Friday, May 28, 2010

I Want It All And I Want It Now *

[*Queen, 1989]

Quick refresher on the basic principle of copyright law in Canada and most other countries – the creator (author) of an original work (music, lyrics, writings, photos, DVDs, videos, paintings etc.) is entitled to control how it gets used for a period of time, with some other limited exceptions.

There is no copyright in facts or ideas, however there is copyright in an original (creative) expression ( work ) of facts and/or ideas.

Copyright arises upon the creation of a work. You do not have to add the words “copyright” or “copyrighted”, or the symbol ©, in order to claim copyright in a work. You do not have to register in order to obtain copyright. Copyright comes into existence the moment the original work is created.

At the moment one of the hot topics of the legal blogsphere is the class action brought in Ontario against Thomson Reuters alleging that it is violating lawyers’ copyrights in pleadings and other materials that lawyers have created and filed in lawsuits. Similar issues have arisen before in other jurisdictions with varying results.

The allegations are that Thomson Reuters had copied the filed materials relating to certain cases. It has created a web based services called “Westlaw Litigator®” whereby persons can search by subject matter, law firm and or lawyer, and for a fee can download a copy of the copied materials, including editable forms of the materials. Apparently Thomson Reuters has added “© Thomson Reuters Canada Limited or its Licensors” to all of these documents digitized on its website. [The foregoing is gleaned from Sack Goldblatt Mitchell LLP’s website (the law firm representing the complainants) where it has made available the statement of claim ]

A visit to the Westlaw Litigator® website – home of the allegedly offending service – finds that it is being touted as “A database of actual filed pleadings, motions, memoranda, and jury instructions”. I did not venture further as I am not a subscriber.

The claim was issued on May 25, 2010, so no response has been filed yet. Not that I am remotely prescient, but I am sure the response will contain an attack on the merits of this being a properly brought class action suit.

It will also no doubt contain arguments that Westlaw Litigator® falls into the “fair dealings” use of copyrighted materials. They may counter by questioning who actually owns the copyright in the filed materials: the lawyers/law firm that authored them? The client who paid the lawyers to represent him or her? The courts themselves because they have to be“issued” by them in order to be part of a claim? Because these are public records that anyone can go in and search, are they not therefore in the public domain (i.e. not subject to copyright)? And if they are public records, is Thomson Reuters not free to create a database of them?

Thomson Reuters may also try to argue that the majority of lawsuit filings are themselves not “an original work”. The court prescribes the form and format of documents filed with it, and a significant part of pleadings are composed of references to other works – reported legal cases and legal texts – and facts.

I think that Thomson Reuter is on very shaky copyright ground here.

According to the claim, they have not edited or enhanced the materials. Thomson Reuters have just done a little digging in the public records of high profile cases, copied verbatim the materials in the court files, indexed the copied material by lawyer, law firm and subject matter and then created a database of these materials which Thomson Reuters customers who subscribe to the service can search and download for a fee. Apparently they have done all this without the permission of the authors of the materials who are arguably the copyright holders.

Whether or not the allegedly infringed materials are “creative” “original” etc. is a no go. The creation of these materials by lawyers – the choosing of what to reference, the presentation of arguments and the order in which they are presented – involves a significant amount of work and creative effort. Good pleadings, motions, draft orders etc. are concise well crafted works of non-fiction – or ideally they should be.

I don’t think that Thomson Reuters can distort the fair dealings exceptions – even the educational ones - to justify what they have done. When I went to law school in the Neolithic Age, in addition to legal texts, we often had to buy case books (which are now presumably digitized) - compilations of extracts (not whole chapters) from legal texts and parts of cases, that were compiled by the law professor (to torture students). The case books all had “reproduced by permission of the author/publisher” on the cover pages and were sold on a recovery of cost basis. Permission had been sought and granted. Profit was not being made. Thomson Reuters has apparently copied entire works, has not sought permission and is seeking to make a profit.

