ComputerWorld is reporting today that an IT staffing firm has accused one of its former employees of violating her non-compete undertaking through her conduct on LinkedIn. I’m not aware of any similar lawsuit to date in Canada so it’ll be interesting to see how this particular case evolves in the U.S. This case and others that I’ve previously noted highlight the blurring line between online and offline worlds. Businesses should consider whether or not, and to what extent, they should try to enforce such restrictive covenants in the social networking world. Stay tuned…

We’ve just launched a new firm blog, called PitbLAWg, that’s intended to provide readers with practical commentary regarding timely and relevant legal issues affecting you and your business. 

I hope you visit PitbLAWg by clicking here.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

This very question has yet to be the focus of judicial consideration in Canada, and it appears as though it remains an unresolved issue in most other jurisdictions.  Although bloggers and writers have analyzed e-mail disclaimers, there is no authoritative jurisprudence or legislation to shore up their arguments.  There are a number of issues surrounding the enforceability discussion, including, among other things:

• the lack of consideration between parties to create binding contracts via typical e-mails;
• the timing of e-mail disclaimers (they come at the end of e-mails, after recipients have read the messages); and
• the otherwise lack of confidentiality associated with e-mails, which has come to light through the ever-increasing number of e-fraud cases.

That said, it is always safer to err on the side of caution.  In the event your organization were unlucky enough to be sued for the contents of an e-mail, it may prove useful to have used an e-mail disclaimer.  At the end of the day, even though the enforceability of e-mail disclaimers may not have yet been judicially considered, having an appropriately drafted e-mail disclaimer may help mitigate your businesses’ liability in the event of an unfortunate e-mail mishap.

E-mail disclaimers should be drafted with legal and business considerations in mind in such a manner that reflects the values, marketing strategy and risk tolerance of your organization. Please contact me if I can provide any assistance in drafting an e-mail disclaimer that suits your organization’s needs.

Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.

But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design“. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.

It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.

PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

Changes to PIPEDA may include:

• a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
• amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
• modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.

Have you heard the term “cloud computing“, but aren’t really clear what it means?

Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.

Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.

Cloud computing is not new, but is now embedded into the fabric of modern business operations.  In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs. 

Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.

Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.

They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach? 

Breaches of confidential corporate data and personal information are nothing new to the business world, but smartphones have brought a new dimension to the problem. Smartphones are starting to make appearances in Canadian court cases in a supporting role, but it won’t be long before they are squarely in the spotlight. The latest iPhone model has up to 32GB of memory while BlackBerrys can store vast amounts of data on memory cards. The equivalent of entire filing cabinets can now be carried around conveniently in your shirt pocket. This reality has increased the risk for massive privacy breaches in the blink of an eye.

The big question is how involved should employers be in regulating and monitoring their employees use of smartphones? All encompassing monitoring of employee smartphone use is a touchy area, but the permeation of smartphones in today’s corporate world and the corresponding risks to businesses necessitates (at the very least) that relevant guidelines concerning their use in the workplace should be implemented by employers. All it takes to damage a business is for one employee to misplace their smartphone without having first activated their security settings.

People are increasingly aware of their privacy rights. This heightened awareness has translated into a greater willingness to initiate costly and time-consuming privacy complaints. Thanks to laws like the Personal Information Protection and Electronic Documents Act (PIPEDA), the reality for businesses is that non-compliance with privacy laws can take a chunk out of the bottom line. Given the costs associated with failing to meet legal standards, it’s not surprising that many insurers now offer privacy insurance coverage. But what is privacy insurance, and will it actually protect your business when you need it most? The scope of coverage offered varies depending on the provider, so it’s important to read the fineprint.

Be sure to ask what the policy covers. Some policies limit privacy insurance to protection from hacker attacks. But while hackers are a serious issue for any business, your insurance plan may need to do more. Depending on your jurisdiction and the applicable privacy laws, you may want to look for protection against any costs that can be imposed by the regulatory agencies that oversee compliance with privacy legislation. Otherwise, you might find you’re on your own for your businesses’s failure to fully meet the legal requirements for personal information under your control, including obligations to respond to access to information requests, obtain consents and ensure the accuracy of personal information holdings. It’s also a good idea to evalute your existing protection. Your current business insurance may already provide you with the coverage you need. If, for example, your errors and omissions insurance already protects you against privacy breaches, purchasing additional insurance may not be necessary.

Consider what the privacy insurance plan won’t cover. Many plans don’t cover illegal or fraudulent employee conduct, and some stop short of protecting against anything beyond the unauthorized release of personal information. Court defence costs may also be excluded. Make sure you read the plan or have your lawyer go over it before you buy it.

Finally, don’t forget that the best insurance policy is to take as many proactive steps as possible to get your privacy house in order. If you’re reading this blog, chances are you already have some of these measures in place. If not, consider comprehensive privacy policies and procedures that are reviewed and updated on (at least) an annual basis by legal counsel with expertise in privacy law. Staff privacy training is another excellent proactive step. As the saying goes, the best offence is a good defence!

It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca.  Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics.  Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week.  The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!

According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law.  The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.

It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases.  The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner‘s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.

