Moving to an online work model raises a number of questions that can be overwhelming for those without a large IT department to back them up. Can I enter into contracts if I can’t meet my business relationships? What are my obligations to moving my work process online? The answer is the lawyer’s favourite phrase: “It depends”.
Electronic Contracts and Electronic Signatures are Enforceable Most of the Time
In Ontario, most electronic contracts, electronic documents, and electronic signatures are enforceable under s. 11 of the Electronic Commerce Act, 2000. Section 31 excludes electronic signatures only from wills, trusts, powers of attorney, negotiable instruments (i.e. cheques), and documents prescribed by the regulations (which at the moment are none). This leaves almost all electronic contracts, electronic documents, and electronic signatures enforceable in Ontario.
Expertise in block-chain and smart contracts is not required. The New Brunswick court of appeal has found that email signatures1 are sufficient to form a contract, and the click-wrap agreements you skip through2 when signing up for a new service are enforceable.3 So be careful of what you say and agree to in email, it could be binding; but keep in mind that your quick email agreement may not include all the terms and conditions that you think it does – terms and conditions still need to be accepted, for the most part (it depends).
If you are concerned about someone altering an electronic document after you’ve signed it, you can always consider the use of a secure electronic signature.4 Basically, a secure electronic signature applies a mathematical process to a document to generate a number called a “hash”. If the document is modified after the signature, then the same mathematical process will generate a different value for the hash, so software can determine if the document has been tampered with after signing. Many off-the-shelf electronic signature solutions, such as DocuSign, can generate such secure electronic signatures.
Finally, keep in mind that certain documents may have additional professional requirements other than that the document be in writing and signed (e.g. sworn statements and affidavits) and some government organizations may only accept original signatures (e.g. Articles of Amendment for Ontario Corporations and court filings).
If you Keep Data Relating to Other People, You have Security Obligations
Most businesses have good business reasons to protect their own data. Trade secrets, patent applications, business strategies and marketing plans are very valuable. But many businesses also have obligations to others, whether contractual (such as a non-disclosure agreement), or legislative (such as privacy legislation). You also may have obligations to others under common law to protect personal data of individuals if the disclosure could cause harm.
Your obligations to protect the data of others depends on what kind of data you collect, and where you do business. Many professions and regulated businesses have record keeping and professional obligations in Canada, and if you do business outside Canada you may also be subject to foreign legislation such as the EU’s General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA).
For the most part, you are required to take all security precautions that are “reasonable in the circumstances” to protect the data that you collect and store. You will have to take precautions that are sufficient given the sensitivity of the data and that are consistent with the standards of your industry (the word “reasonable” appears in The Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian privacy act for businesses, 39 times and in the Personal Health Information Protection Act (PHIPA), the Ontario privacy act for those dealing with health data, 60 times).
“Reasonable” means that you don’t necessarily need to use end-to-end encrypted email stored on an encrypted server based in Switzerland.5 If words like “crypotography” make your eyes glaze over, remember that “technology” is just a fancy word for “tools”. Nine times out of ten, it’s not the tool, it’s how you use it. To paraphrase Bruce Schneier: “Security is only as strong as the weakest link, and [technology] is almost never the weakest link. The fundamentals of [technology] are important, but far more important is how those fundamentals are implemented and used.”6
The moral of the story is that it’s not your technology, it’s how you use it. There is no one-size-fits-all solution, but there are a number of things that are always reasonable to do (and arguably, not doing so is unreasonable): use strong passwords, use 2-factor authentication when you can, keep your software up to date, use a modern browser, and don’t open links and attachments from strangers.7 Make sure that any tools that you use comply with any record-keeping and privacy obligations you may have, and use the right tools for the job.
If you struggle with IT, don’t try to do it yourself. Find an IT specialist (there are plenty of good local IT consultants and contractors in SW Ontario who can get you set up). You may find that the cost outweighs the liability and risk you might take on with a DIY solution – plus, using an expert is reasonable.
Use Strong Passwords and 2-Factor Authentication
Strong passwords are better than weak passwords.8 Always use strong passwords and encourage your team to do the same. If the applications that you use have an option to require 2-factor authentication, turn that on. 2-factor authentication requires a second password that’s linked to something that only you have access to, like a text message to your phone number, a special dongle, or a pseudo-random number generator.