But my final point at this time is, if they win, would it not be open season for everyone to then go in and download all of Thomson Reuters’ databases and materials and set up competing websites? Or digitize and sell books that they publish? And hasn’t Google just been “spanked” and still faces issues with regard to its digitization of other peoples’ works?

It will be interesting to see how this matter develops.

Thursday, May 20, 2010

Personal Information - Use with Caution

Databases are the backbone of twenty first century enterprise. Some well publicized gaffes and changes in policies on the part of Google and Facebook have generated a renewed interest in the fact that the social media and search engine industries have access to, and use, the significant amount of personal information about individuals that are in their databases. But let's not forget that banking, other financial services and large retail also have enormous databases of personal information.

This post is not going to debate the “goodness” or the “evilness” of this situation: the broader media are having a field day with that. I am going to set out a quick refresher about the basic situation governing the collection and use of personal information in Canada.

No private enterprise operating in Canada has free rein in its use of personal information. There are variations on a theme in the provincial legislation of Alberta, B.C. and Quebec and there are additional laws regarding health information in most of the provinces, but the basic tenets of privacy legislation affecting private enterprise in Canada are very simple. They are outlined in Schedule 1 to the Personal Information Protection and Electronic Documents Act [the legislation can be found at: ]. I am summarizing the guiding principles below, but you should, at a minimum, actually read Schedule 1.

Organizations are accountable for the personal information that they have in their possession or within their control. They have to have policies, procedures, guidelines and training regarding the handling of personal information. An organization must inform the public about these policies, procedures and guidelines. It must provide access to the personal information within its possession or control regarding an individual to that individual. The organization must have a complaints procedure (more details below) to handle individuals’ concerns with respect to their personal information.

With limited exceptions, companies have to have the individual’s consent to collect and use personal information. The consent has to be for the specific use for which the information is being collected. An organization cannot use the personal information it collects for a specific purpose for another purpose unless it obtains consent for that other purpose.

The personal information collected has to be accurate, complete, safeguarded and retained only for the period of time necessary to fulfill the purpose for which it was collected. When it is no longer required for the purposes for which it was collected, it must be destroyed or made anonymous.

Individuals have the right to find out what personal information an organization has about them and who has access to it. Individuals may request access to their own personal information held or controlled by an organization, and are entitled to require that any corrections be made to the information to the extent it contains any inaccuracies or is incomplete.

To the extent individuals believe their information is being misused or that their access is being improperly denied, they can utilize the organization’s complaints procedure, which procedure must note how the individual can make a complaint to the Privacy Commissioner of Canada.

Seems pretty simple, doesn’t it?

However when you introduce the Internet into the equation, with its ability to proliferate and disseminate information globally and exponentially, complicated issues emerge.

If I terminate a social media service, how am I assured that they do eradicate the personal information that I no longer consent be made available? Why when I want access to a specific service such a cell phone service do I have to consent to them sharing information with their affiliates? What happens if there is a breach in the safeguards exposing my personal information? This is what businesses and privacy watchdogs are struggling with now in real time.

Privacy laws are constantly being tweaked to address recurring issues: e.g. mandating certain notifications in the event of actual and potential exposure of personal information; requiring companies to advise persons if their information is going to be transferred outside of Canada (May 1, 2010 Personal Information Protection Act (Alberta)).

So, with the current attention on the problems associated with data breaches you want to minimize the bad publicity that ensues. If you operate a business in Canada understand what your current obligations are, keep up with the legal developments and review and revise your use and handling of personal information policies and procedures on a regular basis.

Friday, May 14, 2010

Record Keeping Clauses in Outsourcing Contracts – Part Two

I previously talked about record keeping clauses in outsourcing contracts. These clauses are really record retention and destruction policies (RRDPs) writ in the context of outsourcing transactions. However, the parties to an outsourcing deal often do not devote the attention to record keeping clauses that a customer would to developing its own RRDPs. I want to discuss today some of the RRDP issues that are inherent in record keeping clauses, as a way of getting a quick fix on the issues that may be being ignored in these clauses.