The ECPA is nearly 70 pages long.  Stay tuned to this blog.  As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those enaged in online marketing.

A prime example is the bankruptcy of U.S. online toy retailer, Toysmart.com. Toysmart.com had collected vast amounts of personal information from its online consumers in accordance with its privacy policy, which stated that the company would never share its database with third parties. Despite the promise, Toysmart.com then made attempts to sell the database. The U.S. Federal Trade Commission (“FTC”) then sued Toysmart.com seeking injunctive and declaratory relief to prevent the sale of the database by Toysmart.com. The complaint alleged that Toysmart.com had violated U.S. law by misrepresenting to consumers that personal information would never be shared with third parties, and then disclosing, selling and offering that information for sale. Toysmart.com later settled with the FTC. The settlement agreement forbid the sale of the database except under very limited circumstances.

Of course, Canadian companies are subject to Canadian privacy laws such as PIPEDA, which require the consent of individuals for the disclosure of personal information to third parties. In structuring privacy policies, Canadian companies should consider all outcomes including bankruptcy. As a result, privacy policies should be carefully drafted with consideration of the possibility that personal information may be shared with third parties in the event of bankruptcy.  Doing so will almost certainly not be enough to fully comply with Canadian legal requirements, but it’s a prudent step in the right direction – especially in these uncertain economic times.

The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.

PIPEDA applies to organizations that collect, use, or disclose “personal information” in the course of a commercial activity. The definition of “personal information” does not specify the residency of the individual to whom the personal information must relate. As a result, organizations are well-advised to manage their personal information holdings in accordance with all of the obligations set forth in PIPEDA regardless of the residency of the individuals to whom information relates. If they don’t, non-Canadians (including U.S. residents) may initiate privacy complaints to the Office of the Privacy Commissioner of Canada.

The commissioners point out that ”a common misconception is that a company doesn’t need your permission to take your photograph in a public place.  In fact, one of your key protections under Canadian privacy law is that you should know when your picture is being taken for commercial reasons, and what your image will be used for.  Your consent is also needed.”

The Winnipeg Free Press is also running an excellent story in today’s newspaper, which highlights some of the broader issues related to Google Street View.   Arthur Schafer, a professor at the University of Manitoba and director of the Centre for Professional and Applied Ethics, comments in the story about the related ethical issues while I comment in the story about the related legal issues.

If you’re not ramped up on Google Street View, you may want to read the Wikipedia description, which does a good job of explaining the Google service. David Fraser also has an illustrative blog post, which highlights the remaining privacy issues despite Google’s efforts to blur faces and licence plates. 

Despite the fact that Google’s Canadian-based service providers are taking pictures in public places, Canadian privacy laws generally require the consent of individuals for the collection of their personal information.  In fact, the first ever Case Summary under PIPEDA dealt with video surveillance activities in public places.   In the Case Summary, the former Privacy Commissioner advised the company being investigated that its intended public video surveillance for commercial purposes was unlawful and should not be pursued.   More recently, and on point, Canada’s Privacy Commissioner, Jennifer Stoddart, has sent a letter to Google outlining the concerns about Google Street View from a Canadian privacy law perspective. 

Stay tuned… this story is just beginning.

In general, the defamation (written and spoken) of a business occurs when a party lowers the reputation of a business in the estimation of other members of society or an industry.  Since a business doesn’t have “feelings”, defamation cases related to businesses focus on the damage to a business’ reputation or goodwill due to the comments of another party.   The following court cases are worth checking out, both of which confirm that a business can be defamed and, as a result, is entitled to receive monetary compensation.

In Barrick Gold v. Lopehandia, the defendant was found liable for a massive online defamation campaign initiated by the defendant against the plaintiff.  The defendant had posted comments on gold and mineral investor related online forums defaming the plaintiff.  The Ontario Court of Appeal noted that Internet defamation is different than traditional written forms of defamation since online defamation, or “cyber libel”, is often taken at face value, and is capable of instantly reaching an unlimited number of persons around the globe.  The plaintiff corporation was awarded $75,000 in general damages for damage to its reputation and goodwill, $50,000 in punitive damages, and a permanent injunction to prevent further postings.

In WeGo Kayaking Ltd. et al v. Sewid, the British Columbia Supreme Court awarded $250,000 in general damages to the plaintiff corporation in relation to “review” comments posted online that incorrectly and intentionally classified the plaintiff as a “bad” tour company.

Defamation doesn’t just happen to individuals.  These cases serve as a reminder to businesses that they are capable of being defamed and, as a result, should diligently protect their online reputations.

Bell Canada

I don’t know what those assets will be, but I think it is an interesting example of the fact that even in recessions we still see acquisitions of companies.  When an organization’s assets are bought, one of the most valuable assets that are purchased is often its customer list.   

PIPEDA and other applicable privacy laws, of course, govern transactions involving personal information.   In the course of such transactions some companies are now implementing concepts once used only to secure physical assets.  For example, many organizations are choosing to employ “escrow” arrangements to ensure the security of personal information.

