eDiscovery in Canada: The Case for a more Rigorous Approach to Collection, Preservation, and Production – A.S.A.P.
December 3, 2012
eDiscovery compliance is a growing but under-appreciated challenge.
I was reading an article entitled “Social media and your eDiscovery strategies”, and it re-affirmed my view that the law, eDiscovery practice and procedure, and the courts will all need to undergo a continuous paradigm-shift in order to adjust to the new wired world in which we live, work, and “try to” relax. I wrote some time ago of the dangers of User-generated Legality Issues (UGLIs) in social media, and the impending challenges of addressing them. Suits regarding these UGLIs will require (and mandate prior diligence in and adoption of), good and sustained collection and preservation techniques.
Canada’s strong protections, coupled with weak collections, may yet prove costly.
The Supreme Court of Canada has found that there is no secondary liability from mere linking (without more) to a defamatory site with regard to online defamation through libel or slander. More recently, with regard to cyberbullying, the Court has also found that an alleged victim of same, who is a minor, need not disclose his or her identity merely in order to confront an alleged cyberbully. Anonymity of victims is protected, and the accused in some cases will, likewise, be protected against liability. However, in cases where the facts as presented are more indicative of malice or premeditation, the accusers and the accused will (and must), first be judged on their own merits by the lower courts.
Now, with a rise in the number of employers permitting their directors, officers, employees, contractors, agents, volunteers, and assigns to access proprietary work, and non-work third-party platforms with their own portable devices (BYOD) and through clouds in multiple jurisdictions, the question of how best to monitor this and retain a record in case of future-arising UGLIs, becomes very pressing. Speaking recently with a colleague who, like me, is also dually licensed in both the Canada and the United States, we agreed that it is increasingly likely that a Canadian entity will face significant eDiscovery sanctions for failing to “collect, preserve, and produce”, with regard to some litigation or regulatory matter venued in the Continental United States. The reason for this is the vastly divergent approaches to eDiscovery currently prevailing in each of these two nations, and the high possibility that a presiding U.S. judge may conclude that a foreign business entity, including a Canadian (or other nation’s) business entity:
- Physically doing or attempting to do, business in the United States; or
- Listed on a United States Exchange and/or sourcing funds in the United States; or
- Hosting servers accessed by clients or employees in, or minors of the United States; or
- Involved in a U.S. entity change of control or character (merger, acquisition, dissolution); or
- Having some intellectual property registered in the United States, even if solely exploited offshore – whether or not lawfully; or having some intellectual property exploited in the United States – whether or not lawfully, even if registered offshore including in a tax-advantages jurisdiction or a bare I.P. holding company; or
- Employing United States Citizens or Permanent Residents, even if based/working outside the United States; or
- Possessing some other qualifying, identifiable “nexus” of connections to the United States;
should have been aware of, and have appropriately addressed in advance, its actual and potential eDiscovery obligations; failing which it will be forced to face the full spectrum of onerous eDiscovery sanctions then and there available. Indeed, caselaw and commonsense would tend to indicate prior and near blanket consent to extraterritorial application of the full panoply of U.S. eDiscovery obligations and their related sanctions in most if not all of the above circumstances.
Let us consider a fictional scenario. A major Canadian entity (incorporated provincially or federally but with its principal office in Ontario), is hailed into U.S. state court, and the Complaint includes a voluminous request for eDiscovery production. Being well-advised by U.S. counsel on the suit’s implications for their I.T. department, their legal and compliance departments, and of the necessary and significant costs to be involved in the document review and production – as well as the scope of sanctions for non-compliance through failure to produce and insufficient disclosures, the entity immediately realizes that its information governance regime, as based in and controlled from Canada, is not configured to have collected and preserved the required materials. This makes speedy production in response to the suit request, a major issue. They therefore resolve to put up a vigorous defence; reserving for later the Motion to Dismiss for Failure to State a Claim upon which Relief can be Granted.
