One-hour presentation to an IT security and law enforcement audience on how access to information legislation and related pressures affect public bodies in Canada.
5. Cyber, secrecy and the public body
Outline
• FOI legislation and data security
• Transparency and public sector incident response
• Privilege protection and incident response
FOI basics
• Presumptive right of access to all records in “custody or control”
  • Security assessments, network maps, log data…
• Subject to exemptions that correspond to interests
  • Economic harm
  • Endangerment to “system or procedure established for the protection of items”
  • Advice and recommendations
  • Legal privilege
Why the FOI burden is onerous
• Harms-based exemptions require proof of harm – less than likely but more than a mere possibility (“the Merck standard”)
• Advice and recommendations exemption is narrowly construed and does not shield facts
• Legal privilege won’t apply to business records, policy documents and most other operational records
“Threat shifting” and other harms
• Exploitation of an identified weakness – harm is plain
• Threat shifting = the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures (NIST)
• Harder case for harm relates to descriptive facts about your network – the more basic, the more obvious, the harder to make a case for harm
“Threat shifting” and other harms
• Information successfully withheld
  • Security scans, threat evaluations and possible weaknesses (PO-3300)
  • Specific risks and details from an information system PIA (PO-2765)
  • Location of a data centre (PO-3670)
  • Drive names, LAN schematics, URLs (F17-23)
  • Network config information and security settings (F15-03)
“Threat shifting” and other harms
• Information ordered to be released
  • Name, model and description of database server (PO-1822)
  • List of cellphone numbers (F2013-13)
  • User IDs (F-15-72)
Practical thoughts
• Treat information that is security-sensitive as security-sensitive (classification schemes will help)
• Do not underestimate the burden of proving harm in an FOI appeal
Transparency and public sector incident response
The impact of transparency
• Consider this scenario
  • SharePoint configuration error
  • Non-sensitive personal information exposed internally for four months
  • Fairly hard to discover
  • No logs, no other evidence of exposure
Hicks Morley’s simple notification framework
• Ask:
  • Statutory duty?
  • Foreseeable, significant harm?
  • People may find out anyway?
  • Very special relationship warrants disclosure?
• If yes > 1 notify.
What the public sector wants
• To notify
• To work proactively with the regulator
• To make a police complaint
• To share threat information
Be smart in sharing threat information
• You need to share it rapidly to be useful
• Consider sharing through an exchange
• If shared directly
  • Mark it confidential
  • But assume it is no longer confidential
• Understand the risks and share away
Legal privilege basics
• No production, exempt from litigation
• Two primary types
  • Legal advice
  • Litigation
• Rest on secrecy – can be waived
Standard privilege and communication protocol
• Lawyer at the center of the process (which should be the exception, triggered by reasonably contemplated litigation, and not the rule)
• Lawyer as advisor, advising in contemplation of litigation
• Lawyer retains vendors, for lawyer’s purpose
• Vendor reports to lawyer, lawyer advises client, all team communications highly confidential
• Internal communications limited to administrative and other “safe” communications
Hicks Morley’s three boxes
• Public box
  • Track every fact that you disclose to the public in releases and notifications (internal and external)
  • Record the wording of your representations
• Threat sharing box
  • Reliable facts conveyed in confidence for threat sharing purposes
• Private box
  • Everything else (deliberations, questionable facts and theories)
LifeLabs litigation
• Privilege claim is valid, though protection of vendor communications rests (in part) on foreseeability of litigation
• Being litigated by LifeLabs in BC and Ontario
• Problematic decision in the Ontario litigation turns on how the privilege claim was made
Cyber, secrecy and the public body
May 5, 2020
Dan Michaluk