The internet as a corporate security resource

Post on 14-Apr-2017


The internet as a corporate security resource – tactics, tools and techniques

Dan Michaluk, March 19, 2015

This organization has been approved as an Accredited Provider of Professionalism Content by The Law Society of Upper Canada. This program contains 0.25 Professionalism Hours. This program is eligible for up to 0.75 Substantive Hours.

Outline

• Legal framework
• Tactics

Legal framework

• Statutory, common law and criminal
• Very contextual analysis about what is and is not permitted, without a bright line
• Law reduces to one question – is the investigation tactic reasonable in light of all the circumstances?
• Judges must recognize that investigation requires some "exploration," but we can't expect a blessing for aimless probing into private matters ("fishing")

Legal framework

• PIPEDA section 7(1)(b) permits collections where:
• it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province

Legal framework

• PIPEDA section 7(1)(d) permits collections of some kinds of publicly available information:
• personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information

Legal framework

• PIPEDA 7(1)(d)
• The "appears in a publication" requirement will limit, but there is a question of how much – it doesn't expressly say "formal publication"
• Addressed in one case that doesn't say much
• Argument – implied consent to collection for some purposes (e.g., to conduct a threat assessment)
• Consider – applicability of the Charter expression right

Legal framework

• Labour arbitrators often recognize a privacy interest and balance management rights against that privacy interest
• Courts now can hear a privacy tort claim:
• Unauthorized intrusion
• Upon a reasonable expectation of privacy
• Highly offensive to the reasonable person

Legal framework

• Criminal Code
• Section 342.1 – Hacking
• Section 402.2 – Identity theft
• Section 403 – Identity fraud

Legal framework

• Law Society – General rules

Legal framework

• Law Society – Rule 5.1-2
• When acting as an advocate, a lawyer shall not

Legal framework

• Law Society – Rule 7.2-6

Legal framework

• Law Society – Rules 5.1-5 and 5.3-1

Tactics

• Nine tactics in the following slides
• Three purposes:
• Investigations
• Background checks
• Intelligence
• Each tactic is assigned a risk score (1 = low risk, 10 = high risk)

Tactics (Investigations)

• Receiving unsolicited evidence from a friend

Tactics (Investigations)

• Receiving unsolicited evidence from a friend
• Risk score = 1
• An employer may often have a duty to receive and "process" this evidence
• Numerous cases in which this evidence has been used without dispute – e.g. Sheridan College (Rowe)

Tactics (Investigations)

• Wait, confront and ask for production

Tactics (Investigations)

• Wait, confront and ask for production
• Risk score = 1
• Mixed law on "right to silence," but non-cooperators open themselves to an adverse inference
• Privacy likely to be a weak defence for social media publications (see M Picher cell record cases)
• Think about scope of request, manner of production and risk of modification

Tactics (Investigations)

• Searching open internet for evidence

Tactics (Investigations)

• Searching open internet for evidence
• Risk score = 3
• Permitted but may be challenged
• Cleanest defence = reasonable for investigation
• Document purposes:
• What is the relevant evidence?
• Or, is the search to test veracity/credibility of statements/defences? To identify witnesses?

Tactics (Investigations)

• Requesting "protected" evidence from a friend

Tactics (Investigations)

• Requesting "protected" evidence from a friend
• Risk score = 7
• The employee may become your agent in allowing unauthorized and unexpected access
• By all means question to gather evidence
• Then say, "Thank you. If you have anything else you wish to bring to our attention please let us know."

Tactics (Investigations)

• Gaining unauthorized access to a SM account

Tactics (Investigations)

• Gaining unauthorized access to a SM account
• Any means (finding login credentials, under false pretenses)
• Risk score = 10
• It happens:
• Calgary Police Service
• Moore's Industrial Service Ltd

Tactics (Background Checks)

• Background check of open internet with consent

Tactics (Background Checks)

• Background check of open internet with consent
• Risk score (1 to 10) = 1
• Until amended, PIPEDA arguably does not apply
• Risks are manageable: (a) defer, (b) demonstrable need, (c) objective criteria, (d) not decision-maker, (e) written report and (f) validate negative information

Tactics (Background Checks)

• Background check of open internet without consent

Tactics (Background Checks)

• Background check of open internet without consent
• Risk score (1 to 10) = 3
• Risks arguably increase when PIPEDA is amended to apply to candidates for employment
• Manage risks per the suggestions above

Tactics (Background Checks)

• Background check of protected spaces with consent

Tactics (Background Checks)

• Background check of protected spaces with consent
• Risk score = 7
• Conduct a supervised search; don't take login credentials
• Permissible, but significant non-legal risks
• Awkward; employee relations and public affairs risk

Tactics (Intelligence)

• Using internet data for preventative purposes

Tactics (Intelligence)

• Using internet data for preventative purposes
• Risk score = 5
• Primary risk is derived from the PIPEDA consent rule
• Risk mitigation:
• Target activity (e.g. event monitoring), not people (e.g. adversarial group reports)
• Favour surveillance (looking for exceptions) over intelligence gathering (building a dossier)
