LawComm recommends data breach notification

The Law Commission has released its fourth and final report on privacy law. One of its key recommendations is data breach notification, or as the Commission puts it:

… notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive).

Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner.

This would be a major – and welcome – change from the status quo, which is that agencies (e.g. companies holding personal information) are generally under no legal obligation (unless such obligation is assumed) to report data breaches. Sir Geoffrey Palmer commented on the situation last year:

Another subject on which we are contemplating some changes is data breach notification… Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

(The Law Commission’s issues paper discussing data loss is here). The recommendation comes at the same time as the EU is grappling with imposing a uniform notification regime across member states.

A data breach notification regime, while imposing some compliance cost on organisations, is a necessary thing in today’s world.

Recently I had my own example of when such a regime might have been useful, when my bank informed me that I had “suspicious activity” on my credit card – a large transaction from Portugal. What was curious was that I had only had that card for a few months, and had not used it much at all (and not online at all). The card could have been physically copied somehow, but if one of the few merchants who I had used it with had lost the data via hacking, there is no obligation for them to advise me of the loss – nor any other information that may have been lost with it.

The example of credit cards was specifically mentioned by Law Commissioner Professor John Burrows in announcing the recommendation:

“People have a right to know if their information has been compromised in a serious way”, said Law Commissioner Professor John Burrows. “Then they can take measures to protect themselves (such as cancelling credit cards), or can at least prepare themselves for any consequences of the breach.”

It will be interesting to see how the details of such a regime are eventually formulated.

Software Patents – IPONZ explanatory note

IPONZ has published a draft explanatory note on the patentability of computer programs based on the Patents Bill (as currently drafted). Fortunately, the good people at IPONZ have not had the same difficulty in understanding the clear exclusion of computer programs that a small number of patent attorneys seem to have had.

They also appear to have sifted through several submissions from patent attorneys that sought to relitigate the Bill itself in amusingly emotive terms, rather than just comment on the guidelines as requested.

IPONZ has provided a clear, concise note. Some extracts:

31. Many of the interested parties who made submissions on the draft guidelines argued that the Commerce Select Committee intended that so-called “embedded” computer programs should remain patentable, with other “non-embedded” computer programs being excluded from patent protection. However, it is clear from the Committee’s report that the Committee rejected the idea of making a distinction between “embedded” and “non-embedded” computer programs in this way.

32. Instead, the Committee decided to recommend a simple exclusion, as this would exclude computer programs from patent protection, but would not prevent the grant of patents for inventions involving “embedded” computer programs. It seems clear from these comments that the Committee did not intend that the mere fact that an invention involves a computer program should be sufficient, in itself, to make an invention unpatentable.

That is exactly right. For whatever reason, some patent attorneys seemed to have great difficulty with that simple proposition, and much of the FUD being put out by those looking to overturn the software patent exclusion focused on the apparent “confusion” surrounding embedded software. The explanatory note succinctly summarises the Committee’s clear recommendation.

33. On this basis, computer programs are not patentable under clause 15(3A), whether or not they are “embedded” programs. However, inventions that involve a computer program (as opposed to inventions which are a computer program) are likely to fall outside the scope of clause 15(3A) and be patentable.

Which is how other patentable inventions, containing non-patentable constituent parts, are treated.

34. … The exclusion cannot be avoided by claiming the program in combination with conventional computing hardware. Such claims are effectively claims to the computer program and allowing them would circumvent the purpose of the exclusion.

35. For example, claims to the computer program when running on a suitable computer, or claims to the program recorded on a carrier such as a disk or memory card would not be allowable. On this basis claims of the form “a computer program product comprising computer program code adapted, when loaded on a computer, to do X” (so-called Beauregard claims) will be rejected.

This is good. A lot of nonsense can be deployed in attempts to get around exclusions. By definition, all software runs on a computer, so a claim that the invention is the program “when running” should hardly be expected to avoid a computer program exclusion.

One thorny issue on the periphery of the software patent debate is business method patents. They are really a separate issue (and a separate controversy). The note makes only a few comments on them, including:

41. Where the contribution is assessed as a method or process that falls outside the computer program exclusion, claims to a computer program that would cause a suitable computer to carry out the method may be allowable.