1. Scope/Inventory: The starting point in any analysis is to understand the potential scope of the obligation – how big is the possible universe of records, how many of them are there and just what do they look like?

These can be hard questions – for both the customer and the service provider. At the time that the outsourcing agreement is being negotiated, the customer may lack detailed knowledge about how the service provider’s systems or processes operate and what records they produce. Similarly, before the agreement is signed and the service provider has assumed responsibility for the customer’s operations, the service provider may not have good insight into how the customer’s applications or processes operate and what records they use or produce. It isn’t a solution to this potential lack of knowledge however for the customer and service provider to sweep a litany of nearly-synonymous terms into the definition of “Records” and then feel confident that, whatever may be out there, it has likely been caught. This can only lead to retaining records that should be destroyed and destroying records that should be retained. In these circumstances, the customer and the service provider should work together to inventory the records related to the outsourcing, in a manner similar to what the customer would do in developing its own RRDP.

(i) Service Provider Records: what are records, documents and information of the service provider relating to the services that the customer needs access to? Certainly, the answer to this question will include operational data, financial information such as invoices and invoicing detail, security information such as security logs and video tapes and perhaps personnel information. In design, build operate transaction, it may include test data and results. The customer and service provider need to consider individually the services that are being provided and inventory, by service, the records, documents and information produced.

(ii) Customer Data: what are the records relating to the customer’s business that are produced in the course of the services and that are under the control of the service provider? This may not be a very big set of records for IT infrastructure outsourcing transactions where the application systems and their output are under the customer’s control. The answer is likely different though for business process outsourcing transactions, where often the services being provided are closely intertwined with the customer’s operations. Here, information created by the service provider’s employees may well constitute customer business records that should be identified as part of the records inventory.

In inventorying these records, the customer and the service provider will also need to think about related questions such as the form in which the records are produced, whether temporary records are relevant, what the volume of records is and how this volume will grow over the term of the outsourcing agreement.

2. Purpose: The customer and the service provider should identify the reasons for which the records are to be retained. Is it to support the customer’s audit rights under the outsourcing agreement?, e.g. to allow the customer to verify that the service provider has processed the records correctly and has not overcharged the customer? Or are the records being retained for purposes related to the customer’s business?, e.g. to allow regulatory authorities auditing the customer to verify that the customer has appropriate security procedures in place or to satisfy regulatory requirements that the customer retain various types of records for specific periods of time. If the customer and the service provider are able to agree on the purposes for which the records are to be retained, then they may also be able to agree that other types of information need not be retained or can be destroyed once the purpose is satisfied.

3. Legal Requirements and Retention Period: What do the applicable laws and regulations require be retained and for how long? This is not the same thing as requiring the service provider to “maintain Records in accordance with applicable laws”. It is about understanding the laws applicable to the customer’s business, what records these laws require to be retained and for how long. The only way this can be done is through a thorough review of the laws and regulations applicable to the components of the customer’s business that are being outsourced by counsel who understands the outsourcing. For example, if the services being outsourced involve the processing of customer financial records, then these may need to be retained for six years under the Income Tax Act (R.S.C. 1985, c.1 (5TH Supp.), s-s 230(4)). Conversely, for human resources outsourcing transactions for banks or insurance companies, the customer will need to consider its obligations to limit the use, disclosure and retention of the records under Principle 5 of Schedule 1 of the Personal Information Protection and Electronic Documents Act (2000, c. 5).

4. Customer Record Retention and Destruction Policies: The customer should ensure that the record keeping clause in its outsourcing agreement and its record retention and destruction policies are consistent – the same retention periods for the same records. If there are special circumstances that require records produced as part of the outsourcing transaction to be retained for different periods of time, then the RRDP probably needs to be amended to incorporate those unique circumstances and retention periods. Further, if the RRDP establishes procedures for the destruction of records at set intervals or after the passage of specified time periods, the record keeping solution developed under the outsourcing agreement should incorporate the same destruction procedures.

