ELECTRONIC RECORDS INTEGRITY AND AUTHENTICITY AND STANDARDS OF EVIDENCE John D. Gregory

IQPC February 25, 2004 1

ELECTRONIC RECORDS

INTEGRITY AND AUTHENTICITY

AND

STANDARDS OF EVIDENCE

John D. GregoryMinistry of the Attorney General (Ontario)


Integrity and authenticity

What are they? Why do you care?

for business reasons have to trust your records

for legal reasons others may have to trust them


The legal reasons

administrative – a government department (such as the tax people) wants to see them

regulatory – a public agency (such as the Securities Commission) wants to see them

judicial – they are needed for a court case


Judicial reasons - Court rules We focus on court rules here because:

they are a general standard – not specific to an agency

they are a single standard – not multiple as with agencies

their standard influences others’ rules Note on Audit Standards

See later discussion by Brian Ludmer CICA has information security audit standard


The Law of Evidence in a (small) nutshell Admissibility vs weight: for courts, most of discussion

touches the former for agencies and regulators, will

affect the latter


The Law of Evidence in a (small) nutshel l the “normal” rule: oral evidence, under

oath, subject to cross-examination but: lots of exceptions notable exception: documents

“documentary evidence” includes papers, pictures, audio and videotapes, and contents of computers


The Law of Evidence in a (small) nutshel l

Criteria for admission of documentary evidence: authentic – the record is what it purports to be best evidence – an original, or an explanation not hearsay (a content rule not a form rule)

reliable and necessary business records rule statutory records rules

Ontario Evidence Act, Canada Evidence Act



Electronic documents – how does this change? Authenticity: basic rule is OK – document

supported by live witness – but e-documents are more subject to manipulation (sometimes). May be hard on a challenge.

Original (best evidence): may be meaningless for electronic document. Changed by legislation from a record-based test to a system-based test

Hearsay: no change in principle – because content does not change with the medium. Still OCB test.



In practice: Electronic records get admitted readily Everyone knows records are made on

computers “Notice to admit” procedure – know

ahead of time Risk (in costs) of objecting on speculation



BUT If there is a serious dispute, how do

you defend your records? How do you demonstrate authenticity,

originality? SO

Legislation to help answer these questions.


The Legislation Uniform Electronic Evidence Act

(federal government, 6 provinces incl. Ontario + Yukon)

Ontario Evidence Act s. 34.1 (2000) Canada Evidence Act s. 31.1 – 31.8 Quebec – distinct (Civil Code and

special Act)


The Legislation The key to the legislation: system

integrity general application: the best evidence

rule – no original needed In addition: any evidence

supporting system integrity may be used to support admissibility


The Legislation To ease admission, the law provides

presumptions that the record-keeping system has integrity: for one’s own computer, OK if one can show

the computer was working fine all the time, or if it wasn’t, the problem did not affect the

integrity of the record-keeping system for a record from an adverse party’s computer, OK

(since the other party knows more about it) for a record from an independent third party, OK if

kept in the ordinary course of business


The Legislation AND if the presumption is rebutted, so one has to

show the integrity of a record-keeping system:For the purposes of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavour that used, recorded or stored the electronic record and the nature and purpose of the electronic record. (UEEA s. 6)


The Legislation Standards may be of variable degrees of

formality (official, semi-official, private) applicability (sectoral, record-type) generality (could be bilateral agreement)

Proof that the presumptions apply or that standards are complied with may be by affidavit of a person with knowledge of the record-keeping practices of the party that wants to produce the record in evidence. The person should be available for cross-

examination.


Standards Canadian General Standards Board part of Public Works Canada

Microfilm as documentary evidence (1988) Microfilm and electronic imaging … (1993) Electronic records as documentary evidence

(2004) – in the final stages of adoption And still to come

Electronic Signatures Codes for retention and disposition of e-records Long term preservation of digital information


Standards Legal effect of a Standard

The standard is itself not a law, it is a guideline. Compliance with the standard is not mandatory. Compliance with the standard is a kind of safe

harbour, not a guarantee of any legal result. The standard is a statement of best practices. The Evidence Act says a court “may consider”

compliance with the standard – if a party asks.


Standards But

The standard is written in mandatory language – the Person “shall” do X and Y.

If you say you comply and do not, there may be civil and regulatory consequences for misrepresentation.

Sometimes compliance is given an advantage, e.g. the law of evidence, the tax authorities (for the CGSB imaging standard).


Standards The standard could become a common-law

standard of prudent behaviour, so that failure to comply could be found to be negligence.

