Judge denies class action certification over Equifax data breach

A class action suit that sought compensatory and punitive damages against credit-reporting company Equifax Inc. following a massive global data breach that affected more than 143 million people worldwide, including 19,000 Canadians, was refused certification after Quebec Superior Court held that Quebec law does not recognize compensatory damages for data breaches.

The decision, the latest in a rapidly growing body of Quebec jurisprudence dealing with security breaches, underlines that being the victim of a data breach is insufficient to claim damages even where there is prima facie evidence that a fault occurred, according to class action lawyers.


Ottawa finally proposes regulations on data breach notifications

Private sector organizations following federal privacy law will have to provide breach notifications to customers and the privacy commissioner where it is reasonable to believe that the breach creates a “real risk of significant harm,” under long-awaited proposed regulations to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

The draft regulations, if and when they come into force, are expected to provide Canadians with better protection while giving organizations yet another compelling incentive to adopt better security practices to thwart a phenomenon that is occurring with alarming frequency, according to privacy experts.

Early this month, credit-monitoring company Equifax Inc., one of three major credit bureaus in the United States, disclosed a security breach that could affect up to 143 million Americans and an undisclosed number of Canadians. More recently still, the personal information of some one million users of the news and entertainment website Canoe.ca was exposed after some of its databases were hacked.

“When a data breach takes place it places the individuals whose personal information has been breached at considerable harm at times, depending on the scope of the breach and the sensitivity of the information,” noted Ann Cavoukian, one of the world’s leading privacy experts who served three terms as the Information and Privacy Commissioner of Ontario. “So individuals have a right to know that their information has been breached and what measures they can take to hopefully minimize the harm and take collective action. This is why the proposed regulations are so important.”

The projected changes flesh out the Digital Privacy Act (also known as Bill S-4), which amended PIPEDA, Canada’s privacy law, in June 2015. While Bill S-4 introduced an explicit obligation to notify individuals and report to the Office of the Privacy Commissioner of Canada (OPC) in cases of breaches, those amendments have not come into force. Published on September 2nd, the draft regulations are open for comments for a period of 30 days.

The draft regulations, while widely lauded by privacy experts, also raise questions. Under the proposed regulations, organizations that have been the target of a “breach of security safeguards” have to conduct a risk assessment to determine whether the breach poses “a real risk of significant harm” to any individual whose information was involved in the breach. The assessment must consider the sensitivity of the information that was breached and the probability that the information will be misused.

“That concerns me a little,” said Cavoukian, who is leading the Privacy by Design Centre of Excellence at Ryerson University. “It has to be a real risk, whatever that means, and must cause significant harm, whatever that means. If I was the Commissioner I would urge organizations to err on the side of caution because you don’t know what risks may arise in the future. Guidance will need to be provided so that people just don’t sweep it under the cover.”

When an organization determines that a breach poses a real risk of significant harm, it must notify affected individuals, either directly or indirectly, and report to the federal privacy commissioner. The expected contents of the notifications are “rather standard,” said Eloïse Gratton, the national co-leader of the privacy and data protection practice group with Borden Ladner Gervais LLP.

Besides providing a description of the circumstances of the breach and the day or period in which it occurred, the organization is expected to describe the steps it has taken to reduce the risk of harm to the affected individual, and the steps the affected individual can take to reduce the risk of harm resulting from the breach or to mitigate the harm.

“It would appear to be good business practice for organizations affected by a breach to follow this section of the proposed regulations if they choose to notify affected individuals until the new sections come into force,” said Gratton. These requirements, added Gratton, echo those recommended by the OPC in a document entitled “Key Steps for Organizations in Responding to Privacy Breaches.”

Though it is widely expected that the majority of organizations will provide direct notification, such as by email, the proposed regulations do allow organizations — under certain circumstances — to inform clients indirectly, such as by posting information on their website. Under section 5 of the proposed regulations, organizations can provide indirect notification if giving direct notification would cause further harm to the affected individual, if the organization does not have the contact information of the affected individual, or if the cost of giving direct notification is “prohibitive” for the organization. “Basically you are going to do an email blast to all of your customers or whoever is implicated and say that we would like to notify you of this breach that happened on this day, so how is the cost of that prohibitive,” rhetorically asked Cavoukian.