If the customer and service provider have: (i) developed an inventory of the outsourcing records; (ii) determined why the records are to be retained; (iii) identified the applicable legal requirements and retention periods; and (iv) resolved any inconsistencies with the customer’s existing RRDP, they have a good picture of what the record keeping obligations for the outsourcing ought to be. There are still a few other issues to think about however.

5. Other Agreement Provisions: The outsourcing agreement likely contains other provisions relating to retention or destruction of information. Frequently, for example, the confidentiality provisions of the Agreement will include a section requiring the service provider, at the customer’s request, to return or destroy all customer confidential information. Similarly the termination transition provisions of the agreement may require the service provider to return to the customer all information and data and not to retain any copies. These provisions should cross-reference the record keeping provisions to avoid any inconsistencies.

6. Format/Technology Change: The customer and service provider should discuss in what form the records will be retained and whether the customer will be able to access the information during, as well as after, the term of the agreement. This should not be an issue for recently-created records that can be maintained by the service provider as part of the operations of its existing systems. However, as the outsourcing relationship evolves, the technology is refreshed and the systems are upgraded, the IT environment necessary to read records that have been archived may no longer exist. The records have not been destroyed – it is just that they are no longer accessible by the service provider’s existing systems. This is a problem can only get worse after the outsourcing relationship ends and the technology that was once state-of-the-art dissolves into end of life.

7. Cost: The customer and the service provider should discuss the (estimated) cost of retaining the records for the required periods and who is responsible for these costs. Frequently this does not happen, perhaps because of an assumption that records retention is an integral part for the service provider’s base service offerings, and therefore, there are no separately identifiable costs. This may not be the case or the service provider’s base fees may only cover basic, standardized record keeping which may not be what the customer requires.

8. Monitoring: Record keeping clauses do not normally deal with what rights, if any, the customer has to monitor the service provider’s compliance with the provisions. To the extent that the outsourcing agreement provides the customer with such rights, they are usually found in other provisions such as those dealing with the customer’s audit rights. This is something that the customer should ensure is addressed in the agreement. Moreover the customer should include reviews of the service provider’s compliance as part of its audit plans early in the outsourcing relationship, before the effects of any non-compliance have had the opportunity to accumulate.

These issues will take time to address. In a digital age however, where electronic records are the norm and e-discovery and spoliation are on everyone’s lips, the issues are unlikely to go away. The parties to an outsourcing transaction should take the time to deal with these issues carefully, thoughtfully and at the right level of detail, not take a broad brush approach that ignores the issues in favour of unlimited or unfiltered retention.

Friday, May 7, 2010

Record Keeping Clauses in Outsourcing Contracts - Part 1

Record keeping is not an issue that gets a lot of attention in many outsourcing agreements. Almost as an afterthought, somewhere toward the end of an Article on audits, governance or termination transition services, there will be a provision setting out the parties’ responsibilities with respect to retention of “records”. It will be based on a comprehensive definition of “Records”, e.g.:

“books, records, reports, documents, maps, drawings, correspondence, notes, logs, system development records, accounts, invoices, backup data (including original source documents) and other similar documents, images, writings, papers or information stored by any means whether graphic, electronic, audio mechanical or otherwise”

and will run something like this:

“During the Term and for a period of seven years after the end of the Term (or such longer period as may be required by applicable Law), the service provider will maintain accurate and complete Records related to this Agreement and to the Services to be provided by the service provider under this Agreement, as may be required or necessary:
(i) for the service provider to meet any other reporting or record keeping requirements referred to in this Agreement; and
(ii) to enable the customer to verify the service provider’s compliance with the terms of this Agreement and to ascertain the accuracy of all financial matters arising under this Agreement.
Before destroying or otherwise disposing of any Records, the service provider shall provide the customer with sixty days’ prior notice and offer the customer the opportunity to recover the Records or to request the service provider to deliver the Records to the customer at the customer's expense. Except as set out in this Section, the costs of all Record keeping contemplated in this Article shall be the responsibility of the service provider.”

