a new feature that I’ll resolve to keep with for the next while. Every one or two weeks I’ll post a handful of articles or blog posts that have caught my interest and are related to the subject matter of this blog. Here are some from my holiday readings (in no particular order):

• Alan Taneja, Buying typical storage for video surveillance? Rethink that! A nice synopsis of new records management issues associated with video surveillance.
• David Hecheler, Lockheed Employee’s YouTube Video Sounds Ethics Alarm. A thorough account of the story of whistleblower Michael DeKort.
• Ron Ashkenas, Simplicity-Minded Management from the December 2007 Harvard Business Review. About simplifying business structures, products and business processes. The processes part has a bit about information management, which reminded me of a comment that came up in a recent conversation with a friend of mine who’s a GC. It went something like, “The mass of available information and the pace of business is leading to a crises of quality decision making.” I like this topic.
• Kelly D. Talcott, Cutting out Privacy in the Office. Locking down work e-mail systems, the subject of this article, is a hugely important issue. I’d like to thank my managing partner, Stephen Shamie, for passing this one on.
• Joe Bartling, Post-Termination Employment Forensics. Very prescriptive blog post on an important topic.
• Ralph Losey, Best Buy Wins Key e-Discovery Ruling in Fraud Case. Here’s Mr. Losey’s summary of the much-discussed Best Buy Stores L.P. v. Developers Diversified Realty Corp. e-discovery award, a case on the duty to preserve a litigation database that is likely to be useful in subsequent litigation.

Enjoy!

On December 15th, the federal Minister of Labour proposed a regulation that will permit federally-regulated employers to issue electronic pay statements. Currently, employers without seeking a ministerial exemption.

The government is relying on the provision in Part 2 of the Personal Information Protection and Electronic Documents Act that deems a legal requirement that a document be in writing to be satisfied by an electronic document where (among other things) a regulation establishing the conditions for use of an electronic document is put in place.

The proposed regulation establishes the following conditions for use:

• the employer must inform each employee where electronic pay statements are stored
• the pay statement must be readable and printable only by the employee
• the pay statement must remain accessible by the employee through electronic means for a period of at least three years from the first date it is made available
• the pay statement must be readable and printable on a computer and printer to which the employer shall provide the employee with private access

The Regulatory Impact Analysis Statement and the proposed regulation can be found here.

What happens when someone puts his or her electronic documents on another’s computer system, gets locked out and then wants the documents back?

This is a common problem today, and often arises in the context of departing employee disputes. It also engages one of the more interesting developing legal issues within this blog’s domain: do the traditional property torts - trespass, detinue and conversion - protect rights associated with intangible property?

While this could be the subject of a good paper, I’d simply like to point out a couple of developments South and North of the border.

In the United States, the New York Court of Appeals recently issued an opinion in Thyroff v. Nationwide Mutual Assurance Company in which it held that the tort of conversion should apply to intangible property - an insurance agent’s customer list in the circumstances in dispute.

There’s no judgement of equivalent strength in Canada yet, but the Prince Edward Island Supreme Court - Trial Division issued a decision in July called HZPC Americas Corp. that is consistent with the direction endorsed in Thyroff. (HZPC has not yet been published on CanLII.) In rejecting the defendant’s motion to strike a conversion claim, the Court challenged the traditional idea that an owner’s ability to control intangible property (including confidential business information) is not sufficient to justify application of the tort. It said:

The Defendants refer to infringement of intellectual property while the Plaintiff refers to conversion of commercial property interests. The Plaintiff’s claim is not based on infringement of a statutory right in intellectual property; but rather is classified by it as a proprietary right in commercial property. It is not necessary for the Plaintiff to plead or rely upon legislative provisions to pursue its claim based on a common law tort. The federal legislation can be viewed as providing additional benefits, and not exhausting a person’s civil remedies.

The Court quoted Professor David Vaver, who says that the traditional view is “pettifoggery” - a sure signal that there will be more on this issue to come.

In this United Kingdom departing employee case from this June, the High Court held that an employer had exclusive ownership of a contact list alleged by an employee to be his personal contact list because it was maintained on its computer system.

The defendant was a journalist who worked in trade publication and conference buisnesses for a number of years before joining the claimant, who operated a similar business. He gave evidence that he maintaned a personal contact list, updated it from time to time, and had over eight years of editorial and industry contacts amassed when he commenced employment with the claimant. Nine years later, and after transferring the list to an MS Outlook database maintained by the claimant and adding work-related contacts, the defendant left with two other employees to start a competing business. In addition to suing to recover damages for the defendant’s pre-departure breach of loyalty and fidelity, the claimant disputed his ownership of the list.

Although it held that the company had not effectively incorporated its computer use policy into the defendant’s contract of employment, the court nonetheless found it had exclusive ownership of the list. It made the following broad statement:

I am satisfied that where an address list is contained on Outlook or some similar program which is part of the employer’s e-mail system and backed up by the employer or by arrangement made with the employer, the database or list of information (depending whether one is applying the Database Regulations or the general law) will belong to the employer…

In all those circumstances, I find that such lists will be the property of the employer and may not be copied or removed in their entirety by employees for use outside their employment or after their employment comes to an end.

Because this is not likely to be appreciated by many employees, it is in my judgment highly desirable that employers should devise and publish an e-mail policy…

In the absence of such a laid down policy, I next have to consider the status of contact details which have been put on to an employer’s system by an employee for their own use outside their employment, in ignorance of the fact that they would thereby become part of the Claimant’s property…

In my judgment it is reasonable to imply in the absence of any laid down guidance a term that an employee will at the end of their employment be entitled to take copies of their own personal information and, where the information is person [sic.] and confidential to them, such as details of their doctor, banker or legal adviser, to remove them from the employer’s system.

Most forms of e-mail system will permit the creation of compartmentalised address books, so that ordinarily an employee will be able to put their own personal contact details of friends, relations, and the like into a personal address book. In those circumstances, in the absence of clear evidence of an e-mail policy, I would be inclined to the view that ownership of that part of the database resided with the employee…

In assessing the facts, the Court held that the defendant copied the entire mixed list for the purpose of competing with the defendant and that it would not be appropriate for it to parse the list. It ordered the sequestered database to be delivered up to the claimant and enjoined the defendant from using it except for contact information “known by other means.”

Pennwell Publishing (UK) Ltd v. Ornstien, [2007] EWHC 1570 (QB).

In some chance timing given the release of the report on the Canadian investigation into the TJX breach, I presented today at a lunch meeting of the Association of Certified Forensic Investigators of Canada together with David Malamed of Grant Thonrton. We called the presentation “Data Breach Response: A Multidisciplinary Perspective.”

This is the first presentation David and I have given on an project we started at the beginning of the summer together with Karen Gordon, an expert crises communicator from Squeaky Wheel Communications. The idea we are promoting is that organizations should be using multi-disciplinary teams to manage breach response and, whether internal or external experts are used, the team should be defined in a formal breach response plan.

I’ve posted a copy of the presentation here.