Assuming no deficiencies in process and service of process, they initiate their motion practice asserting improper venue, lack of personal jurisdiction, lack of subject matter jurisdiction and seeking to compel arbitration in accordance with the underlying contract, and seeking judicial notice of Canadian discovery procedures which they argue should be applied in their case. U.S. Judges will likely find that the venue is proper, that they have both personal and subject matter jurisdiction – ignoring the arbitration clause on appropriate grounds (first instance matter, public policy, judicial efficiency, undistinguished precedent from another state, or apparent flaw or inconsistency), and that U.S. eDiscovery rules and procedures shall apply. Best practice would also counsel seeking Additional Time in which to Answer, and quiet but hurried efforts on the back-end, to bring the Canada-bound datasets up to a properly “eDiscoverable” standard. The bolder entity might even also assert a Civil Rights claim in a U.S. District Court (federal), or a Bill of Rights claim (state or federal).
The Defendant may then seek removal to federal court on appropriate grounds, including any avenue available under an applicable multinational treaty or accord, or any bilateral investment protection agreement. If removal is unsuccessful and/or a collateral attack is permissible, then a separate action may be commenced with naming of the Canadian government as a necessary party. Additional joinder of, or intervention may be sought by, other Canadian entities in the same industry, or that foresee themselves facing a similar situation in the future, as well as the European Union, Directorate General for Justice (Privacy and Data Protection Division).
Media publicity will build, interest groups and politicians will get involved, and serious questions will be asked regarding boycotts and embargoes, corporate discrimination, and the unwelcome extraterritorial application of domestic laws as opposed to consensual application of domestic law to domestic and foreign entities as a cost and prerequisite of doing business in a given jurisdiction.
At this point, the crystal ball goes cloudy, and Scenario A will play-out to its yet unknown conclusion. Major sticking points will revolve around the long-arm jurisdiction of U.S security laws with regard to information held on or passing through servers based in the United States (i.e. a vast majority of the Western World’s email providers – as well as possibly anything and everything physically or electronically sent to the United States in response to an eDiscovery request, which might be subject to warrantless “sniffing expeditions”), and the Canadian and European privacy protection regimes, which are significantly more developed and expansive than anything currently available in the U.S. This stems from the standard disclosure language seeking “any and all”, and the strong likelihood that fishing expeditions will uncover many other things that are “apparently” protected under those privacy laws.
It is entirely possible that an eDiscovery business segment tailored to U.S. standards will grow and thrive in Canada in the near future; significantly raising the cost for Canadian entities to do business in the U.S. to the extent that some will withdraw. If Canadian businesses pull back en masse, then U.S. (or European, Asian, African, or Latin American) businesses will step-in and take-up the slack, purchase their assets, and U.S. unemployment numbers will go up or down, as a result of mergers and restructuring.
It is also possible that a political compromise will be reached, with a Canadian version of U.S. eDiscovery that might be or become colloquially known in the United States as “eDiscovery Lite/North”. If U.S.-style eDiscovery is further exported to Canada, then U.S. discovery experts will find steady business across Canada through service provision, best practices seminars, and publications. The same will be true for Canadian provides of their model is the one finally favoured for export to the U.S.
Online risks are now much better known and appreciated.
Within the past 10-15 years, judges in many jurisdictions experiencing the internet’s infancy could have been met with a case of online defamation and seen it as “not such a big deal”, no matter how hard counsel and client might attempt to prove otherwise. I have been there, and it was in the early 2000s! However, in this increasingly interconnected world where a social/antisocial message or web posting (blog, email, tweet, viral video, text) can inspire worldwide riots within a matter of moments that spread and escalate over many hours and time zones as others are alerted and fired-up in series, and where people can lose both their lives, and their jobs, as a result of some public disclosure of private facts, the bench clearly no longer has that luxury.
Businesses should therefore try to stay ahead of the eDiscovery curve.
