Cyber, secrecy and the public body
May 5, 2020
Dan Michaluk | Partner, Toronto

The problem

And the paradox

Outline
• FOI legislation and data security
• Transparency and public sector incident response
• Privilege protection and incident response

FOI legislation and data security

FOI basics
• Presumptive right of access to all records in “custody or control”
  • Security assessments, network maps, log data…
• Subject to exemptions that correspond to interests
  • Economic harm
  • Endangerment to “system or procedure established for the protection of items”
  • Advice and recommendations
  • Legal privilege

Why the FOI burden is onerous
• Harms-based exemptions require proof of harm – less than likely but more than a mere possibility (“the Merck standard”)
• Advice and recommendations exemption is narrowly construed and does not shield facts
• Legal privilege won’t apply to business records, policy documents and most other operational records

“Threat shifting” and other harms
• Exploitation of an identified weakness – harm is plain
• Threat shifting = the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures (NIST)
• Harder case for harm relates to descriptive facts about your network – the more basic, the more obvious, the harder to make a case for harm

“Threat shifting” and other harms
• Information successfully withheld
  • Security scans, threat evaluations and possible weaknesses (PO-3300)
  • Specific risks and details from an information system PIA (PO-2765)
  • Location of a data centre (PO-3670)
  • Drive names, LAN schematics, URLs (F17-23)
  • Network config information and security settings (F15-03)

“Threat shifting” and other harms
• Information ordered to be released
  • Name, model and description of database server (PO-1822)
  • List of cellphone numbers (F2013-13)
  • User IDs (F-15-72)

Practical thoughts
• Treat as security-sensitive the information that actually is security-sensitive (classification schemes will help)
• Do not underestimate the burden of proving harm in an FOI appeal

Transparency and public sector incident response

The impact of transparency
• Consider this scenario
  • SharePoint configuration error
  • Non-sensitive personal information exposed internally for four months
  • Fairly hard to discover
  • No logs, no other evidence of exposure

Hicks Morley’s simple notification framework
• Ask:
  • Statutory duty?
  • Foreseeable, significant harm?
  • People may find out anyway?
  • Very special relationship warrants disclosure?
• If yes > 1, notify.

What the public sector wants
• To notify
• To work proactively with the regulator
• To make a police complaint
• To share threat information

Be smart in sharing threat information
• You need to share it rapidly to be useful
• Consider sharing through an exchange
• If shared directly
  • Mark it confidential
  • But assume it is no longer confidential
• Understand the risks and share away

Privilege and incident response

Legal privilege basics
• No production, exempt from litigation
• Two primary types
  • Legal advice
  • Litigation
• Rest on secrecy – can be waived

Standard privilege and communication protocol
• Lawyer at the center of the process (which should be the exception, triggered by reasonably contemplated litigation, and not the rule)
• Lawyer as advisor, advising in contemplation of litigation
• Lawyer retains vendors, for lawyer’s purpose
• Vendor reports to lawyer, lawyer advises client, all team communications highly confidential
• Internal communications limited to administrative and other “safe” communications

Hicks Morley’s three boxes
• Public box
  • Track every fact that you disclose to the public in releases and notifications (internal and external)
  • Record the wording of your representations
• Threat sharing box
  • Reliable facts conveyed in confidence for threat sharing purposes
• Private box
  • Everything else (deliberations, questionable facts and theories)

LifeLabs litigation
• Privilege claim is valid, though protection of vendor communications rests (in part) on foreseeability of litigation
• Being litigated by LifeLabs in BC and Ontario
• Problematic decision in the Ontario litigation turns on how the privilege claim was made
 
The Patents Act 1970 Notes For College .pptx
The Patents Act 1970 Notes For College .pptxThe Patents Act 1970 Notes For College .pptx
The Patents Act 1970 Notes For College .pptx
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
 
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogiAlexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
 

