CIRA Archives - IPOsgoode /osgoode/iposgoode/tag/cira/ An Authoritive Leader in IP Wed, 08 Mar 2023 17:00:00 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 Legal Tug-Of-War: Protecting Privilege in Privacy Breach Disputes /osgoode/iposgoode/2023/03/08/legal-tug-of-war-protecting-privilege-in-privacy-breach-disputes/ Wed, 08 Mar 2023 17:00:00 +0000 https://www.iposgoode.ca/?p=40655 The post Legal Tug-Of-War: Protecting Privilege in Privacy Breach Disputes appeared first on IPOsgoode.

]]>

Sally Yoon is an IPilogue Writer and a 3L JD Candidate at Osgoode Hall Law School. M. Imtiaz Karamat is an IP Osgoode Alumnus and an Associate at Deeth Williams Wall LLP. This article was on the OBA’s Information Technology and Intellectual Property Law Section’s.


Privacy breaches are becoming commonplace in today’s business landscape and cybersecurity is top of mind for many organizations— and for good reason. Thefound that the number of breaches involving customer and employee information nearly doubled after the pandemic, and more businesses are reporting loss of customers from cyberattacks. This situation is exacerbated by the risk of litigation, as lawsuits are a legitimate consequence of a privacy breach. Ongoing activity in the privacy breach litigation space calls for organizations to re-examine their privilege strategies and prepare for potential scrutiny that may occur in the event of a dispute.

The Ongoing Litigation Risk

In 2022, Canadian courts continued to see litigation resulting from privacy breaches, with class actions being certified on the basis of a broad range of claims, includingԻ. There have also been significant developments in the jurisprudence for privacy breaches, such as the landmark release of three Ontario Court of Appeal decisions (Owsianik v Equifax Co.,;Obodo v Trans Union of Canada, Inc.,; andWinder v Marriot International, Inc.,) in late 2022 that clarified the scope of liability in data breach class actions for the tort of intrusion upon seclusion.

The continued litigation reminds organizations and lawyers to ensure their privacy breach response plans conform with best practices. This is not only limited to having a robust IT framework, but includes adopting legal procedures to provide adequate protection and support. Privilege is an essential component of privacy breach litigation and should be a priority in a response strategy. In a privacy breach, legal privilege permits an organization to obtain legal advice about the incident without having to worry that such communications and related documents will be disclosed to others. This is crucial for breach response efforts, when the fast-paced environment requires candid conversations between counsel and client. Privilege is also an essential aspect for litigation preparation, by allowing lawyers to create necessary resources without fear that these materials may be disclosed and potentially used against their clients.

A Brief Review of Legal Privilege

Solicitor-client privilege and litigation privilege are two types of privilege that are involved in privacy breach litigation.

  • Solicitor-client privilegecommunications between the lawyer and client; entails the seeking or giving of legal advice; and is intended to be confidential. It does not depend on on-going or anticipated litigation, and it isonce applied, unless waived by the client.
  • Litigation privilegeprotects documents and communications that were created or collected for the of litigation that is on-going or reasonably anticipated. The privilege terminates once the respective litigation ends.

Recent Canadian Privilege Disputes

Although not as extensive as other jurisdictions, Canada has seen privilege disputes in the context of privacy breaches. The outcome of these disputes are important teaching points for organizations intending to develop their own privilege strategy.

Kaplan v Casino Rama Services Inc.

InKaplan v Casino Rama Services Inc.,,a class action lawsuit was brought against the owners and operators of Casino Rama Resort (Casino Rama) following Casino Rama’s announcement of a large-scale cyberattack. During the certification stage of the lawsuit, Casino Rama relied on an affidavit that included information from reports of a cybersecurity company hired to investigate the incident. The plaintiffs requested production of the company’s reports, but Casino Rama declined on the basis of legal privilege.

The Ontario Superior Court of Justice (ONSC) found that if privilege was present, it would have been waived when the defendants disclosed and relied on information from the reports as evidence towards the size and scope of the class of persons affected by the breach. In its reasons, the ONSC said that “a party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue...” Therefore, the ONSC ordered production of the parts of the reports that related to the size and scope of the class of affected individuals.

LifeLabs Dispute

More recently, the privilege debate is being examined in the context of information provided to provincial privacy commissioners. In November of 2019, LifeLabs LP (LifeLabs) notified the Information and Privacy Commissioner of Ontario (IPC) and the British Columbia Office of the Information and Privacy Commissioner (OIPC) that it fell victim to a cyberattack, which resulted in personal health data of approximately 15 million customers being extracted from their systems. The IPC and OIPC commenced a coordinated investigation into the incident and demanded that LifeLabs produce certain documents relevant to the investigation. LifeLabs provided some of the documents but asserted litigation or solicitor-client privilege over others.