Of course, prevention is better than a cure. Tools for this will range, of necessity, from outright bans, through strong social media usage policies, to increasingly pervasive and intrusive monitoring – both by employers and by governments. The last option, being relatively easy to maintain and scale-up or -down once commenced, seems increasingly likely to become the new normal with some regulators – albeit in fits and starts, because many medium-as-message consumers who already and quite willingly share voluminous details of their personal work, lives, and relationships online, perceive each incremental step as “not such a big deal”, no matter how hard privacy pioneers might attempt to prove otherwise.
The ball is still in the air on this one. Although we can prepare policies in advance as doing nothing is excluded as a viable option, we still have to wait for the ball to land. And even then, it can always roll in any of many unpredictable directions (being round), or be sent flying, once again. This new world must be brave (and patient), as it slowly (and not always hesitantly) goes where no world has gone before.
Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States). He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). See: http://www.ogalaws.com
He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams. See: http://www.simprime-ca.com
Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).
Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.
This article does not constitute legal advice or create any lawyer-client relationship.
 Barry Murphy. Social media and your eDiscovery strategies. Published on TechRepublic, November 21, 2012. Online: >http://www.techrepublic.com/blog/tech-manager/social-media-and-your-ediscovery-strategies/8051?tag=nl.e101&s_cid=e101<.
 See Crookes v. Newton, 2011 SCC 47,  3 S.C.R. 269 (decided October 19, 2011). Online: >http://www.canlii.org/en/ca/scc/doc/2011/2011scc47/2011scc47.html<.
 See A.B. v Bragg Communications, Inc., 2012 SCC 46 (CanLII). Decided September 27, 2012. Online: >http://canlii.ca/en/ca/scc/doc/2012/2012scc46/2012scc46.html<.
 In response to a patron’s bad restaurant review, an Ottawa restaurant owner who created a fake profile and posted fake (and lewd) personal details online, and then transmitted fake email messages to the patron’s employer using that fake profile, has now paid a price. After being found guilty of defamatory libel on September 6, 2012, “[s]he was sentenced Friday (November 16, 2012) to 90 days in jail and two years probation and ordered to take an anger management course, receive mandatory counselling and work 200 hours of community service”. She has appealed her sentence. See CBC News. Cyberbullying Ottawa restaurant owner gets bail. Posted on cbc.ca, November 22, 2012. Online: >http://www.cbc.ca/news/canada/ottawa/story/2012/11/22/ottawa-restaurant-owner-gets-bail-after-libel-sentencing.html <. See also Tony Spears. Cyberbullying Ottawa restaurateur gets jail time. Published on http://www.torontosun.com, Friday, November 16, 2012. Online: >http://m.torontosun.com/2012/11/16/cyberbullying-restauranteur-gets-jail-time<
 See Ekundayo George. What about hospital BYOD? Published October 7, 2012, on www.ogalaws.wordpress.com Online: >http://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/<.
 In Ontario, Canada, each party in litigation prepares and serves on the other party/parties an Affidavit of Documents, stating who has what, what is available for disclosure, and what is not, including those over which any privilege is asserted. There are generally no massive and all-pervasive requests that cut clean across the board. See R. 30.03(2) – Contents. Then, Requests to Inspect will be served (R. 30.04), and even though the court may still order production, neither its disclosure nor production is an admission of the relevance of any document (R. 30.05). Rules of Civil Procedure, Ontario. R.R.O. 1990, Regulation 194. Online: >http://www.e-laws.gov.on.ca/html/regs/english/elaws_regs_900194_e.htm<.
 Id. Rules of Civil Procedure Ontario. The Sedona Canada Principles for addressing eDiscovery do exist and are available for incorporation in any Discovery Plan, to which the parties must now agree within a specified time (R. 29.1 – Discovery Plan). However, the Ontario scheme is more of a gentleman’s agreement formula, and the court is reluctant to intercede or force the issue (except in preparation for trial as under R. 20.05), as opposed to the U.S. model where judges are and remain quite active at all stages of the matter and not every litigious matter is characterized by or conducted with, a high level of civility. See also The Sedona Conference, 2012. E-discovery Canada – About. Published on lexum.org. Online: >http://www.lexum.org/e-discovery-web/about.do<.