Cyber, secrecy and the public body

  • 1. Cyber, secrecy and the public body. May 5, 2020. Dan Michaluk
  • 2. Dan Michaluk | Partner, Toronto
  • 3. The problem
  • 4. And the paradox
  • 5. Outline
      • FOI legislation and data security
      • Transparency and public sector incident response
      • Privilege protection and incident response
      416.948.6346
  • 6. FOI legislation and data security
  • 7. FOI basics
      • Presumptive right of access to all records in “custody or control”
        • Security assessments, network maps, log data…
      • Subject to exemptions that correspond to interests
        • Economic harm
        • Endangerment to “system or procedure established for the protection of items”
        • Advice and recommendations
        • Legal privilege
  • 8. Why the FOI burden is onerous
      • Harms-based exemptions require proof of harm – less than likely but more than a mere possibility (“the Merck standard”)
      • Advice and recommendations exemption is narrowly construed and does not shield facts
      • Legal privilege won’t apply to business records, policy documents and most other operational records
  • 9. “Threat shifting” and other harms
      • Exploitation of an identified weakness – harm is plain
      • Threat shifting = the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures (NIST)
      • Harder case for harm relates to descriptive facts about your network – the more basic, the more obvious, the harder to make a case for harm
  • 10. “Threat shifting” and other harms
      • Information successfully withheld
        • Security scans, threat evaluations and possible weaknesses (PO-3300)
        • Specific risks and details from an information system PIA (PO-2765)
        • Location of a data centre (PO-3670)
        • Drive names, LAN schematics, URLs (F17-23)
        • Network config information and security settings (F15-03)
  • 11. “Threat shifting” and other harms
      • Information ordered to be released
        • Name, model and description of database server (PO-1822)
        • List of cellphone numbers (F2013-13)
        • User IDs (F-15-72)
  • 12. Practical thoughts
      • Treat security-sensitive information as security-sensitive (classification schemes will help)
      • Do not underestimate the burden of proving harm in an FOI appeal
  • 13. Transparency and public sector incident response
  • 14. The impact of transparency
      • Consider this scenario
        • SharePoint configuration error
        • Non-sensitive personal information exposed internally for four months
        • Fairly hard to discover
        • No logs, no other evidence of exposure
  • 15. Hicks Morley’s simple notification framework
      • Ask:
        • Statutory duty?
        • Foreseeable, significant harm?
        • People may find out anyway?
        • Very special relationship warrants disclosure?
      • If yes > 1, notify.
  • 16. What the public sector wants
      • To notify
      • To work proactively with the regulator
      • To make a police complaint
      • To share threat information
  • 17. Be smart in sharing threat information
      • You need to share it rapidly to be useful
      • Consider sharing through an exchange
      • If shared directly
        • Mark it confidential
        • But assume it is no longer confidential
      • Understand the risks and share away
  • 18. Privilege and incident response
  • 19. Legal privilege basics
      • No production, exempt from litigation
      • Two primary types
        • Legal advice
        • Litigation
      • Rest on secrecy – can be waived
  • 20. Standard privilege and communication protocol
      • Lawyer at the center of the process (which should be the exception, triggered by reasonably contemplated litigation, and not the rule)
      • Lawyer as advisor, advising in contemplation of litigation
      • Lawyer retains vendors, for lawyer’s purpose
      • Vendor reports to lawyer, lawyer advises client, all team communications highly confidential
      • Internal communications limited to administrative and other “safe” communications
  • 21. Hicks Morley’s three boxes
      • Public box
        • Track every fact that you disclose to the public in releases and notifications (internal and external)
        • Record the wording of your representations
      • Threat sharing box
        • Reliable facts conveyed in confidence for threat sharing purposes
      • Private box
        • Everything else (deliberations, questionable facts and theories)
  • 22. LifeLabs litigation
      • Privilege claim is valid, though protection of vendor communications rests (in part) on foreseeability of litigation
      • Being litigated by LifeLabs in BC and Ontario
      • Problematic decision in the Ontario litigation turns on how the privilege claim was made
  • 23. Cyber, secrecy and the public body. May 5, 2020. Dan Michaluk
