An information management update for in house counsel

  • 664 views
Uploaded on

1.5 hour presentation to Canadian in-house legal counsel on information management and privacy issues. Current to September 2012.

1.5 hour presentation to Canadian in-house legal counsel on information management and privacy issues. Current to September 2012.

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
664
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. An Information Management Updatefor In-House CounselSeptember 19, 2012F. Cesario, D. Michaluk, A. Tibble
  • 2. Outline• Access to business system information• Privilege issues and recent developments• Data security, breach response and privacy class actions• Workplace threat assessment as information management• Medical information management – essentials and developmentsAn information management update for in-house counsel
  • 3. Access to business systeminformation
  • 4. The ideal – single purpose systems Mine YoursAn information management update for in-house counsel
  • 5. The reality – significant intermingling• Personal use of work systems puts personal information side-by-side work information• BYOD puts work information on personal devices• Cloud computing puts your work system on a computer with others’ work systemsAn information management update for in-house counsel
  • 6. The problem – bad policy• “The content of an email account will only be entered in a case where significant cause exists, or if the company can show that it has some evidence of illegal or serious infractions of policy or applicable legislation.”An information management update for in-house counsel
  • 7. The problem – bad law• CACE asks this Court to re-balance employer and employee interests. To strike a proper balance, the Court should give significant weight to the primary function of a work-issued computer and should recognize that a work-issued computer is only one part of a work information system that must be routinely accessed by an employer for a variety of legitimate reasons. (CACE factum in R v Cole)An information management update for in-house counsel
  • 8. One solution – more law and policy• You deal with data security in your cloud contracts. Have you dealt with audit and investigation requirements?• Your acceptable use policies must be clear that personal use is conditional on specific and detailed rights and requires a sacrifice of personal autonomyAn information management update for in-house counsel
  • 9. Other more fundamental solutions• Revert to a no personal use rule• Segregate the data created by personal use from the data created by work use (this is what BYOD technology and policy attempts to do)An information management update for in-house counsel
  • 10. Privilege issues and recentdevelopments
  • 11. Privilege• Protecting privilege for confidential communications is an important consideration• What is privileged?• How can you protect those communications and avoid pitfalls?An information management update for in-house counsel
  • 12. Reis v CIBC Mortgages Inc (2011, Master)• In response to a human rights complaint, in-house counsel requested an employee to conduct an internal investigation and prepare notes• Notes were relied on in preparing the company’s response to the HRTO … company relied on the response in discovery in the civil action• Plaintiff argued that reliance on the response constituted waiver of privilege with respect to notesAn information management update for in-house counsel
  • 13. Reis v CIBC Mortgages Inc (2011, Master)• Court held that • reliance on response did not waive privilege attaching to the notes • information/facts in notes were not privileged • opinions, conclusions, and recommendations of investigator are privilegedAn information management update for in-house counsel
  • 14. Humberplex Developments (2011, Master)• In response to prospective legal action, the corporation required that all related documents be copied to in-house counsel• The corporation then claimed privilege for all the documents and refused to produce themAn information management update for in-house counsel
  • 15. Humberplex Developments (2011, Master)• Court held that • merely copying a lawyer to the communication did not automatically make it privileged • where documents are prepared for simultaneous review by legal and non-legal personnel, the primary purpose of the document is not the securing of legal adviceAn information management update for in-house counsel
  • 16. L’Abbe v Allen-Vanguard (2011, Master)• Action for misrepresentation arising out of a share purchase agreement – defence of “due diligence”• Plaintiffs claimed privilege for 6,000 documents including all communications with legal advisors (including in-house counsel)An information management update for in-house counsel
  • 17. L’Abbe v Allen-Vanguard (2011, Master)Court held that:• By implicitly putting due diligence at issue, the plaintiff waived privilege over legal advice integral to the pre-closing inquiries and searches• Blanket claims of privilege over communications with general counsel were denied. Privilege could only attach if the content of the document contained legal advice.An information management update for in-house counsel
  • 18. Discussion Scenario 1In-house counsel orders an investigation and a report on aworkplace incident raising allegations of harassment anddiscriminationIssues to consider:• Is the report privileged?• Who prepared the report?• Who conducted the investigation?• Who directed the investigation and reporting process?• Does the privilege attach to the report or the underlying facts?An information management update for in-house counsel
  • 19. Discussion Scenario 2In-house counsel is copied to a variety of internal communications in thelead up to litigation.Issues to consider:• Are the communications privileged?• Are they protected by solicitor-client privilege or litigation privilege?• Which parties are involved in the communication?• What is the subject and purpose of the communication?An information management update for in-house counsel
  • 20. Discussion Scenario 3External counsel is attached to a variety of communications with the client.These communications are also copied to third parties.Issues to consider:• What are the circumstances were privilege can be lost?• Will forwarding opinions or communications to "outside" individuals result in waiver of privilege?• Will forwarding communications to experts or consultants result in waiver?An information management update for in-house counsel
  • 21. Data security, breach response andprivacy class actions – Implications foryou
  • 22. The horror story of the day• Elections Ontario • Two USB keys lost (1.4 to 2.4 million electors) • Middle management signoff on questionable protocol featuring secure use of USB keys • Protocol not followed by employees • Supervisors worked remote from site, didn’t understand what encryption was • IPC report focuses on systemic failuresAn information management update for in-house counsel
