The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.
The recent decision The Queen v. Cole by the Supreme Court of Canada touches upon interesting issues regarding information privacy in the digital age.
The facts are simple. An information technologist working at the same high school as Mr. Cole, a teacher, remotely accessed Cole’s history of internet access and one of his drives and found a hidden file which contained nude photographs of a student. The photographs and internet file were copied onto a disc and given to the police, which determined that a search warrant was unnecessary. Cole was subsequently charged with possession of child pornography and fraudulently obtaining data from another computer hard drive. The trial judge excluded the computer material under Sections 8 and 24(2) of the Charter. In overturning the decision, the summary conviction appeal court found no breach of Section 8. This decision was set aside by the Ontario Court of Appeal, which concluded that the evidence of the disc containing the temporary internet files and the laptop computer and its mirror image was excluded. A 6-1 majority ruling by the Supreme Court concluded that the police infringed upon Cole’s rights but upheld the Court of Appeals’ finding that the evidence should not have been excluded from trial.
For those captivated by recent events in astronomy, parallels can be drawn between the recent landing of NASA’s rover Curiosity on planet Mars and the public discourse on data security in Canada. With the distinction that one is effectively equipped with the right budget and tools to achieve its actual objective, both have come a very long way, both have managed to blaze through layers of clouds, both seek to secure ingredients essential to life, and both are now aimlessly wandering about unchartered territories.
A decisive factor in Barrack Obama’s 2008 political campaign was the extensive use of individual, thin sliced consumer data to send highly tailored messages to gain political support. Within 13 years, Google has become the most valuable brand in the world through the aggregation of vast amounts of data including search data, or data held in Gmail accounts. This information is then used to create an advertising cruise missile, which is much more efficient than the old method of pattern bombing.
Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular a concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.
Recent unauthorized access to British Columbia Institute of Technology’s computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of risks of exposure to data breaches. That none of the data on BCIT’s computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the “oil” of the 21st century, uncompromised. More curious than uncompromised data, however, is BCIT’s notification in the absence of an actual data breach, and mandatory breach notification provisions under B.C. privacy law.
Jeremy Bentham used to refer to the common law as the “dog law”. As he explains it, “whenever your dog does anything you want to break him of, you wait till he does it, and then beat him for it. This is the way you make laws for your dog: and this is the way the judges make law for you and me.” .
Insofar as the tort of invasion of privacy in Canada is concerned, Jeremy Bentham was arguably right. Aside from the province of Quebec, which is governed by a civil law system, and a few other provinces in Canada which have benefited from a statutorily enacted tort of invasion of privacy, lower Courts have been divided over the existence of a free-standing tort of invasion of privacy at common law. The recent decision Jones v. Tsige (2012) by the Ontario Court of Appeal is the first to confirm that what used to be an embryonic tort of invasion of privacy is now alive and well in Canada
The cyber-attacks recently launched by six individuals from the group Anonymous, an international hacktivist collective, against 13 Quebec government and police websites are but a fleeting glimpse of a much broader problem associated with the cyber world, most of which remains largely unseen. Succinctly stated, the cyber-attacks were a response to the Quebec Liberal party’s constitutionally questionable Bill 78 that was recently passed as a response to the student crisis sparked three months ago over the government’s planned 75% tuition increase. That six individual were arrested by law enforcement agencies and charged with mischief, conspiracy, and unlawful use of a computer should hardly be reassuring.