When tested however, i.e. when the customer pulls out the clause to see if it requires the service provider to have retained those specific records or information it needs in the upcoming law suit (or, conversely, that the clause did not require the records to be retained and they have hopefully been deleted in the normal course of business) or the service provider checks to determine precisely what its record keeping obligations are, these clauses are often not very informative or helpful. The frequently overly-broad definition of a “record”, the general nature of the obligation (“accurate and complete records”) and the amorphous definition of the purpose behind the record keeping mean, in many cases, it will be difficult to determine the service provider’s obligations precisely.

This should not be surprising. Such record keeping clauses are, in effect, record retention and destruction policies, as applied to outsourcing. However it normally takes a company many months of effort to develop an appropriate records retention and destruction policy. The company needs to identify what records it is creating in operating its business, understand how these records are used, determine its legal retention obligations and finally identify procedures that ensure the right records are retained for the correct period of time and then destroyed in an efficient manner. This can’t be done, in any detail and with any confidence that the company is getting it right, as part of another complicated task like negotiating the contract with a third party for a complex outsourcing transaction.

Notwithstanding the problems with the record keeping clauses in many outsourcing contracts, there is an argument that we are getting the right form of record keeping clauses. In the midst of death march negotiations about fundamental business issues in a complicated outsourcing, the parties are not likely to delay or derail the transaction for failure to properly define the service provider’s record keeping obligations, especially when a quick fix – “keep everything, and for a very long time” – appears to be readily available. Still, it is interesting to consider, through the prism of record retention and destruction policies, what the issues are that impact record keeping clauses and how the parties might think about them, if they had the time. That is something for next time.

Tuesday, May 4, 2010

“All animals are equal, but some animals are more equal than others.”

[“Animal Farm” George Orwell. 1945]

When a service provider takes over tech support, it will be processed through a help desk tracking system based on contracted pre-defined situation assessments (urgencies) and standard service level response times based on the assessment. There may be a “break in” period, but pretty soon after the outsourcing, your prior tech contact whom you had on speed dial to call to fix your blue screen of death will no longer be able to respond directly to you.

Most of us get this. But what I find fascinating is that there still is the culture of entitlement based on seniority, not need, that you would have thought should have disappeared in the latest white collar economic melt down. The “old school” executive may have “chosen to explore other opportunities”, but his younger successor has morphed into the entitlement role.

I know this happens in all types of professional organizations, private companies, public companies and the public sector. But I am going to limit my narrative to law firms. I have some “sources” at a few Bay Street and Wall Street law firms. A number of these law firms have outsourced their tech support or they themselves have implemented the “discipline” of a help desk system. They want to cut costs and standardize the technology used at the firm.

All goes well initially, until the first senior/managing partner “crisis”. A panicked call from his (and on rare occasion, her) assistant – because dialing a phone is still not done by such an august individual - jumps them to the front of the line regardless of the issue. Tech support will come running on the double to deal with the issue; and more often than not give a private tutoring session on other technology related questions that have nothing to do with the original call and often are not business related.

And so the slippery slope begins.

The standard issue computer hardware and software that will do more than enough tricks to fulfill legal services requirements is not necessarily the latest and greatest. And when a senior/managing partner gets tech envy, look out. The help desk may try to stop the line jumping and keep to contracted standards; but the individuals at the front lines of service delivery know that this is a career limiting (killing) move, and so the discipline breaks down.

So if your organization has this type of an culture – and a surprising number do - you can accommodate this if you want and create a “super priority” category in the service levels, but this will cost more and not necessarily allocate resources effectively. Or you can try resist the elevation of some of the denizens of the farmyard above others, however history shows us ……