But according to privacy expert Daniel Michaluk, the regulations “make it clear” that direct notification will be the “default way” that organizations will be expected to inform affected individuals of a data breach. “When a corporation wants to provide indirect notification in lieu of direct notification, they will need to meet this prohibitive cost standard,” said Michaluk, a Toronto lawyer whose practice with Hicks Morley Hamilton Stewart Storie LLP focuses on information security and data management, anti-spam, privacy and freedom of information matters.

The draft regulations also introduce requirements on the content, form and manner of reporting a breach to the OPC. Organizations will have to keep a record of the breach for 24 months after the incident occurred. They also compel organizations to provide, in writing, a description of the circumstances of the breach and, if known, its cause, as well as the day or period in which the breach occurred, a description of the personal information that was the subject of the breach, and an estimate of the number of individuals who now face a real risk of significant harm following the breach.

Some have speculated whether the record of the breach in the hands of the OPC could be used against organizations before the courts, but Michaluk dismisses that contention. He points out that the reporting and record-keeping obligations under the draft regulations are geared towards the collection and conveyance of facts and not an analysis of those facts or legal or risk-related conclusions about those facts. “That type of information which is far more sensitive can be kept out of these records that are very open to disclosure in any kind of fora,” said Michaluk. “That’s a good thing. That’s done in a manner that respects the kind of difficult issues companies face that have to respond to incidents.”

This article originally appeared in The Lawyer’s Daily, published by LexisNexis Canada Inc.

Ashley Madison agrees to US$1.7 million settlement

A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services.

Just before the Christmas holidays, Toronto-based Avid Life Media Inc. (ALM) agreed to pay US$1.6 million and implement a comprehensive data-security program, including third-party assessments, to settle claims by the FTC, which worked in collaboration with 13 U.S. states. According to the FTC complaint, until August 2014, operators of the site “lured” customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members.

ALM, now known as ruby Corp., still faces a slew of class actions stemming from the data breach, and in a move to dismiss the claims, it is arguing that plaintiffs agreed to an arbitration clause and a class action waiver when they signed up. Plaintiffs’ attorneys counter that the arbitration provision is “buried after pages of legalese.” (Over the past decade thousands of U.S. businesses have used arbitration “to create an alternative system of justice” that tends to favour businesses, according to an investigation by the New York Times.)

Closer to home, Canada’s privacy watchdog says that more enforcement powers would have been “useful” to deal with the numerous privacy violations committed by ALM.

A joint year-long probe by the Canadian and Australian privacy commissioners, launched after the massive data breach, found that ALM had inadequate or nonexistent security safeguards and policies while marketing itself as a discreet and secure way for consenting adults to have affairs. The company even went so far as to display fictitious security trustmarks on Ashley Madison’s homepage to reassure users and convey the impression that the website had a high level of security and discretion.

Under a compliance agreement with the Office of the Privacy Commissioner of Canada (OPC) and an enforceable undertaking with the Office of the Australian Information Commissioner (OAIC), the company agreed to conduct a comprehensive review of its information security systems, strengthen its security framework, document its efforts, ensure adequate training of staff, and provide a report from an independent third party documenting the measures it has taken to come into compliance.

“Theoretically this is the kind of case where additional enforcement powers would have been useful,” said federal Privacy Commissioner Daniel Therrien. “It’s not that in the absence of these powers we do not have influence. But other jurisdictions in the U.S. and Europe have order-making powers and can impose fines so clearly the question whether the OPC should have these powers arises.”

At present, under the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy commissioner can only make non-binding recommendations and has no power to make orders, unlike the provincial privacy commissioners in Alberta, British Columbia, Ontario and Quebec.

Ann Cavoukian, a three-term Ontario privacy commissioner, is in favour of granting the federal privacy commissioner more enforcement powers. “When I was Commissioner I felt so grateful and fortunate that I had order-making powers because that gave me the stick I never had to use,” said Cavoukian, the executive director of the Privacy and Big Data Institute at Ryerson University. “Having the stick allowed me to get an organization to agree to things informally because they knew I could pursue this in a much more serious manner.”

