Wednesday, April 29, 2015

Canadian Government on Copyright Notice Flood: "It's Not a Notice-and-Settlement Regime" via @mgeist

from Twitter

Monday, April 27, 2015

Canadian Privacy iAMA on Reddit

PrivaSecTech is hosting an AMA (“Ask me anything”) on Reddit which will feature some of Canada’s top privacy professionals. On Friday May 1st from 17:00-20:00 AT / 15:00-19:00 ET / 12:00-16:00 PT, the team will be on hand to answer all of your privacy-related questions. Bring all of your interesting legal, policy, and technical questions as they apply to your organization or to yourself as a Canadian.

The team:

Micheal Vonn – The BCCLA’s own Policy Director, a specialist in privacy, national security, policing, surveillance and free speech.

Kris Constable – Senior Advisor & Consulting Privacy Officer at PrivaSecTech. Kris advises, trains, and audits organizations that prioritize the privacy of their users. Twitter: @cqwww

Andrew Clement – Professor in the Faculty of Information, University of Toronto, researching surveillance and privacy. He leads the internet surveillance mapping project and recently initiated the Snowden Surveillance Archive.

John Wunderlich – Independent privacy consultant and researcher. You can follow him on Twitter @PrivacyCDN or find him at .

Sara Levine – A specialist in privacy, freedom of information and health law, serving clients in the business, regulatory, non-profit, education and health sectors. Sara is committed to public education around privacy and freedom of information issues, and regularly speaks to groups interested in privacy rights and obligations in BC.

David T.S. Fraser – A Canadian privacy lawyer and partner with the firm of McInnes Cooper. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

You will need an account on Reddit to participate. On the afternoon of May 1st, join the Canadian Privacy iAMA thread, and ask your question(s)! Visit PrivaSecTech’s event page for the link to the Reddit iAMA, which will be posted as soon as it is active!

In the interim, check out r/privacy and the newly formed r/privacylaw.

Sunday, April 26, 2015

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee via @danmichaluk

from Twitter

Tuesday, April 07, 2015

Why privilege matters in privacy advice

After a data breach, a company can easily find that the due diligence it exercised to avoid the breach in the first place can readily be turned against it. “Privacy impact assessments” and “threat risk assessments” are increasingly common, identifying privacy and security risks associated with new projects, new products and new processes. They should be a frank assessment highlighting all of the things that can go wrong so that the business can understand the steps to take to mitigate these risks. If they don’t identify all the risks, they are incomplete. But as most privacy professionals know, you can readily pay a million dollars to avoid a thousand dollars’ worth of risk. Mitigation steps need to be proportional to the risk, but only the worst case scenarios can instruct you on how badly things can go.

As important as these documents are, they can easily become the “smoking gun” that is front and centre in an investigation by regulators or a class action lawsuit. A privacy risk that is identified and unaddressed (or not fully addressed) will quickly be presented as negligence and recklessness.

I recently reviewed a “privacy risk assessment” prepared by a privacy consultant that was authored a few months before a significant breach involving tens of thousands of individuals. The report was the work of a privacy consultant and can readily be interpreted as a chronicle of previous privacy breaches (all of which could have been much worse), common carelessness on the part of employees, and budgetary constraints that led to cut corners. Many risks were identified and not all were ultimately addressed. The report can be seen to point in a direct line to negligent and reckless handling and safeguarding of sensitive personal information, while management was fully aware of systemic shortcomings. The report concludes that the organization should seek an “acceptable level” of privacy and security breaches. I expect that this document will be Exhibit “A” in the class action lawsuit that has already been filed. The consultant’s working notes will also be relevant evidence, along with any interviews he carried out. It may well be that the manager who commissioned it will soon regret making that decision.

The reason why this privacy risk assessment will be front and centre in a lawsuit is that the report was not prepared by a lawyer. It was prepared by a consultant who is not able to offer legal advice, despite the fact that it refers to compliance with privacy legislation. The only way to confidently keep anything out of court and off the record is to make sure that it is protected by legal advice privilege. If the report had been prepared by a lawyer or even by a consultant on a lawyer’s instructions in order to support the lawyer’s legal advice, it would never see the light of day unless the organization chooses to waive its privilege. The report would have served its purpose of allowing the organization to have a frank assessment of its vulnerabilities -- warts and all -- without the risk that it would be front and centre in court.

Note: I expect that this may be received as self-serving since I am a lawyer. I look forward to any debate or discussion that this raises.