The internet as a corporate security
resource – tactics, tools and
techniques
Dan Michaluk
March 19, 2015
This organization has been approved as an Accredited Provider of Professionalism Content by The
Law Society of Upper Canada. This program contains 0.25 Professionalism Hours. This program is
eligible for up to 0.75 Substantive Hours.
Outline
• Legal framework
• Tactics
Legal framework
• Statutory, common law and criminal
• Very contextual analysis about what is and is not
permitted, without a bright line
• Law reduces to one question – is the investigation
tactic reasonable in light of all the circumstances?
• Judges must recognize that investigation requires
some "exploration," but we can't expect a blessing
for aimless probing into private matters ("fishing")
Legal framework
• PIPEDA section 7(1)(b) permits collection without knowledge or consent where:
• it is reasonable to expect that the collection with the
knowledge or consent of the individual would
compromise the availability or the accuracy of the
information and the collection is reasonable for
purposes related to investigating a breach of an
agreement or a contravention of the laws of Canada
or a province
Legal framework
• PIPEDA section 7(1)(d) permits collection of some
kinds of publicly available information, namely the
kinds specified in the Regulations Specifying Publicly
Available Information, which include:
• personal information that appears in a publication,
including a magazine, book or newspaper, in printed
or electronic form, that is available to the public,
where the individual has provided the information
Legal framework
• PIPEDA 7(1)(d)
• The "appears in a publication" requirement will limit,
but there is a question of how much – doesn’t
expressly say "formal publication"
• Addressed in one case that doesn't say much
• Argument – implied consent to collection for some
purposes (e.g., to conduct a threat assessment)
• Consider – applicability of Charter expression right
Legal framework
• Labour arbitrators often recognize a privacy interest
and balance management rights against it
• Courts now can hear a privacy tort claim (intrusion
upon seclusion), whose elements are:
• Unauthorized intrusion
• Upon a reasonable expectation of privacy
• Highly offensive to the reasonable person
Legal framework
• Criminal Code
• Section 342.1 – Unauthorized use of computer ("hacking")
• Section 402.2 – Identity theft
• Section 403 – Identity fraud
Legal framework
• Law Society – General rules
Legal framework
• Law Society – Rule 5.1-2
• When acting as an advocate, a lawyer shall not
Legal framework
• Law Society – Rule 7.2-6
Legal framework
• Law Society – Rules 5.1-5 and 5.3-1
Tactics
• Nine tactics in the following slides
• Three purposes
• Investigations
• Background checks
• Intelligence
• Assigned a risk score (1 = low risk, 10 = high risk)
Tactics (Investigations)
• Receiving unsolicited evidence from a friend
• Risk score = 1
• An employer may often have a duty to receive and
"process" this evidence
• Numerous cases in which this evidence has been
used without dispute – e.g. Sheridan College (Rowe)
Tactics (Investigations)
• Wait, confront and ask for production
• Risk score = 1
• Mixed law on "right to silence," but non-cooperators
open themselves to an adverse inference
• Privacy likely to be a weak defence for social media
publications (see M Picher cell record cases)
• Think about scope of request, manner of production
and risk of modification
Tactics (Investigations)
• Searching open internet for evidence
• Risk score = 3
• Permitted but may be challenged
• Cleanest defence = reasonable for investigation
• Document purposes
• What is the relevant evidence?
• Or, is the search to test veracity/credibility of
statements/defences? to identify witnesses?
Tactics (Investigations)
• Requesting "protected" evidence from a friend
• Risk score = 7
• The employee may become your agent in allowing
unauthorized and unexpected access
• By all means question to gather evidence
• Then say, "Thank you. If you have anything else you
wish to bring to our attention please let us know."
Tactics (Investigations)
• Gaining unauthorized access to a social media (SM) account
• By any means (finding login credentials, obtaining them
under false pretenses)
• Risk score = 10
• It happens
• Calgary Police Service
• Moore's Industrial Service Ltd
Tactics (Background Checks)
• Background check of open internet w consent
• Risk score = 1
• Until the pending amendment takes effect, PIPEDA
arguably does not apply to candidates for employment
• Risks are manageable: (a) defer the check, (b) demonstrable
need, (c) objective criteria, (d) searcher is not the
decision-maker, (e) written report and (f) validate negative
information
Tactics (Background Checks)
• Background check of open internet w/o consent
• Risk score = 3
• Risks arguably increase once PIPEDA is amended
to apply to candidates for employment
• Manage risks per the suggestions above
Tactics (Background Checks)
• Background check of protected spaces w consent
• Risk score = 7
• Conduct a supervised search, don't take login
credentials
• Permissible, but significant non-legal risks
• Awkward, employee relations and public affairs risk
Tactics (Intelligence)
• Using internet data for preventative purposes
• Risk score = 5
• Primary risk is derived from PIPEDA consent rule
• Risk mitigation
• Target activity (e.g. event monitoring), not people
(e.g. adversarial group reports)
• Favour surveillance (looking for exceptions) over
intelligence gathering (building a dossier)
Editor's Notes

  • #2 (title slide): Relevant topic. Given to corporate security team last summer. Found it helpful.
  • #3 (outline): 1.0 hours. Condensed presentation. Rules that govern the use of. Invite question and answer as we go.