On March 30, 2020, in, the IPC rejected LifeLabs’ claim of litigation privilege over the documents on the basis that the dominant purpose for the creation of the documents was not litigation. The IPC also disagreed with LifeLabs’ claim for solicitor-client privilege because LifeLabs failed to provide adequate support that it met the requirements for solicitor-client privilege (i.e., that the information in issue was communicated in confidence between lawyer and client; for the purpose of seeking legal advice; and the parties intended it to be confidential). The IPC stated that the mere fact of communication between a lawyer and their client or the transfer of reports to in-house or external counsel does not support a claim of solicitor-client privilege. The IPC further noted that “…while underlying facts given to counsel could be part of the ‘continuum of communication’ protected by solicitor-client privilege…unless disclosure of the underlying facts would reveal or allow for inference of confidential solicitor-client communications, the underlying facts themselves do not attract the privilege”.

Following PHIPA Decision 114, LifeLabs provided the documents in issue to the IPC and OIPC, but maintained that it did not waive privilege by doing so. In May 2020, the Commissioners advised LifeLabs of the information from the documents that they were contemplating using in their final report, which led LifeLabs to submit additional evidence and arguments to the IPC and OIPC in support of its privilege claim over the documents. However, in June 2020, the IPC and OIPC issued a joint decision (the Privilege Decision) that rejected LifeLabs’ claims.

In response, LifeLabs commenced applications for judicial review of the Privilege Decision in both Ontario and British Columbia. In the application, LifeLabs argues that the Privilege Decision was wrong in law in rejecting its privilege claims and challenges the IPC’s power to compel production of privileged documents. This matter is still ongoing in the courts, with relatedbeing heard as recently as late January 2023.

Developing a Privilege Strategy

With the above disputes in mind, it is important for organizations to develop a privilege strategy for responding to privacy breaches and preparing for potential litigation. These are some general best practices to keep in mind:

  1. Preparation:Prior to a privacy breach, businesses can ensure that they have a comprehensive breach response strategy, which addresses retaining legal counsel and considerations for protecting legal privilege. This strategy should be regularly updated to remain current.
  2. Consulting Legal Counsel:Contacting external legal counsel is a top priority upon learning of a potential breach. This allows the organization to begin obtaining the necessary legal advice to immediately respond to the matter; and reinforces claims of privilege from the start. If the organization already has internal legal counsel that has been notified of the incident, it may still be prudent to retain external counsel. This is due to in-house counsel often providing both business and legal advice, which may result in heavywhen claiming privilege in a dispute. Retaining external counsel in a breach response would reinforce that the advice being given is legal, as opposed to business-related.
  3. Control Communication Flow:In addition to ensuring that counsel is included in privileged communications, the distribution of such communications can be controlled and limited to only the necessary parties (including the necessary members of the organization), with the intention to limit distribution and preserve confidentiality. As part of the organization’s preparation, it can work with counsel to establish how information is to be communicated, the recipients of such information, and proper labeling practices (e.g., marking documents as “Privileged and Confidential”).
  4. Consider Privilege with Third-Party Service Providers:Communications with third party service providers may be considered privileged when made for the purpose of helping counsel provide legal advice to the affected organization. This includes the use of cyber forensic experts to investigate a privacy incident and generate reports at the request of legal counsel. Where possible, third parties may be jointly retained by external counsel and the organization; and the terms of the retainer and supporting documents should reflect the legal nature of the engagement. The third party can also seek instructions and report to external counsel.
  5. Caution When Divulging Privileged Information:Organizations intending to maintain privilege should be cautious when disclosing privileged information to external parties. This includes being on the alert for inadvertent disclosure of privileged information in legal proceedings. It may also include stating that the organization does not intend to waive privilege by responding to disclosure demands from regulators.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.

The post Legal Tug-Of-War: Protecting Privilege in Privacy Breach Disputes appeared first on IPOsgoode.

]]>
Revenge and Domain Name Seizure: CIRA Allows Transfer of Registration of Domain Names Used for Personal Attacks /osgoode/iposgoode/2014/05/07/revenge-and-domain-name-seizure-cira-allows-transfer-of-registration-of-domain-names-used-for-personal-attacks/ Wed, 07 May 2014 17:26:48 +0000 http://www.iposgoode.ca/?p=24664 In March 2014, a single member Canadian Internet Registry Association (CIRA) panel allowed the transfer of two domain names which consisted, in both cases, of the personal names of people involved in a dispute with an unsatisfied former customer. The decision of the panel could preserve individual privacy rights online. It also serves to protect […]

The post Revenge and Domain Name Seizure: CIRA Allows Transfer of Registration of Domain Names Used for Personal Attacks appeared first on IPOsgoode.

