That’s the title of my Slaw post for today.   It reads as follows:

We constantly see commentary on frivolous lawsuits, and cases that poke holes in limitation clauses in contracts of various types.  Perhaps everyone should have some sort of basic understanding of who is responsible for what.  So I propose (in jest of course)  that everyone be subject to the following agreement.

By being born, you agree to be bound by the terms of this agreement, even you you have not, or can not, read them. 

You are responsible for your own actions.  Stuff happens in life, and you should look to yourself before you blame others. 

Stuff will happen that may entitle you to compensation from others (subject to deductables and the understanding that a successful lawsuit will not be equivalent to a lottery win), such as buying a defective product, or if someone fails to live up to a promise that you relied on, or if someone breaches a duty of care they owe you. 

At the same time, don’t expect compensation if your problem results from you:

• being the author of your own misfortune,
• not paying attention,
• doing something worthy of a Darwin award,
• not taking reasonable steps to protect yourself,
• failing the “it seemed like a good idea at the time” test.

For the London Free Press – June 28, 2010

Read this on Canoe

PERSONAL INFORMATION: The language pertaining to ‘lawful authority’ and breach notification is open to interpretation

Bill C-29 was recently introduced to amend the Personal Information Protection and Electronic Documents Act. The bill is an attempt to address a number of shortcomings in the legislation that governs private-sector privacy in Ontario and other provinces.

Most of the changes are welcome. Two changes are controversial: the definition of “lawful authority” and privacy breach notification.

“Lawful authority” determines when an entity can release information to the police without a warrant.

The act permits disclosure of information to government bodies where it has identified its “lawful authority” to obtain the information. Much debate has arisen as to what constitutes “lawful authority.” As a result, some entities won’t release personal information to police without a warrant.

Bill C-29 has attempted to clarify “lawful authority” as follows:

(a) lawful authority refers to lawful authority other than (i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records; and (b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

So it tells us what “lawful authority” is not, but not how to know when it exists. It really isn’t very helpful.

The second issue deals with breach notification.

The Personal Information Protection and Electronic Documents Act does not require any notification to either customers or the privacy commissioner if personal information has been lost or stolen. The proposed amendments add requirements to notify the privacy commissioner and/or affected individuals in certain circumstances.

That language has threshold tests that are not as clear as they might be. If this language stays, it may take a privacy commissioner or court decision to clarify.

For example, the privacy commissioner must be notified where a “material” breach has occurred. Since “material” remains a subjective test, it is somewhat at the discretion of the entity to determine whether the breach is “material.”

Individuals must be notified only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Again, this requirement is somewhat at the discretion of the entity that would have to notify the individual.

Some will argue that the discretionary component of the notification requirements is valuable as it is not mandatory to disclose minor breaches. That may be a good thing, but it will take some time to figure out how to apply the tests in practice. The difficult part is knowing where the threshold actually is.

The wording of the breach notification provisions leaves the possibility that entities may abuse the discretion provided to them and choose not to report breaches that many would argue are major. That’s especially true since there is no fine or penalty for not doing so.

On the other hand, when it comes to privacy, the “headline risk” of not abiding by the legislation, or being perceived to not be doing the right thing, is perhaps as big a motivator as anything.

I was on a panel last night at the Ivey business School with Eli Singer, co-founder of Entrinsic Partners, a digital communications agency that builds corporate social media strategies. 

Eli had many astute observations regarding marketing and social media.  For example:

The choice of social media platform to use is secondary.  A strategy comes first.

Don’t invest too heavily in a particular SM product feature that you can’t control.  When facebook decides to stop the group feature you have spent all your time and money on, you are simply out of luck.

Most businesses really don’t know what they want.  Its partly fear of the new and unknown.  Delegating and abandoning the strategy to a digital native whose sole qualification  is that they use facebook won’t work.

And if you are that digital native that is conscripted to do it – approach it like any business case.