But while Ottawa privacy lawyer Kris Klein also bemoans the fact that the OPC does not have powers with “bite,” he commends the federal privacy watchdog for using the high-profile case as a springboard to deliver a strong reminder to businesses and organizations that they must put in place safeguards that take into account the sensitivity and amount of information they collect and use. The comprehensive report, unlike the vast majority of reports penned by the OPC, also provides solid guidance that will help privacy lawyers, added Klein. “The report is extremely helpful as it helps privacy practitioners better understand what the privacy commissioner expects in terms of information security standards,” said Klein of Nnovation LLP. “So going forward I’ve got a lot more concrete things to point to when I’m advising clients as to what should and shouldn’t be done from a security perspective when it comes to dealing with personal information.” That is a harbinger of things to come, said Therrien. “One of my objectives is to increase the privacy of Canadians and to give practical guidance to companies as we have done here,” added Therrien.

Privacy experts are, however, concerned that many organizations will not pay heed to the findings and guidance yielded by the report because they do not manage personal information as sensitive as that collected and used by Ashley Madison. That would be a mistake, said Cavoukian. “Many companies obviously won’t be exactly in the same situation in terms of the sensitivity of the data collected in this site, but in this day and age of cybersecurity attacks that occur almost on a daily basis, if you are dealing with any personal information, meaning any data that contains personal identifiers either directly or indirectly, security has to be top of mind,” said Cavoukian.

The report was “careful to point out” that a data breach or a security compromise does not necessarily mean that an organization failed to establish adequate safeguards under PIPEDA, noted Klein. In order to determine whether a PIPEDA contravention took place, the OPC will perform a contextual analysis that will examine whether the safeguards in place at the time of the data breach were “sufficient” given the sensitivity of the information. That is a finding that will reassure organizations, particularly American ones, as many are wary of having to deal with a regulator when a data breach occurs, “particularly in situations where they feel they have been victimized,” said Klein.

Organizations should also be aware that the OPC’s definition of harm is broad, extending beyond financial loss to individuals due to fraud or identity theft, said Fazila Nurani, a privacy and information management lawyer. The OPC also takes into account subjective types of harm such as reputational harm, as it could potentially have a profound impact on an individual’s ability to access and maintain employment, relationships or even safety, depending on the information, said the report. “This is such an important point,” noted Nurani. “The courts have started to recognize that privacy is a right in and of itself regardless of whether you have been financially impacted or not – and the regulator in this case is on the same wavelength.”

Retention policies were also examined by the OPC in the report. ALM’s practice was to keep all information contained in inactive or deactivated profiles indefinitely in case an individual wished to reactivate their profile in the future, despite the fact that 99.9 per cent of people who did reactivate their account did so within 29 days of deactivation. The OPC makes it clear that retention policies should be based on a “demonstrable rationale” and timeline. “A lot of organizations just don’t put enough time into developing retention policies,” remarked Nurani. “They just keep the information indefinitely on an electronic system so the guidance about retention is a really big takeaway for business.”

But perhaps the most important lesson that can be drawn from the Ashley Madison case is the importance of adopting clear and appropriate processes, procedures and systems to handle information security risks, supported by internal or external expertise, said Therrien. Organizations whose business models rely on vast amounts of personal information should “think hard” about what kind of information they collect, assess the risks it poses – and plan accordingly, said Therrien. Documenting security policies and procedures is key, as it provides clarity around security-related expectations for staff, as is conducting regular and documented risk assessments, added Therrien.

“To be systematic about it means that you’re more likely to take effective measures to reduce the risk of a privacy breach,” said Therrien. “If you are not systematic then things will fall through the cracks, and you will be more at risk of these privacy breaches. Hopefully people will listen because clearly this is not (an) isolated (case).”

Information Governance: Taming a world of chaos

It appears to have become the new norm. Not a week seems to go by without a report about a data breach. America’s largest bank, JP Morgan Chase, is the latest high-profile victim, and it is still reeling from this summer’s cyber attack that compromised the accounts of 76 million households — the equivalent of 65% of all U.S. households — and seven million businesses. Law firms are far from immune. An American multi-state criminal law firm discreetly filed a report in late June with California authorities, the first U.S. state to adopt data breach notification legislation, after a hard drive containing backup files for one of the firm’s servers was stolen from the locked trunk of an employee’s vehicle.