]]>
In March 2014, a single member Canadian Internet Registry Association (CIRA) panel allowed the of two domain names which consisted, in both cases, of the personal names of people involved in a dispute with an unsatisfied former customer. The decision of the panel could preserve individual privacy rights online. It also serves to protect the reputation of the people who were involved (allegedly in unfavourable, distasteful and aggressive ways) in the Registrant’s campaign against Manulife Financial Affinity Markets. However, the decision shows serious shortcomings in the policy which provides the framework for domain name disputes in Canada.

 

The aforementioned decisions show how awkwardly the CIRA dispute resolution framework functions when applied to a new situation: a complaint based on the bad faith use of a personal name as a domain name. The (CDRP) typically contemplates complaints based on financial interests rooted in valid trade-mark rights, not simply in the valid personal interests of complainants. This situation is unfortunate, as these types of proceedings may become more frequent in the future.

Background: Revenge on the Internet

The two decisions, heard together, involve two Complainants - a working in Client Relations at Manulife Financial Affinity MarketsԻacting as General Counsel for the same company - and a single Registrant,a former customer of the Complainants’ employer.

The Registrant (who took no part in the proceedings) was unhappy with certain decisions made by Manulife which may have cost him money. In response to his dissatisfaction with the company, and with the Vice President in particular, he registered the Vice President’s personal name as a domain name, and threatened to use the domain to harm the Complainant’s reputation.

At the time of the complaint, the domain name had resolved to a website which displayed pornographic images. The Registrant also allegedly promised to drop by the Vice President’s home to discuss the matter, and made other comments which were described by the Panelist as “threats” which “had a personal tone.”

In response,the lawyer working for Manulife sent the dissatisfied customer an email addressing the registration of the domain name andadvising him that a visit to the Vice President’s house would be treated as a trespass. The issue was not resolved, and the Registrant soon registered another domain name, this time using the personal name of the lawyer. He threatened to provide personal information about her and her family on the new website.

The email exchanges between the Registrant and the lawyer, while not publicly available, were described by the Panel as “angry and condescending.” Exchanges between the lawyer and the dissatisfied customer apparently included statements by the customer that the Internet was a “dangerous place,” and carried the implication that information included on the website about the lawyer and her children could cause them harm.

Both the General Counsel and the Vice President filed complaints against the former customer on 13 November 2013, seeking to have the domain name transferred to avoid further threats and potential damage to their reputations.

The Policy, the Law and the Problem of Personal Names

The (CDRP) can allow for the transfer of ownership of a domain name registration under paragraph 3.1 where

  1. The Registrant’s dot-ca domain name is confusingly similar to a Mark in which the complainant had Rights prior to the date of registration of the domain name and continues to have such Rights;
  2. The Registrant has no legitimate interest in the domain name (as described in the CDRP); and
  3. The Registrant has registered the domain name in bad faith (also as described in the CDRP)

The term “Mark” also has a specific definition under paragraph 3.2 of the CDRP. This definition closely tracks definitions in ss. 2 and 4 of the Trade-marks Act (), in that it requires that the Mark be used for the purpose of distinguishing one’s goods and services from those of another.

Both the CDRP and the Trade-marks Act are concerned about preserving the use of one’s personal name from protection, in order to enable people to honestly conduct business under their actual names. However, both the Act and the CDRP address this defensively:

  • The Trade-mark Act provides that a Mark is not registrable if it is primarily merely the name or surname of an individual who isliving or who has died within thirty years of an application (under ).
  • The CDRP protects the ability of Registrants to operate websites under their own name in subparagraph 3.1(b), where the personal name of the Registrant constitutes a “legitimate interest” under subparagraph 3.4(e).

Neither the CDRP nor the Trade-marks Act recognize a form of rights which arise from one’s personal name outside the use of that name for the purpose of distinguishing one’s goods and services from another. Essentially, the CDRP lays out a procedure for protecting the commercial interests of trade-marks or trade names, and minimizes those protections where the Registrant of a domain name operates a website that is, in fact, his or her name (or a name by which he or she is commonly known).

Under the CDRP, as under the Trade-marks Act, a personal name can be used to block or reduce the scope of protection afforded to a Mark, but cannot necessarily be used as a sufficient basis to give rise to trade-mark-like rights on its own. To establish rights, the crucial factor is the presence of distinctiveness in the context of commercial activity, not the legal name of persons involved in a proceeding.

Solving the Problem Using the CDRP

The approach taken by the CDRP and the Trade-marks Act leads to a problem. In order to obtain relief under the CDRP, a person whose name has been registered in bad faith as a domain must prove that his or her name is a “Mark” using the same kind of evidence and reasoning that he or she would use to prevent his or her name from becoming a “Mark” under the Trade-marks Act.