Most businesses now understand that the implications of violating applicable privacy laws can be very serious to the reputation and bottom line of both the vendor and purchaser.  As part of a sale of a customer list, and depending on the specific circumstances, both parties may agree that the customer list be placed in escrow until the transaction is completed.  This ensures that what is likely the most valuable asset in the transaction – the customer list – is protected from unintended disclosures prior to the actual transfer of the business.

Despite this fact and that Canada’s federal privacy law, PIPEDA, has been in force since 2001, it’s surprising how many others are confused on this point.

For instance, I recently had a client make an information request to an organization for access to corporate information. When the organization responded, they denied access to the requested information and claimed that PIPEDA required that they do so in order to protect the privacy interests of a business.

There may be circumstances where organizations have other legitimate reasons for denying access to certain information. There may also be circumstances where privacy laws such as PIPEDA should be cited in denying access to certain business records where releasing the information could unlawfully disclose the personal information of another individual. Organizations should not, however, cite Canada’s privacy laws as a justification to deny access to information requests on account of the privacy rights of a business.

If you encounter this scenario you may be dealing with someone who either doesn’t understand privacy laws or who is perhaps being disingenuous. After all, the general thrust of Canada’s privacy laws is to encourage organizations to create a culture of privacy in order to protect the privacy of individuals whose personal information is collected, used, retained or disclosed by such organizations.

In a recent speech to the 10^th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws.  This is a huge concern!  We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor.  It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.”  The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.

In 2005, Hal Neumann’s home was searched by the Canada Revenue Agency, who were looking for records and documents he’d already given to the government. The CRA is studying the decision to determine if they will appeal. 

This judgement is significant because it demonstrates that Canadian courts are now willing to award substantial damages for an invasion of privacy.  Public bodies or private sector organizations in Canada that think privacy rights don’t have teeth should reconsider after seeing this groundbreaking decision.

Online shopping a risky transaction: Protect yourself from identity thieves

My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and the benefits to online retailers of  having sercure websites and comprehensive online privacy policies.

Privacy matters to most customers: Staff should be able to handle concerns

My October 1, 2008 column in the Winnipeg Free Press reports on a survey released by the Privacy Commissioner of Canada and the vital need for businesses to train their staff to identify and deal with privacy issues.  Privacy training, or lack thereof, can affect the bottom line.

Data “packrats” failing customers: Companies need policies on retention

My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get in to when they keep every single piece of information on their customers, even when they no longer need it.

Privacy chief important role in modern firm

My August 18, 2008 column in the Winnipeg Free Press provides a definition of the position of Chief Privacy Officer (CPO) as well as some tips to help determine the scope of the role in particular firms.

Guidelines aid in use of surveillance cameras

My column of June 4, 2008 in the Winnipeg Free Press describes the guidelines published by the Privacy Commissioner of Canada jointly with the privacy commissioners of British Columbia and Alberta, and how businesses can use them to remain compliant with the law.

Recording telephone calls could be a risky business

My April 2, 2008 column in the Winnipeg Free Press discusses the privacy implications resulting from recording telephone calls, and why it is important to let your customers know if you are recording their calls to you.

Get your company’s privacy policy in order:  Potential purchasers will need to know

My March 5, 2008 column in the Winnipeg Free Press discusses some of the problems that can occur when trying to sell a business, if you haven’t put privacy policies in place.

Businesses face challenge in winning people’s trust

My November 7, 2007 column in the Winnipeg Free Press discusses the Privacy Commissioner of Canada’s annual report and what it means to private sector businesses.

Incubator nurtures local digital gaming

My February 13, 2008 column in the Winnipeg Free Press reports on Canada’s first digital gaming business incubator, Fortune Cat Games Studio, and its efforts to assist entrepreneurs in this potentially lucrative field.

Businesses must take steps to prevent I.D. theft

My July 4, 2007 column in the Winnipeg Free Press points out the fine-tuning to PIPEDA and what businesses will have to do to remain compliant.

Take steps to protect confidential information

My April 4, 2007 column in the Winnipeg Free Press stresses the importance of having non-disclosure agreements in place when disclosing sensitive information to other organizations.

Protecting IDs is good business, and it’s the law

With March being Fraud Prevention Month, my March 7, 2007 column in the Winnipeg Free Press lists some of the procedures businesses should have in place to ensure they are compliant with privacy legislation.

Buying or selling a business requires due diligence

My June 7, 2006 column in the Winnipeg Free Press considers PIPEDA Case Summary #325, which sets out the rules regarding sharing customer lists of businesses being considered for sale.

Ruling has significant implication for businesses

In my August 3, 2005 column in the Winnipeg Free Press I discuss the implications of a ruling of the privacy commissioner dealing with unwanted marketing materials.

Information Act reform will affect businesses

My February 1, 2006 column in the Winnipeg Free Press reports on reforms that I would like to see in the Access to Information Act, based on recommendations from the Gomery Report.

Warning: Inventor holds copyright

In my September 7, 2005 column in the Winnipeg Free Press I discuss ownership of intellectual property.

Outsourcing comes with risks; U.S. service providers bring privacy concerns

My April 5, 2006 column in the Winnipeg Free Press reports on the implication of Canadian businesses using American companies to store Canadian personal information.