The progress of the Bill remains, understandably, a low priority, and its future is also somewhat uncertain given that a new Minister will take over the Bill from Simon Power. However, MPs at last month’s NetHui said that Simon Power had that week advised that the software exclusion would remain (confirming earlier statements).

New High Court rules and the impact on electronic discovery

The Rules Committee of the High Court has released its final draft of new rules on civil discovery. This is the final stage of a long-running process to update the often troublesome rules relating to discovery, in particular electronic discovery. The latest rules are available here (pdf).

Background

For those who are lucky enough not to have been involved in civil litigation, discovery is a legal process that requires each side in the case to “discover” all relevant documents to the other side – the legal equivalent of laying your cards on the table. That doesn’t just mean documents that support your case – parties are also obliged to produce damaging documents. There are only limited grounds for refusing to disclose documents, such as legal privilege, and even then certain steps must be followed.

Unfortunately, discovery has often become a very difficult and time-consuming (and therefore expensive) part of modern commercial litigation. The general rules of discovery were laid down in the nineteenth century, when most documents could only be produced by hand or at significant cost. It was also a lot more obvious what a “document” was back then – usually ink on paper.

In recent years there has been an explosion in the amount, and type, of documents in business. The most obvious are computer documents (Word docs, spreadsheets, etc) and email. Most significant businesses are now heavily reliant on electronic communications. Documents still include paper files, faxes, and accounts, but also include modern documents such as databases, text messages, and even tweets, and huge amounts of documents can be created during the course of an ordinary day. As a result, parties to litigation are often required to handle huge volumes of documents. In large litigations I am involved in, it is common to have tens of thousands of emails and other electronic documents in play.

Reform

The discovery reform aims to modernise the rules to improve the discovery process for the benefit of litigants, and better reflect the modern realities of business and society. I have submitted on the first draft rules, and note a few highlights and changes in the proposed final draft:

  • Parties must co-operate on discovery (oh, were it always that way!) and ensure “technology is used efficiently and effectively”. (8.2)
  • Parties “must take all reasonable steps to preserve [relevant documents]”, including ensuring that “documents in electronic form which are potentially discoverable [be] preserved in readily retrievable form even if they would otherwise be deleted in the ordinary course of business” (8.3). This is a significant and powerful rule that imposes an express duty to preserve electronic records (see below for more details). When a dispute arises, it may be a prudent strategy to put the other party on express notice of this duty.
  • The rules introduce two types of discovery – standard and tailored (8.6). Thankfully, the proposed threshold of 200 documents for tailored discovery (previously called non-standard discovery) has been dropped. Even small commercial litigations tend to have far more than 200 documents these days!
  • Parties must undertake a “reasonable search” for electronic documents, which includes some room for negotiation over whether it is or isn’t unduly costly to do so in certain cases (8.14).
  • Original native files (that are discoverable) are to be provided on request (8.27(4)). While I had proposed clearer language here, the rule is still to that effect.
  • Documents are to be exchanged by way of PDF where possible (sched 9, clause 1).
  • The proposed requirement of chronological ordering is not mandatory – a different order may be applied if more convenient (sched 9, clause 2).
  • Exchanged documents should be DRM free (well, it’s not quite as explicit as I had proposed but it’s a start) (sched 9, clause 6.8).

Duty to preserve documents

The most notable change for non-lawyers is the duty to preserve evidence, in particular electronic records. Unlike in the US, there is no tort of “spoliation of evidence” in New Zealand. There can still be serious consequences for destroying evidence, but the threshold is unclear and there has not generally been a positive duty to preserve documents for the purposes of potential litigation.

The proposed rule 8.3 will change that. It requires a person who knows that a document is “reasonably likely” to be relevant to a legal dispute (whether or not any dispute has arisen) to take “all reasonable steps to preserve that document”. The term “knows” here is likely to be taken as meaning “ought reasonably to know”.

In particular, the rule will require that potentially relevant electronic documents “must be preserved in readily retrievable form even if they would otherwise be deleted in the ordinary course of business”.

The most obvious type of document here is email. Many businesses let their users fully manage their own emails. If a user deletes an email from their inbox, it may be impossible to recover. This new rule will require prudent businesses to ensure there are proper processes in place for retaining important emails. Under the new Limitation Act, it may be necessary to ensure retention of some records for up to 15 years, which is the duration of the new law’s “longstop” limitation period.