 Cartoons, movies, new laws, beauty pageants, governments old and new, and new Constitutions are amongst the many items to which some people, somewhere, have taken some sort of offence, of late and to date.
 Kelly Heyboer/Star Ledger. Rutgers freshman is presumed dead in suicide after roommate broadcast gay sexual encounter online. Posted on www.nj.com, Wednesday, September 29, 2010. Online: > http://www.nj.com/news/index.ssf/2010/09/hold_new_rutgers_post.html<.
 Noah Shachtman and Spencer Ackerman. Petraeus Resigns From CIA After Feds Uncover ‘Extramarital Affair’. Published November 9, 2012, on www.wired.com. Online: >http://www.wired.com/dangerroom/2012/11/petraeus-down<.
 Matt Sledge. ECPA Amendment Passes, As Senate Judiciary Votes To Require Warrant For Email Snooping. Published November 29, 2012, on www.huffingtonost.com. Online: > http://www.huffingtonpost.com/2012/11/29/ecpa-electronic-communications-privacy-act_n_2211889.html<.
 This is a gratuitous tribute to the futuristic 1931-1932 novel by Aldous Huxley, entitled Brave New World. Online: >http://en.wikipedia.org/wiki/Brave_New_World<.
 This is a gratuitous tribute to the original Star Trek series of the science fiction entertainment franchise bearing the same name or a related name, and its motto for the original cast under Captain James Tiberius Kirk (William Shatner), which was: “to boldly go where no man has gone before” (later changed to “no one” in its subsequent spinoffs with a more politically correct, gender neutral appeal). Online: >http://en.wikipedia.org/wiki/Star_trek<.
January 3, 2012
Since the “dot-com” era began, many Internet-driven businesses have come and gone. Some resurfaced in a new guise, but others were never to be seen or heard from, again. Why was this so, and what did some of them do correctly, that others did wrongly? I think those that failed, did so for not meeting 1 (“one”) or more of the 7 (“seven”) checkpoints in the e-Commerce success formula, applicable both in the times gone by and in the current climate. As further detailed below, these are: Acceptable Service Levels; Security; Policies and Privacy; Intellectual Property Rights (I.P.R.); Regulatory Compliance; Enforcement; and Dedicated Cashflows.
1. ACCEPTABLE SERVICE LEVELS: If and when offering a service or product to the public, then the quality of that offering must be acceptable. Bad product or bad service, leads to bad reputation. With the current pace of word-of-mouth advertising through Social Media, a company’s reputation can be tanked, with a quickness. Why spend so much time generating all that buzz, and then bet the company by offering something that is a substandard product (bug-infested), a service that is obviously not quite yet ready for primetime (the wider, mass market), or something that is otherwise badly managed in the initial rollout (going cheap on the launch)?
This may have worked for some businesses in the past, and it may still be tried in some cases by those businesses feeling secure or carefree enough with the substantial following for their product or service, or suite of same. But, today? No way!! Beta testing is available for a reason. Use it! The more alternatives that proliferate, and providing that there is a relative inelasticity in providers, the less tolerant the market will be for mediocrity and unacceptable service levels.
2. SECURITY: Of course, the company crown jewels (I.P.R., trade secrets including strategies and customer lists, and so forth), must be secured. If not, then the model can be replicated either without shame and by an obvious copycat, or through reverse engineering with a very good idea of where they need to go, from having the product, your product, right there in front of them. Physical security, electronic security, and a security frame of mind, must permeate the business and the workforce from top to bottom, in order to hit this checkpoint right.