The standard could be adopted in legislation or regulations and made mandatory for some sectors or some purposes. (e.g. Canadian Standards Association or Underwriters’ Laboratories for electrical goods)

The legal effects may be indirect or private (e.g. give an ability to prove reliability of records)


The CGSB Standard and you The key rule of the Standard: think about it! In other words:

Make a policy about how e-records are managed Communicate the policy Implement the policy Monitor compliance with the policy Adjust the policy as required by circumstances

Have a policy manual that you can point to. Have someone responsible (CRO) (+ witness)


The CGSB Standard and you Characteristics of the Standard: high level language

it applies to lots of records it applies to lots of record-keepers

question: small and medium-sized enterprises technology neutral

it is flexible in its application now it is adaptable to evolution of technology it does not make business choices for its users


The CGSB Standard and you Complying with the Standard Authorization:

senior management have to buy in formally someone is put in charge responsibilities apply even if outsourced work the policy is documented, changes are documented

Electronic Records Management Program Policy” “closely aligned” with the information management

security policy


The CGSB Standard and you Policy contains statements on, among other

things, data file formats and version control enabling technologies quality assurance metadata capture and preservation information and records covered by the policy

includes physical and logical structure of info held by the organization

security classification and how to implement it


The CGSB Standard and you Policy contains statements on, among other

things (contd) security processes and procedures including

user authentication and permission control firewall protection systems backups disaster recovery

retention and destruction policies system and procedure audits for compliance


The CGSB Standard and you The Policy manual: Keep a manual complete and current

It may refer to other standards and procedures

It authorizes the life-cycle metadata of records

It tells how data is captured and stored It controls data migration and conversion

Indexing (self-explanatory)


The CGSB Standard and you Authenticated data output for legal proceedings:

you display the contents of the e-records by printouts or live display or electronic display (e.g. CD)

you have to be able to show that what you are displaying is the same as what is in the computer.

Signature of authorized person may be used have to document the reasons for any change

in format


The CGSB Standard and you Security and protection:

document details of all levels of access need notification of and protection against

unauthorized access to documents maintain environment according to suppliers’

recommendations and (inter)national standards encryption may improve security and integrity

need key management, certificate management take caution on self-modifying electronic records

consider use of time and date stamps document any correction of errors

control who has access to clocks


The CGSB Standard and you Audit trail: A historical record of all significant events

associated with the e-record management system date of storage of information movement of info from medium to medium evidence that controls operate and are effective

Provides evidence of authenticity of records Contains system- and operator-generated logs. Standard gives lengthy list of contents.


Conclusions E-records need extra care and control

Partly because of lack of familiarity Essence is integrity of information

measured over the life-cycle of the record Compliance with the Standard is a good way to

take the care required Compliance with the Standard will help in

meeting common-law and statutory tests of admissibility


Conclusions If your electronic records can meet these

tests, then evidence law does not make you produce the paper even if the paper still exists, i.e. you don’t have to

destroy it but you can BUT there are other laws that require retention

of records, e.g. tax law, industry-specific regs SO you may have to keep the paper anyway. A sound records retention and destruction

schedule can only help.


SOME SOURCES Uniform Electronic Evidence Act

http://www.ulcc.ca/en/us/index.cfm?sec=1&sub=1u2 Implementation status

http://www.ulcc.ca/en/cls/index.cfm?sec=4&sub=4d Ontario Evidence Act, R.S.O. 1990 c.E.23

as amended http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/90e23_e.htm

Canada Evidence Act R.S.C. 1985 s.C-5 as amended http://laws.justice.gc.ca/en/c-5/text.html

http://www.ulcc.ca/en/us/index.cfm?sec=1&sub=1u2





http://www.ulcc.ca/en/cls/index.cfm?sec=4&sub=4d







http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/90e23_e.htm







Some Sources Canadian General Standard Board

http://www.pwgsc.gc.ca/cgsb/home/index-e.html Chasse “Computer-produced records in Court

Proceedings” (1994 ULCC) http://www.ulcc.ca/en/poam2/index.cfm?sec=1994&sub=1994ac

CICA on Information Security principles and audits Information Technology Control Guidelines (3d ed.) http://www.cica.ca/index.cfm/ci_id/1004/la_id/1.htm Conference in March 2004 on Auditing IT systems www.cica.ca/itaudit


Some Sources Industry Canada – Authentication materials

http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwGeneratedInterE/h_gv00090e.html

- Authentication principles (draft 2003) http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwapj/

authentication_principles.pdf/$FILE/authentication_principles.pdf American Bar Association – “Record Retention

and Destruction: Current Best Practices” http://www.abanet.org/buslaw/newsletter/0019/materials/

recordretention.pdf

Documents

ELECTRONIC RECORDS INTEGRITY AND AUTHENTICITY AND STANDARDS OF EVIDENCE John D. Gregory