  • 23. Information governance best practices• Risk assessment structures• Intrusion detection and security audit structures• Records management• Human resources policy• Physical transfer of persona information policy• Disposal procedures• Privacy breach proceduresAn information management update for in-house counsel
  • 24. Then there’s the low hanging fruit• Company issued • USB keys • Laptops and portable devices• Sending work home• Bad actors in IT• Recycling versus shredding What are you doing to prevent a breach? Have you met the reasonable in-house lawyer standard?An information management update for in-house counsel
  • 25. The service provider risk• An organization is accountable for the handling of personal information by its service providers• Key providers to legal = external counsel, litigation support and forensic support• Due diligence = duly diligent selection, contracting and relationship administrationAn information management update for in-house counsel
  • 26. The service provider risk• Questions • To what degree does the reasonable organization trust its external counsel because they are external counsel? • Is it reasonable to let external counsel subcontract parts of the discovery process without becoming engaged? What are the appropriate controls?An information management update for in-house counsel
  • 27. Data security, breach response andprivacy class actions – Implications foryour organization
  • 28. Data breach class action activity• We are aware of eight claims issued in 2012 • Seven for data loss • One for improper collection• We are aware of five claims issues in 2011 • Three for data loss • Two for improper collection• The CBA national class action database shows comparatively little activity before 2010An information management update for in-house counsel
  • 29. Rowlands v Durham Region (2012, ONSC)• Lost USB key – personal and confidential info of 83,524 people who had received H1N1 shot• Claim that info could be used to facilitate identity theft• Class action certified and settlement approved• “It is now probable that no one has the missing USB key . . . This case, it bears emphasizing, would look far different if information from the lost USB key had been abused by a wrongdoer.”An information management update for in-house counsel
  • 30. Mazzonna v DaimlerChrysler (2012, QSC)• Lost data tape: personal info (name, address, SIN)• Petitioner alleged “inconvenience, pain, suffering and/or fear” due to the loss of personal info• motion for certification of class action dismissed• Petitioner did not meet test that she suffered damages: “inconveniences were negligible”• NB: other elements of test were satisfiedAn information management update for in-house counsel
  • 31. Implications for in-house counsel• Move the data loss risk up on your list • How will the company demonstrate due diligence? • Should we be conducting periodic audits? • Does the company have adequate insurance coverage?• Take control of the potential liability through your breach reporting protocol • Have a strong internal reporting duty • Set out clear decision-making accountability • Set out authority to promptly obtain expert assistanceAn information management update for in-house counsel
  • 32. Violence prevention as informationmanagement
  • 33. An organization’s duty of care• Worker protection duties • Take all reasonable precautions • Acquaint worker and supervisors with hazards • Duty to warn workers about the risk of violence in narrow circumstances• Parallel duties to others (students, customers…) under common law and Occupiers’ Liability ActAn information management update for in-house counsel
  • 34. Violence prevention as info management• Violence prevention through employment screening, physical security and crises response• Plus duty to process information (threat assessment) Threat Threat Inquiry Threat Assessment Management (Reliable Process (Defensible Thought) (Sound Evidence) (Threat Assessment) Response) Event that reasonably reveals a safety threatAn information management update for in-house counsel
  • 35. Violence prevention as info management• Getting the “input” right is a challenge. The standard of care probably requires a form of surveillance, but what’s the scope?An information management update for in-house counsel
  • 36. Threat assessment process must be sound• Reasonable assessment in all the circumstances, especially considering time • Fact based and investigative • Team based and multi-disciplinary (HR, Legal, Security, OH&S) • Qualified by knowledge and experience of assessors • Collaborative (with subject) when feasible • DocumentedAn information management update for in-house counsel
  • 37. Recent lessons – set mandate very clearlyAn information management update for in-house counsel
  • 38. Recent lessons – careful handoff to police• When you don’t have the control normally associated with internal matters• What to do • Convey all relevant facts (behaviors, risk factors, victim impact) • May convey defensible opinions (with credentials) • Outline the limits of your resources, your jurisdictionAn information management update for in-house counsel
  • 39. Key readings• The Final Report and Findings of the Safe School Initiative (US Secret Service and DOE, 2002)• Workplace Violence – Issues in Response (US FBI, 2004)• Workplace Violence Prevention and Intervention (ASIS/SHRM WVP1.1-2011)• Clinical Risk Management (Sainsbury Centre for Mental Health, 2000)An information management update for in-house counsel
  • 40. Medical information management
  • 41. Key considerations• Define the roles - employer, employee, third party administrator• Education - inform employees of party roles• Consent forms• File managementAn information management update for in-house counsel
  • 42. Role definition Medical Employer Advisor Employee HCPAn information management update for in-house counsel
  • 43. Telus Inc and TWA (2011, Goodfellow)• Arbitrator says grievor retains fundamental control over highlight private information in custody of employer• To prepare for arbitration, an employer should seek employee consent• Question – Why can’t an employer rely on the its prior obtained consent to receive and use the information for employment-related purposes?• In practice – We need to get better about the consent obtained at the time information is received.An information management update for in-house counsel
  • 44. Complex Services Inc (2012, Surdykowski)• Arbitrator Surdykowski says • Jones v Tsige does not alter the rules for obtaining employee medical information in employees’ favour • Law is clear and is set out in • Hamilton Health Sciences (2007, Surdykowski) • Providence Care (2011, Surdykowski)An information management update for in-house counsel
  • 45. An Information Management Updatefor In-House CounselSeptember 19, 2012F. Cesario, D. Michaluk, A. Tibble