Closer to home, hackers three years ago compromised the security of seven major Canadian law firms involved in BHP Billiton’s proposed takeover of Saskatchewan’s Potash Corp. All told, 15 per cent of U.S. law firms experienced a security breach in 2012, whether through hackers, a break-in, a website exploit, or a lost or stolen computer or smartphone, according to the 2013 American Bar Association Legal Technology Survey Report. In Canada it is likely more of the same. Thousands of attempts to breach Ontario law firm systems were likely made last year, and most probably some succeeded. “But we will likely never hear about them because firms that experience breaches usually try to keep their names out of the news,” points out Dan Pinnington, vice president, claims prevention and stakeholder relations at LawPRO.

Almost overnight, cyber security has gone from a niche information technology issue to an explosive consumer issue to a top-of-mind business issue that is increasingly becoming a boardroom priority. None of which is surprising. Information is the lifeblood of modern business, and data is its new currency. Indeed, a report by the World Economic Forum goes further and describes data as a new asset class and personal data as “the new oil.” “It’s an asset that has value and therefore it needs to be governed in the same way that we look at our assets like our people, our equipment, and our money,” says Martin Felsky, the national e-discovery counsel at Borden Ladner Gervais LLP in Toronto. But the mounting spate of high-profile data security breaches, along with rampant identity theft and a general lack of transparency in how personal data is monetized, is threatening to undermine the digital economy, adds the international think-tank.

Information security and risk management, however, are complicated by the staggering amount of data generated by the average business today. Indeed, the digital universe is doubling in size every two years, according to global market intelligence firm International Data Corp. What’s more, 90 per cent of the data in the world today was created in the last two years alone, and it has been estimated that more information is being generated now every two days than was from the dawn of civilization until 2003. With law firms, it’s even more problematic because they have to deal with their own business information and the client’s information, which is of course subject to confidentiality and solicitor-client privilege provisions. “There is no doubt that law firms are huge repositories of information,” says Barry Sookman, a senior partner and former chair of the technology law group with McCarthy Tétrault LLP in Toronto. “Depending on the areas of practice, they are collecting information, they are generating information, they are storing information. So in a sense information is our critical resource, and it necessarily has to be managed.”

Thanks to the alarming surge of breaches and the inconceivable reams of data, clients are increasingly putting pressure on outside counsel – and in many cases demanding – higher standards for how they secure client data and manage access to it. A growing number of law firms determined to keep pace with the new challenges created by mounting security requirements and the data deluge are tackling the issues through a different prism, and turning their attention towards becoming shepherds of all the information in their hands by embracing a relatively new approach — information governance.

Until recently known only within narrow technical circles, this enterprise-wide approach to the management and protection of a law firm’s client and business information assets has gained increasing attention, especially over the past year. It is a business process that covers the management of all facets of information during its lifecycle, from its creation, use, processing, protection and management all the way to its disposition.

Information governance is much more than electronic records management on steroids. It encompasses data security, electronic discovery requirements, storage optimization, and privacy — and tries to foster efficient and appropriate data management that enables defensible disposal by effectively aligning information value to information cost. “Information governance basically describes how organizations can better manage their information, their data, their knowledge, all of the things that in the world today are really how we work in the business world,” says Kathryn Manning, legal counsel at Wortzmans, a Toronto law firm that provides legal advice to law firms, corporations and government regarding e-discovery, litigation readiness, information governance and privacy law.

Proponents maintain that it can mitigate law firms’ risk of security breaches, add efficiencies to search and retrieval processes, and lead to operational efficiencies through cost savings in areas ranging from discovery to litigation to human resources. “Absolutely no question data security and privacy compliance and litigation readiness are all improved as you improve information governance because the specialists who concern themselves with information are all assessing what information you have, where and how it is kept, who has access to it, and how are you going to try and protect it, and ensure that you have continuity so disaster recovery,” asserts Kelly Friedman, a partner with Davis LLP who has an expertise in electronic information issues.