The proposed rules do not set out a penalty for failing to preserve documents, but a Court may make adverse findings, or even impose more serious sanctions such as contempt of court, against a party who fails to preserve documents.

While it is far from Sarbanes-Oxley, this change is welcome and good for the interests of justice.

The rules are expected to be implemented by early 2012.

Law change to allow peer-to-peer lending

The Government has confirmed that online peer-to-peer lending will be made possible in New Zealand as part of the long-awaited overhaul of securities laws. A recently released Cabinet paper says:

Peer-to-peer lenders are effectively precluded from operating in New Zealand given the regulatory regime. Licensing is intended to introduce a regulatory regime proportionate to the risks that they pose. The licensing criteria will look at the character and background of the key individuals involved, and also a limited assessment of organisational processes.

This is welcome news for what could be a niche fledgling market in New Zealand. However, as tends to be the case with securities law, the devil may lie in the yet-to-be-determined detail.

Submission on Copyright (File Sharing) regulations

Submissions on the Copyright (Infringing File Sharing) Regulations are due this week (27 May 2011). The key part of my submission is as follows:

Response to Question 4: (“Should the suggested requirements be included in regulations? Should there be any other information requirements and why?”)

One of the most critical issues in determining whether IP infringement has occurred is proving the complainant’s rights to the IP in question. The suggested requirements do not adequately address this critical issue.

Sections 122D(2)(a) and 122E(2)(a) simply require a notice to “identify the rights owner”. Paragraph 13(e) simply proposes that a notice include “name of copyright work and name of owner of that work”. This is inadequate. Because there is no “register of copyright works”, and because of complex international IP rights management, it is generally impossible for an account holder or IPAP to confirm whether a complainant is in fact the rights owner of the relevant work.

For the complaint to have a desirable level of integrity, the complainant should be required to provide more than a mere “identification” or “description” of the work allegedly infringed. The complainant should be required to provide an affidavit confirming they are the owner of the identified work, or the duly authorised agent of the owner of the work, at the date of the alleged infringement.

This is a simple requirement, and would allow the IPAP, the account holder, and (if necessary) the Tribunal to proceed on the basis that the ostensible rights owner does in fact own (or have the necessary rights in) the work at the centre of the alleged infringing activity (in the absence of evidence to the contrary).

I therefore propose amending paragraph 13(h) of the Discussion Document requirements to read:

h. an affidavit from the rights owner that they are the owner of that work, or the duly authorised agent of the owner of the work, at the date of the alleged infringement, and that, to the best of their knowledge, the information provided to the IPAP is true and correct.

Not-so-super injunctions

The row in Britain over the naming of footballer Ryan Giggs online (and subsequently in Parliament), in contravention of a “super-injunction”, raises the same issues as New Zealand has experienced recently: can injunctions and other forms of name suppression work in the age of social networking?

British PM David Cameron appears to have accepted the reality of the situation:

“It’s not fair on the newspapers if all the social media can report this and the newspapers can’t,” he said. “So the law and the practice has got to catch up with how people consume media today.”

This is a strong indication that the UK will change its law (or at least its policy) on injunctions. In New Zealand, the Government and officials have not yet grasped the nettle. In 2009, the New Zealand Law Commission published a detailed report on name suppression in this country. It noted:

Where information as to the identity of someone appearing before a court is already in the public domain, it will not generally be appropriate to grant name suppression. The law will not undertake an exercise in futility, which would bring its own authority and processes into disrepute. [3.65]

However, the Commission did not really address the issue of internet publication. As I wrote at the time:

Yet in many recent cases involving name suppression, that is precisely what has occurred. Twitter, Facebook and other local and international web sites are routinely used to blithely report (or more often, speculate on) the identity of the individual… There is every reason to think this phenomenon will become more and more common… If the law is not to permit exercises in futility, this issue may need to be revisited again before long.

There can be very good reasons for name suppression and other forms of injunctions. But it is not a question of right or wrong anymore. The fact is that such orders can (and therefore will) be made a mockery of, with relative impunity, online. An English judge’s issuing of an injunction against Twitter users, and Ryan Giggs’s now-futile attempt to sue anonymous Twitter users, seem distinctly King Canute-esque.