That’s the title of my Slaw post for today.   It reads as follows.

I’m on a panel tonight at the Ivey Business School talking about trends and opportunities in social media.  I’ll be talking about legal and privacy issues.

Some of the risks that come with social media arise from its newness.   There seems to be two opposing (and apparently inconsistent) factors at play whenever anything new arises. 

First, when something new comes along, people often don’t put it in the proper context, and forget all the old rules.  For example, people might make a comment on a blog or facebook that reveals something confidential, even though that same person would never have revealed that in a letter or email.

Second, humans have flawed risk perceptions.  We tend to underestimate the risks of things we are familiar with, and overestimate the risks of things we are not familiar with.  That leads us to be concerned about risks of something new, even if those risks are similar to, or less than, things we are used to.  This leads to the “lets just shut it down” reaction where employers simply block access to things.

These factors lead to some bad decisions on both ends, but also fosters debate and discussion over the issues that tend to sort things out over time.

For the London Free Press – June 21, 2010

Read this on Canoe

Many people are not concerned about their privacy on Facebook – but they should be. Facebook’s recent changes are a good lesson in how not to make changes that affect or control privacy.On April 21, 2010, at a Facebook developers’ conference called “F8″, the company introduced new features that essentially allow Facebook users to share more information about themselves with more people.

This sounds great, but the changes were made in a way that opened up people’s information without asking them first.

In other words, the new privacy defaults were more permissive than the previous defaults, and things that were private suddenly became public. Privacy options were expanded, but many found the options too complex and difficult to understand, thus requiring a lot of time and energy for each user to go in and adjust the settings.

That assumes of course that users first found out about the changes, understood that they needed to alter privacy settings, and took the time to actually do it.

Facebook believes that more users want to share more information about themselves as society becomes more transparent, and the new default settings reflected this. This is different from the more private attitude that Facebook started out with.

Frankly, that’s a decision that users must decide for themselves on an individual basis. You and I should get to decide that, not Facebook founder Mark Zuckerberg. Transparency is a good thing when it comes to understanding privacy choices, but transparency about an individual’s information is a decision that each individual must get to make for themselves.

Transparency is a concept that is now in vogue for business and government alike. It is about accountability to their stakeholders. That concept does not, however, translate to us as individuals or our personal information.

It may be that Facebook was trying to be more like Twitter. The difference is that everyone knows that comments one makes on Twitter can be seen by anyone, as Twitter’s fundamental purpose is to share one’s thoughts with the world. That’s not the understanding people have when they sign up for Facebook.

User outrage has lead to recent changes. Facebook has created more simplified options on their privacy settings page, including cutting the number of settings from 50 to around 15 and consolidating seven pages of choices into three.

The lessons here for anyone providing services are numerous:

- Don’t make changes that automatically open up user information more than it already is. 

- Make privacy choices as clear and simple as possible.

- Make clear what information will be shared with whom, so users can make informed choices.

- Set defaults conservatively and allow users to open it up – not the other way.

- Think about privacy when doing new things to get it right at the outset. 

And if you are a Facebook user and have not looked at your privacy settings recently, take another look and change them if they are not to your liking.

That’s the title of my Slaw post for today.  It reads as follows:

Microsoft has just formally launched a new gesture based controller for the Xbox called Kinect (formerly known as Natal) to go on sale November 4.  And a new, more compact version of the X-box.

So what has this got to do with the office?

For now, this device can only be used with an Xbox – but there is no reason that the same technology could not be used with a PC for a Minority Report like interface.  Indeed, there is evidence that Microsoft has this in mind.

For now, here are some ideas for how business might use the Kinect and Xbox – such as a way to turn a slide show into a more interesting event.

The Federal Privacy Commissioner released her annual report to Parliament last week on Pipeda.  This report summarizes her department’s activities over the past year. 