Many law offices typically maintain a number of departments, such as information technology (IT), data security, records and information management (RIM), and privacy, all of which play a role in managing the organization’s information. But the siloed approach is inefficient and fraught with limitations. Often, each department has its own policies and procedures, disparate data systems and applications, and even its own vocabulary, even though they may share the same words. It is far from unusual to end up with cases where the IT department puts its foot down and establishes email account volume limits to relieve stress on the organization’s email system, only for personnel to move email to local drives and devices, which in turn can increase data security exposure and make it difficult to find and preserve emails for litigation. Or the organization allows the use of laptops and smart phones under a Bring-Your-Own-Device program to increase convenience and efficiency, without establishing clear parameters – a situation that again can lead to the same headaches, in addition to making it more challenging to apply records retention policies. “What I hear when I have gone in law firms is different people do things in different ways so it’s tough on the staff because one department stores their documents one way, and a different department in a different way,” says Susan Nickle, general counsel at London Health Sciences Centre and former partner at Wortzmans.

What’s more, those within particular silos are constrained by the culture, knowledge, and short-term goals of their business unit, administrative function, or discipline, notes a report by The Sedona Conference Working Group on information governance. Under the siloed approach, there is an absence of overall governance or coordination for managing information as an asset, and no roadmap for the current and future use of information technology, adds the Sedona report. “We started down the road of electronic files kind of almost an ad hoc basis, without any planning and without thinking about the future and without thinking about the importance that these systems would eventually have,” notes Felsky, whose practice is dedicated to information governance. “We have completely moved away from our traditional records management processes and we have been in a new world for some time, and it’s a world of chaos.”

Information governance sets out to put some order to the disarray. It emphasizes a culture of collaboration between the different information-focused disciplines so that they make coordinated decisions about governing information for the benefit of the overall organization, as opposed to a particular department or discipline. “You need all of these people – IT, RIM, security and privacy – at the table to make decisions that align everyone’s interests and everyone’s own agenda to be able to achieve anything,” says Dominic Jaar, national practice leader of information management services with KPMG LLP (Canada).

Senior leadership and oversight are key; otherwise the whole exercise is bound to fail. Senior management not only has to endorse the importance of information governance to the entire organization, it has to adopt the strategic objectives of the program, provide appropriate resources, and establish accountability for meeting program expectations and for setting the organization’s strategic objectives for information governance. “Senior management really do have to believe in what will be done, why it will be done, and how it will be done,” says Sheila Taylor, CEO of Ergo Information Management Consulting. “Sometimes management is not as enlightened as they ideally should be or they view this as something that just employees have to do. They all have to buy it, otherwise why would the average employee pay attention to it.”

The path to information governance is laden with even more awkward and complex challenges for law firms. To begin with, the legal profession is still paper-intensive, due to a large extent to the court system’s reliance on paper. “Some businesses can say we’re going to go all digital, and law firms might wish to do that and should in terms of information governance and make the transition by saying that the electronic record is going to be the official record and the paper secondary but it’s hard for law firms to do that because the paper in many cases is the primary record and continues to be as you go to court,” says Felsky.

Some judges are not happy with the situation. Last September, Ontario Superior Court Justice D.M. Brown, in DBDC Spadina Ltd. v. Walton, [2014] O.J. No. 4009, criticized the requirement that parties file paper copies of materials in court as an “unnecessary cost,” and chastised the Ontario Court for its “failure to move into the digital age” and “the continued insistence that litigants deal with this Court through the dated and expensive medium of paper.” Many times, though, the culprit lies with law firms themselves. At times technologically savvy law firms want to forge ahead and run an entire case electronically but cannot, because opposing counsel may not be set up to receive documents electronically or may feel they are not sophisticated enough to manage the case that way.

More fundamentally, the nature of data still befuddles many law firms. Gone are the days when lawyers largely relied on manila folders and file cabinets to store documents, and protected sensitive information with a simple lock and a key, all of which was anchored by records management. Digital is an altogether different beast: it is interactive, programmable, and machine-readable only. Its sources are wide-ranging, and include electronic documents, social media, videos, voicemail, websites, and the Internet.