The CDRP was not written to protect the personal or reputational interests Complainants may have in registered domain names. Even though this problem may be an issue which needs to be addressed, and which poses a substantial problem that should be resolvedin the interests of public policy, the situation which the CDRP was meant to address is in fact more narrow. The CDRP protects the valid commercial interests of firms or people operating under a distinctive name. It does not explicitly protect other valid, personal interests individuals may have in registered domain names.

The panel reasoned around this problem by positing that certain kinds of professionals use their personal names in the promotion of their services, and as the professionals in question have promoted their services under this personal name, that name has effectively acquired distinctiveness. In this manner, “professionals treat personal names as trade names or trade-marks.” Thus, the decision of the panel seems to closely track a “acquired distinctiveness” argument for allowing a mark which is barred from registration under s 12(1)(a) and (b).

Problems for the Future

Here, it would have been unacceptable to the Panelist (and most likely to the public at large) to allow the Registrant to continue abusing the domain name system in this manner. However, the Panelist was confined within the parameters of a policy that was ill-equipped to solve disputes of such apersonalnature. Using the restrictive definitions of the CDRP, the Panelist achieved the best outcome by avoiding the deficiencies of the CDRP entirely, and holding that the Complainants had common law trade-mark rights in their personal names. Yet the decision shows that the policy itself contains a major flaw, and the workaround may have unintended consequences in the future.

For instance, if a private individual is not part of a professional class in which a member uses his or her name to promote a service, does that mean this person cannot use the CDRP to transfer a domain name registered in bad faith for the purpose of spreading sensitive, personal information about that individual on the Internet?

In addition, if a Registrant provides evidence that a large number of professionals share a name with a complainant, would this mean that the complainant cannot prevent the bad faith registrant from maintaining control of the domain name and continuing to operate a hate site, since for that professional the name lacks sufficient distinctiveness?

Libel laws and privacy laws may help fill in some of the gaps, but unlike the administrative proceedings offered by CIRA, civil actions are often prohibitively expensive for private individuals. Ultimately, the new realities of the Internet era show that the CDRP may have been too narrowly drafted – and there are legitimate needs which the policy may not address.

David Bowden is an IPilogue editor and a JD Candidate at Osgoode Hall Law School.

The post Revenge and Domain Name Seizure: CIRA Allows Transfer of Registration of Domain Names Used for Personal Attacks appeared first on IPOsgoode.

]]>
CIRA Updates .CA Domain Name Dispute Rules /osgoode/iposgoode/2011/08/04/ciraupdatescadomainnamedisputerules/ Thu, 04 Aug 2011 15:29:27 +0000 http://www.iposgoode.ca/?p=13432 Taylor Vanderhelm is a JD candidate at the University of Alberta. The Canadian Internet Registration Authority (CIRA) has announced that it will be introducing changes regarding domain name disputes under the CIRA Domain Dispute Resolution Policy (CDRP). These changes will help bring the CDRP in line with the Uniform Domain Name Dispute Resolution Policy (UDRP), […]

The post CIRA Updates .CA Domain Name Dispute Rules appeared first on IPOsgoode.

]]>
Taylor Vanderhelm is a JD candidate at the University of Alberta.

The has announced that it will be introducing changes regarding domain name disputes under the . These changes will help bring the CDRP in line with the , which is used for , as well as the resolution policies of other major (country code top-level domain) registries. The changes will become effective August 22, 2011.

As a non-profit corporation, CIRA is responsible for managing Canada’s .CA domain extension. CIRA maintains a and is also responsible for executing and enforcing registrations of the .CA ccTLD. Additionally, they maintain a publicly accessible .

will deal with several issues, most notably, the meanings of “use,” “confusingly similar,” and “bad faith.” The alterations by CIRA can be seen as refinements as they will leave the meat of the current CDRP policy intact. The most significant modifications to the policy include: the removal of conditions involving the “rights” and “use” of a trademark; a clarification of the “confusingly similar” test to favour a narrow resemblance test in place of the broader traditional test for confusion; shifting the list of bad faith and legitimate interest factors to be non-exhaustive; the inclusion of a bad faith factor for using a domain name for commercial gain; and the elimination of a required use provision for generic domain names before a legitimate interest can be established.

Other less momentous updates to the CDRP policy also include: a clear definition regarding the date of registration; a shortening of the implementation of CDRP decisions from 60 to 30 days; an option for electronic filing of complaints and submissions (which will become mandatory after 1 year); an inclusion of terms now allowing CIRA to transfer a domain name during a dispute under certain circumstances; and finally, a separation of filing and panelist fees for complainants.

These modifications will enable CIRA to stay up-to-date with current best practices in ccTLD management and should help streamline the CDRP procedure for everyone involved. , see the as well as the .

The post CIRA Updates .CA Domain Name Dispute Rules appeared first on IPOsgoode.

]]>