  • #4 (legal framework – statutory, common law and criminal):
    - Statute: PIPEDA (nuclear), not FIPPA (exclusion)
    - Common law: arbitral principles; civil tort
    - Big qualifier: very grey area; today we're dealing with degrees of risk
    - Be pragmatic: what's the risk? Are we likely to obtain information of value? Does that justify taking the risk?
    - Fishing is a useful metaphor, e.g. you have three grounds and look at emails to find a fourth; there's risk, and it will vary with the sensitivity of the information
  • #5 (PIPEDA 7(1)(b)):
    - PIPEDA applies to the activities of a federally regulated employer, regulates collection, use and disclosure of personal information, and requires consent unless there's an exception
    - The main exception you rely on is 7(1)(b), which has two requirements
    - The first requirement will often fit with social media evidence (the poster can take it down)
    - The second requirement is not reasonable and probable grounds, not even reasonable suspicion, but it opens up a broad review jurisdiction and puts the burden of justification on you
  • #6 (PIPEDA 7(1)(d)):
    - Do we even need to worry about justification when it's online? Is it a publication? Did the individual provide it?
    - Autobiographical article in an online magazine: YES
    - Malingering employee's windsurfing photo on page 1 of the paper: ARGUABLY NOT (!)
    - Mommy blog: ARGUABLY YES
    - Twitter stream: DEBATABLE
    - Facebook: DEBATABLE
  • #7 (PIPEDA 7(1)(d), continued):
    - This slide is for your defence lawyer
    - Practically, 7(1)(d) will only cut down your risk a little
    - Practically, don't assume it is not a privacy issue because it is posted online
    - Pending interpretation, and unless it clearly applies, keep 7(1)(d) in your back pocket; focus on 7(1)(b) and justification in deciding what to do
  • #8 (labour arbitrators and the privacy tort):
    - Common law claim: is there a reasonable expectation of privacy in online information? If no, there's no privacy issue from a common law perspective
    - R v Spencer, 2014 SCC 43: protectable interest in surfing the internet anonymously; not the same as surfing the net "in the open"
    - A typical judge may not "get" the privacy issue; an arbitrator might
    - Example: Murphy v Perger, [2007] OJ No 5511: 366 friends = no REP. But Ontario courts have arguably backed away from that position.
    - Again, just because it is online doesn't mean you are out of the woods
  • #9 (Criminal Code): See handout.
    - Hacking: possession of a password (searching your system for login credentials); obtaining access to a shielded SM account without authorization
    - Identity theft (deals with acquiring information to impersonate): doesn't rest on proof of false pretenses; covers dumpster diving, spyware, exercise of legitimate system rights; possession of a password for the purpose of gaining unauthorized access
    - Identity fraud: fraudulently personating another non-fictitious person; using someone's identity to gain access, e.g. creating a fake social media account of a real "trusted" person
  • #10 (Law Society – general rules):
    - Very aggressive tactics by security will engage these duties
    - We can't counsel in assistance of illegality
    - Do you violate 3.2-7 if you advise an investigator on whether it is lawful to create a fictitious but appealing SM profile? No. Though I think you may be prohibited from creating the profile yourself.
  • #12 (Rule 7.2-6):
    - ABA guidance: you (or your agent) can "friend" an unrepresented party but must fully disclose your proper identity and provide accurate answers to questions; under our Rules, you likely need to disclose your interest (see next slide, see 7.2-9)
    - ABA guidance: don't friend a represented person; warns against inadvertent communications with represented parties (e.g. LinkedIn notifications)
  • #13 (Rules 5.1-5 and 5.3-1): So you can friend a witness, but must disclose your interest.
  • #14 (tactics): Apply the law and talk about tactics. Investigations: something has gone wrong and you are looking for evidence. Background checks: typically hiring. Intelligence: preventative focus.
  • #16 (receiving unsolicited evidence from a friend): Strange fit with PIPEDA, but your defence, if challenged, is 7(1)(b).
  • #18 (wait, confront and ask for production): Quite obviously fine from a privacy perspective. Risks: (a) asking may compromise the availability of the evidence, (b) the employee may say no.
  • #20 (searching open internet for evidence):
    - This one depends on whether privacy legislation applies
    - If it does, you need to fit within the publicly available information exception or (better) the investigation exception
    - THE BEST POLICY FOR RISK MITIGATION PURPOSES IS TO RELY ON 7(1)(B) EVEN IF PUBLICLY AVAILABLE
  • #22 (requesting "protected" evidence from a friend):
    - Probably legal but could be the subject of good analysis: inducing breach of confidence? Inducing some other breach?
    - Lawyers directing the collection: borderline. Is this counselling "dishonesty"? You can talk to a witness without restriction; is this not the same?
  • #24 (gaining unauthorized access to a SM account): Illegal, can be criminal.
  • #26 (background check of open internet with consent): PIPEDA may not apply; if it does, you have consent. The risks are related to human rights legislation.
  • #28 (background check of open internet without consent): Privacy risks are pretty low if no legislation applies; if legislation applies you must carefully consider the scope of the publicly available information defence.
  • #30 (background check of protected spaces with consent): Just awkward and aggressive from an HR perspective; legal risks are quite manageable.
  • #32 (intelligence):
    - The risk here is that you can't collect under 7(1)(b) and, as discussed, the publicly available information exception is limited
    - But if you don't target people and target activity, you can argue you have not "collected" PI even if you gather information that would be about individuals in another context; there is law that supports this argument
  • #33 (closing slide): Privacy lawyer. Employment lawyer. Internet user … Not a PI. Not a technologist.