And in this era of BYOD, the number of sources continues to proliferate and can now include cell phones, smart phones, laptops, and tablets. The principles behind records management, then, which are paper-based, simply cannot be applied to digital. Yet there are still many organizations that can boast of having very well-defined paper-based records management rules but have no rules that apply to their electronic records, says Felsky. That can lead to dire consequences, and transform what ought to be an asset into a liability. It can lead to the “very serious practical problem” of being unable to find records, or keeping records forever instead of destroying them when they should be destroyed, or destroying records when they should be kept, or mingling records that should be segregated, or segregating records that should be mingled. Keeping too much information, as far too many law firms do, can be decidedly impractical, expensive, and potentially embarrassing if there is information that can be harmful to the case. “It is a liability if it is not governed, if it’s not managed, and if it’s not recognized as an asset and treated as such,” says Felsky.

Legal observers are nevertheless convinced that law firms — large and small, and solo practitioners – are at the very least starting to pay closer attention to information governance. Ironically, more and more law firms are advising clients on the merits of information governance. “Litigators within firms are very well versed with what can happen when clients’ records are a big mess,” says Manning. “Whether or not that translates into law firms themselves having their records in good order is probably hit and miss.”

Some law firms, especially the bigger ones, no longer seem to have a choice. Major requests for proposals now on the street are taking into consideration whether law firms have in place information governance methodologies. Clients who anticipate they will be handing especially sensitive information to law firms “want a higher degree of assurance that it will be handled the right way” and are coming to the lawyer relationship with their own set of terms around privacy, encryption standards and technical safeguards, says a lawyer familiar with the information governance scene. “Increasingly, a law firm’s information management and governance obligations are based on demands passed down by clients,” says Sookman. “Clients now are becoming much more focused on ensuring that lawyers themselves live up to certain standards.” Friedman put it even more bluntly: “Law firms got to act first, or they are going to lose business as corporations get more sophisticated in what they need to protect their own customer data and proprietary information.”

It remains though that some firms and partners are resisting, some because they are set in their ways and refuse to let go of paper while others simply do not want to invest the time, energy, and resources needed to implement information governance. “It really depends on the firm’s culture, the practice area, and how technologically savvy the lawyers themselves are,” says Nickle. “But that is a big challenge to a firm when some want to and others don’t because it makes it very difficult to develop consistent policies across the firm.”

There is no doubt, however, that growing numbers of law firms have taken the plunge, but few boast about it, if only because it is largely perceived to provide a competitive edge over rivals. But because of cultural, financial and technological impediments, the information governance programs in place at some law firms are not nearly as effective as they should be, says Jaar. He maintains that there are “so many lawyers” who refuse to pool their know-how in a document or knowledge management system and have no interest in pooling their contacts in a contact relationship management system because they feel it is their expertise and their clients. These law firms have “real good technology that they could leverage a lot more,” says Jaar. “So the IT investment has been made but the culture change has not yet happened, and the processes do not support a full information governance program. So it’s been fairly tough for them to move to an information-driven or data-driven organization.”

The other culprit is the billable hour model. A number of lawyers are reluctant to use technology to its full extent because it takes time to learn, and time spent absorbing the ins and outs of technology is not billable, which in turn means lower productivity and lower revenues. “That prevents law firms from truly engaging in information governance projects,” adds Jaar. He also holds that some law firms that have invested in the technology to support information governance fail to take into consideration that an effective information governance program requires an investment in setting up a structure, education and training. Technology represents about one-third of any investment in information governance; another third needs to be allocated to developing the governance to put in place policies and procedures; and the remaining third should go to changing the culture inside the firm through a communications strategy, and education and training. “Often, they are under the impression that if we buy this piece of software, we’re done when, in fact, it’s far from true,” says Jaar.

Yet through it all Jaar is optimistic that law firms will eventually embrace information governance. He shares the view espoused by others that information governance will be embedded into the firm’s business. Or as Taylor puts it, “We are going to continue to see it on the radar screen, and eventually having good control of your information will become sort of one of the givens of an organization just like the way organizations manage its finances, its human resources, and its capital assets.”

This story was originally published in the magazine Canadian Lawyer.