Noteworthy elements include:

• Comments on how quickly technology (such as social networking) is transforming our lives – and the privacy issues that arise from those (eg. facebook, Google street, Bell deep packet inspections, GPS tracking).
• Efforts to deal with international aspects of privacy.
• An investigation into the mortgage brokerage industry.

For the London Free Press – June 14, 2010

Read this on Canoe

A UK court ruled it would be unfair to enforce a limitation of liability clause where the buyer relied on the company’s advice

Commercial software purchases can be major investments. If problems arise or the buyer ultimately finds the software is not the right solution, either the buyer or seller must bear the cost of the product, lost profits and additional staffing.

Software companies include limitation of liability clauses in their standard terms and conditions, but this has not stopped courts from awarding damages to buyers in some situations.

The recent United Kingdom court decision of Red Sky v. London Kingsway Hall Hotel suggests that how the sale is conducted may determine which party is liable.

The court said it would be unfair to enforce a limitation of liability clause where the buyer relied on the software company’s advice in deciding to purchase the product and the product was inappropriate for the buyer’s intended use.

The software in question was meant to provide reservations and point-of-sale functions for hotels. After installation, the buyer found it did not meet its needs, and replaced it with other software.

The court also said that standard terms including a limitation of liability clause are predicated on the fact that a prospective customer would investigate the software and make up its own mind whether to purchase based on demonstrations and the operating documents.

UK courts have placed a heavy onus on software companies to provide the buyer with all relevant information if they wish to rely on limitation of liability clauses. What is relevant or sufficient will necessarily vary from case to case.

But it is clear – at least in the UK – that software companies are expected to take steps to ensure that the buyer has a fair chance to assess the product before purchase.

In this case, the court said the limitation of liability clause was unfair under the UK’s Unfair Contract Terms Act, as the software was not fit for its purpose. Basically, the software vendor was not transparent enough to give the buyer enough information to make an informed decision on the suitability of the software for its particular needs.

In the end, the court found the vendor liable for 110,000 pounds in damages for software that it had been paid 50,000 pounds.

Though Canadian courts may not have gone this far based on the same reasoning, Canadian courts have found liability despite limitation clauses where they find them to be unconscionable in the circumstances. Unconscionable means that it has to be more than unfair or unreasonable. Essentially, courts won’t allow vendors or their products to be incompetent, or cavalier in their claims, then hide behind limitation clauses.

Every product vendor, whether it sells software, online services, or other products, clearly wants to market their products in their best possible light. But it is wise to be as transparent as possible about the products, especially when it comes to helping purchasers make buying decisions.

An Ohio court has said that a police officer’s “unaided visual estimation of a vehicle’s speed” is enough to support a speeding conviction.  That’s with no radar, and no need for the officer to have been beside or behind and read his own speed on his own speedometer. 

As Mike Masnick of Techdirt puts it, “That won’t be abused at all…”

That’s the title of my Slaw post for today.  It reads as follows:

The Law Society of Upper Canada is having a teleseminar at noon today entitled “The New Guide to File Retention and File Destruction.”

I’m one of the speakers – talking about issues relating to electronic records.

One of the fundamental principles of electronic records from a records retention and destruction perspective, is that electronic records should be retained and destroyed on the same schedule as paper records.

As I was thinking about the issues, it occurred to me that if I had to hazard a guess, I suspect many law firms, and many businesses for that matter, have not come to grips with this yet. 

The reason is simple.  Take the period of time a file is active, then add to that the time a closed file should be retained. (The LSUC suggests 15 years for typical files.)  Then consider how long electronic records have been around in a significant quantity.   We are just now coming to a time when law firms might have a significant amount of electronic records in addition to paper files. 

Certainly word processing and email have been around for more than 15 years, but in the early years the only thing that was kept was the paper. 

Personally, my viewpoint is that the electronic versions (word documents, email, images, faxes, collaboration tools, instant messaging, etc.) of documents are the real, original documents. The paper versions are just a physical manifestation of those records.