The internet as a corporate security resource – tactics, tools and techniques
Dan Michaluk, March 19, 2015
This organization has been approved as an Accredited Provider of Professionalism Content by The Law Society of Upper Canada. This program contains 0.25 Professionalism Hours. This program is eligible for up to 0.75 Substantive Hours.
Outline
• Legal framework
• Tactics
Legal framework
• Statutory, common law and criminal
• Very contextual analysis about what is and is not permitted, without a bright line
• Law reduces to one question – is the investigation tactic reasonable in light of all the circumstances?
• Judges must recognize that investigation requires some "exploration," but we can't expect a blessing for aimless probing into private matters ("fishing")
Legal framework
• PIPEDA section 7(1)(b) permits collections
• it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
Legal framework
• PIPEDA section 7(1)(d) permits collections of some kinds of publicly available information
• personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information
Legal framework
• PIPEDA 7(1)(d)
• The "appears in a publication" requirement will limit, but there is a question of how much – doesn't expressly say "formal publication"
• Addressed in one case that doesn't say much
• Argument – implied consent to collection for some purposes (e.g., to conduct a threat assessment)
• Consider – applicability of Charter expression right
Legal framework
• Labour arbitrators often recognize privacy interest and balance management rights against a privacy interest
• Courts now can hear a privacy tort claim
• Unauthorized intrusion
• Upon a reasonable expectation of privacy
• Highly offensive to the reasonable person
Legal framework
• Criminal Code
• Section 342.1 – Hacking
• Section 402.2 – Identity theft
• Section 403 – Identity fraud
Legal framework
• Law Society – General rules
Legal framework
• Law Society – Rule 5.1-2
• When acting as an advocate, a lawyer shall not
Legal framework
• Law Society – Rule 7.2-6
Legal framework
• Law Society – Rules 5.1-5 and 5.3-1
Tactics
• Nine tactics in the following slides
• Three purposes
• Investigations
• Background checks
• Intelligence
• Assigned a risk score (1 = low risk, 10 = high risk)
Tactics (Investigations)
• Receiving unsolicited evidence from a friend
Tactics (Investigations)
• Receiving unsolicited evidence from a friend
• Risk score = 1
• An employer may often have a duty to receive and "process" this evidence
• Numerous cases in which this evidence has been used without dispute – e.g. Sheridan College (Rowe)
Tactics (Investigations)
• Wait, confront and ask for production
Tactics (Investigations)
• Wait, confront and ask for production
• Risk score = 1
• Mixed law on "right to silence," but non-cooperators open themselves to an adverse inference
• Privacy likely to be a weak defence for social media publications (see M Picher cell record cases)
• Think about scope of request, manner of production and risk of modification
Tactics (Investigations)
• Searching open internet for evidence
Tactics (Investigations)
• Searching open internet for evidence
• Risk score = 3
• Permitted but may be challenged
• Cleanest defence = reasonable for investigation
• Document purposes
• What is the relevant evidence?
• Or, is the search to test veracity/credibility of statements/defences? To identify witnesses?
Tactics (Investigations)
• Requesting "protected" evidence from a friend
Tactics (Investigations)
• Requesting "protected" evidence from a friend
• Risk score = 7
• The employee may become your agent in allowing unauthorized and unexpected access
• By all means question to gather evidence
• Then say, "Thank you. If you have anything else you wish to bring to our attention please let us know."
Tactics (Investigations)
• Gaining unauthorized access to a SM account
Tactics (Investigations)
• Gaining unauthorized access to a SM account
• Any means (finding login credentials, under false pretenses)
• Risk score = 10
• It happens
• Calgary Police Service
• Moore's Industrial Service Ltd
Tactics (Background Checks)
• Background check of open internet with consent
Tactics (Background Checks)
• Background check of open internet with consent
• Risk score (1 to 10) = 1
• Until amended, PIPEDA arguably does not apply
• Risks are manageable: (a) defer, (b) demonstrable need, (c) objective criteria, (d) not decision-maker, (e) written report and (f) validate negative information
Tactics (Background Checks)
• Background check of open internet without consent
Tactics (Background Checks)
• Background check of open internet without consent
• Risk score (1 to 10) = 3
• Risks arguably increase when PIPEDA is amended to apply to candidates for employment
• Manage risks per the suggestions above
Tactics (Background Checks)
• Background check of protected spaces with consent
Tactics (Background Checks)
• Background check of protected spaces with consent
• Risk score = 7
• Conduct a supervised search, don't take login credentials
• Permissible, but significant non-legal risks
• Awkward, employee relations and public affairs risk
Tactics (Intelligence)
• Using internet data for preventative purposes
Tactics (Intelligence)
• Using internet data for preventative purposes
• Risk score = 5
• Primary risk is derived from PIPEDA consent rule
• Risk mitigation
• Target activity (e.g. event monitoring), not people (e.g. adversarial group reports)
• Favour surveillance (looking for exceptions) over intelligence gathering (building a dossier)