The added networking functionalities that Social Media now gives to developers, programmers, and scientists, coupled with the fact that massive amounts of raw and unencrypted data can be lost (and are being regularly lost) on smartphones, laptops, and through online theft and hacking, means that achieving comprehensive Cybersecurity is no easy task, as I have already blogged. You may notice that some of the largest, most successful, longest-lasting e-Commerce successes are entities with a very zealous dedication to security. Obviously, there are good reasons for this.
3. POLICIES and PRIVACY: It is also vitally important to have effective and comprehensive policies on a variety of topics, so that there are no fatal gaps in employee guidance as to the policies and procedures that they need to follow in specific circumstances, or in those very tricky or novel situations where the guidance of other employers may be found lacking due to imprecision, or a lack of clarity, or a failure to consider and plan for such an eventuality – even by providing a dedicated line on which employees may call for guidance from a responsible person in the company. Situations that should be policy-covered include but are not limited to, privacy breaches, emergencies and complex emergencies, Social Media usage, employee hiring (with appropriate background checks) and termination (with exit interviews and securing of access permissions and company property), and privacy and security, generally.
Where policies are lacking, employees may well take the initiative. There is nothing wrong with having employees who can think for themselves, especially in a knowledge-driven economy or an Internet-driven business. However, where employees lack the critical additional knowledge, subject matter expertise, or general leadership training and discipline to know what is best for the company and also in accordance with law, their initiative may initiate a problem, or two, or three. Sometimes extrication is simple, and sometimes, it comes at a very steep price, including personal liability for directors and officers, very steep fines and regulatory penalties, lawsuits with their companion legal costs and expenses and insurance coverage disputes, and even destruction or dissolution of the company as a going concern. It is better to lead and set the tone with a coherent policy, after careful business consideration and consultation with legal counsel.
4. INTELLECTUAL PROPERTY RIGHTS (I.P.R.): Where the entity owns and has developed its own I.P.R., then this should be protected, of course, through proper registration and ongoing monitoring. It is not prudent, and very much ill-advised, to put a branded product or service on the market without first ensuring that the name chosen, is available and free for use. Otherwise, a flashy and expensive marketing campaign may lead directly to a messy and expensive legal battle for I.P.R. infringement or misuse. This could be ruinous if the seed money or risk capital has already run out or nearly run out, and whether or not the deep-pocketed investors get frightened-away by that kind of rather costly, and potentially very bad publicity.
Similarly, the unauthorized use or willful misuse of the I.P.R. of another, can bring severe and negative consequences through suits and injunctions. Even where the law is unclear or imprecise and with apparent loopholes, this does not prevent an incensed litigant or an ambitious prosecutor from applying novel theories and significant resources to make a test case stick, or to prove a point, or to chill or still the fervor of any and all who might think to follow a bad lead.
5. REGULATORY COMPLIANCE: All of the foregoing ties-in with regulatory compliance. This does not just apply to industry-specific regulations, but also to national laws; laws of the municipality, state, and province, as appropriate; and any International or otherwise multijurisdictional accords and protocols that may be or become relevant, or applicable, or appurtenant to the business or the business model in question.
Having a good idea of what is being planned or proposed, and where possible, being able to chime-in on the debate through a trade or industry group, are best practices. It is better to know, plan, and prepare, than to be suddenly surprised. Sometimes, even with the delayed applicability of new laws and regulations, the time, cost, and efforts required to become fully compliant – let alone the fines and penalties for failing to be so compliant – can be a drain on resources and an unwelcome distraction from the core mission.
6. ENFORCEMENT: Additionally, all company policies must be regularly communicated, enforced, and audited for the degree of compliance therewith; otherwise the company may face more than its share of User-generated Legality Issues (UgLIs). As for leadership in this endeavor, even in a smaller company, it can be highly advisable to have both a Chief Compliance Officer and a Chief Privacy Officer.
To the extent that a candidate is qualified, both of these titles may be held by a single, double-hatted individual. However, if that is the case, then it is advisable that the person hold no third portfolio, as the pace of development in both of those areas will keep him or her more than sufficiently occupied. Indeed, many an entity may find it more affordable and prudent to have a limited In-House capacity in both of these areas, but outsource the bulk of its needs for guidance in privacy and compliance to legal providers who can promptly deliver legal updates and customized policies, in conjunction with occasional audits, and tweaking as the business matures and moves though standard and non-standard cycles, or other critical events (mergers and acquisitions, litigation, regulatory investigations, public offerings and buybacks, or insolvency).
7. DEDICATED CASHFLOWS: The initial dot-com heydays were replete with businesses that sold nothing, gave away copious amounts of services or software or both of these for free, and essentially, burned through cash as though the patience of their dedicated investors would never end. Eventually, it did, and so did they.
There has to be revenue, and it needs to be projected to start at some point down the line, right from the start. This way, milestones can be recorded, and steps taken to address any failures to meet them – whether in extensions of time and financing, or in a change of policy or management, or both of these. There is nothing wrong with having a loss-leader, and giving away services or software in order to capture market share and loyal customers. Advertising, therefore, when responsibly and lawfully and tastefully done, is the easiest way to generate revenues, and build a business from the traffic to, or the following or patronage of, a popular site or service.
Summary: E-commerce and the Internet-driven business are still very much works in progress, as governments struggle to keep up with their ever-changing nature, and the consuming public (in sections and subsets of same), thrives on the tensions generated and in the spaces created, by this state of constant flux.
Some have accused the People’s Republic of China and the Russian Federation of high complicity in organized theft of strategic assets by exploiting flaws in and their failures on, one or more of the above 7 checkpoints. However, these alleged culprits are also obvious victims; and allegations of economic espionage and leveraging for advantage, legally, not so legally, and quite illegally, including with government support or complicity, are really nothing new.
Whether one’s problems show success or a failing equal to those of others on the same or substantially the same above checkpoints, is in the beholder’s eye. Regardless, however, perhaps if regulators focused a little more on fixing the failings in this winning formula than spinning for sanctions and shame, more would thrive and succeed in this brave new, Online Great Game.
Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice and has practiced, in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).
Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.
This article is intended and presented for general information purposes and is not intended or construed or to be read, as constituting legal advice or creating any lawyer-client relationship.
 Ekundayo George. “Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.” Oglaws. Published on December 9, 2011. Available at: http://ogalaws.wordpress.com/category/strategic-consulting/cybersecurity/
 See Ekundayo George. “M”edia Effectiveness, at the text containing endnotes 5 through and including 12, for an explanation of this concept. Ogalaws page Tab. Available at: http://ogalaws.wordpress.com/media-effectiveness/
 United States of America, Office of the National Counterintelligence Executive (ONCIX). Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011. Published in October, 2011. Available at: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
 BBC News, Technology. China seeks to combat hi-tech crimewave. Published on December 30, 2011. Available at: http://www.bbc.co.uk/news/technology-16357238
See also BBC News, Europe. UK diplomats in Moscow spying row. Published on Monday, January 23, 2006. Available at: http://news.bbc.co.uk/2/hi/europe/4638136.stm
 New York Times. Air France Denies Spying on Travelers. Published on September 14, 1991. Available at: http://www.nytimes.com/1991/09/14/news/14iht-spy_.html
See generally Paul M. Joyal. Industrial Espionage Today and Information Wars of Tomorrow. Integer Security, Inc. Information and Analytic Services. A report prepared by Paul M. Joyal (President of Integer Security Inc.), for presentation at the 19th National Information Systems Security Conference, held in Baltimore, Maryland, U.S.A., on October 22-25,1996. Available at: http://csrc.nist.gov/nissc/1996/papers/NISSC96/joyal/industry.pdf
See e.g. CTVNews.ca Staff. Corporate espionage costing billions each year. CTVNews.ca Published on Tuesday, November 21, 2011. Available at: http://www.ctv.ca/CTVNews/CanadaAM/20111129/corporate-espionage-secrets-companies-111129/