Use a different password for every account. If you use the same password on every site and one site gets compromised and your password is found out, every site that uses that compromised password has now been compromised. Almost every data breach comes with a corresponding posting of passwords and related email addresses online, and you may want to visit a website like Have I Been Pwned to see if you are one of those unlucky ones caught in a past breach. These websites also let you subscribe to be notified by email in case you’re caught in a breach. If you have been caught, you should update your passwords.
If you are using strong passwords with a different password on every account, there is no way that you are going to remember them all. I use a password manager like the excellent Toronto-based 1Password, which has plug-ins for most modern browsers, as well as a mobile and desktop app. These apps can help you generate your strong passwords.
Keep your Software Updated and use a Modern Browser
By some estimates, there are 15 bugs for every thousand lines of code9 that make their way to the consumer. Some of those bugs are security threats that bad actors can exploit. The easiest way to mitigate this threat is to always keep your software up to date.10 Apple and Microsoft both provide for automatic updates to their operating systems, as does every major modern web-browser.
Speaking of web-browsers, you should only use a modern web-browser like Safari, Firefox, Chrome, or Microsoft Edge. The browser should be current and supported by the developer and you should make sure that auto-update is enabled. If you are concerned about privacy, a recent study has found most browsers leak some information back to the manufacturer, and you can read more about this on the Ars Technica website to see where your favourite ranks.
Don’t Click on Unsolicited Links or Attachments
Downloading and opening an unsolicited document can run malicious code on your computer that can serve as an entry-point for a data breach. Likewise, an unsolicited link can bring you to a website full of malicious code, or a fake login screen intending to trick you into revealing your login credentials. The Canadian Anti-Fraud Centre’s website lists some of the common scams that are currently out there.
Some browsers will catch sketchy links and block them, and decent anti-virus software will catch a lot of malicious code, but this software needs to be kept up to date to function properly and doesn’t catch everything. Be safe and be careful of what you click.
Choosing the Right Tools for the Job
The modern workplace requires collaboration and communication, and there are a lot of software solutions to solve this problem. Some common tools are: Slack, and Microsoft Teams for team chat; Zoom, Skype, and Google hangouts for video meetings; and Dropbox, Google docs, and Sync for file sharing.
Choosing the right tool for you has a number of considerations, among them are:
- What are the privacy policies of the different tools and the implications of those? See Alysia Christiaen’s blog post11 about video privacy policies, for example.
- What are your professional obligations regarding record keeping? For example, some professions and regulated businesses are required to keep records of all correspondences, which would include chats and text messages.
- How secure and reliable is the system that you’re using? If you’re going to be discussing sensitive data in the chat, you want to make sure that those discussions will be securely stored with limited access at the user level. Depending on the sensitivity of the data you handle, you may also want to know where the servers are located and if the data is kept encrypted.
Working remotely can be a challenge, particularly when there are security obligations. Most electronic documents, contracts and signatures are enforceable in Ontario, so a lot of commerce can continue in the age of social distancing. What steps you should take to keep data secure will vary based on your particular circumstances, your professional obligations, and the sensitivity of the data that you deal with.
There are things that everyone can and should do that are reasonable, and failing to do them may be unreasonable:
- Use strong passwords and use a different password on every site;
- Use 2-factor authentication whenever you can;
- Always keep your software fully updated and use a modern browser; and
- Don’t open links and attachments you aren’t expecting.
In addition, make regular back-ups of all your data. Destroyed data can also create liabilities. One advantage of many cloud services is that they provide built-in back-up systems, but no matter what back-up system you set up, test it and make sure you can access your backed-up data.
Using the right tool for the job is also important, but this will depend on your circumstances. If you’re not an IT expert, reach out to someone who is for help. That is always a reasonable thing to do.
Finally, be prepared in the event of the unthinkable and you are caught the victim of a data breach. Having a data-breach response plan means that you have thought through your particular circumstances and know what your liabilities and risks may be. What data do you have? What are your liabilities if it is destroyed or disclosed? What are your obligations for reporting a breach (you may have obligations under PHIPA, PIPEDA, GDPR or the CCPA)? Having a plan is the first step in being prepared.
If you’re concerned about the “it depends”, Lerners business lawyers are always here to help.
1See, e.g., Druet v. Girouard, 2012 NBCA 40.
2See the Terms of Service; Didn’t Read website, a project intended to make terms of service agreements more accessible for consumers.
3See, e.g., Rudder v Microsoft Corp., 1999 CanLII 14923 (ON SC).
4Secure electronic signatures are a defined term under the Secure Electronic Signature Regulations, SOR/2005-30 made under PIPEDA and the Canada Evidence Act, and have more legal authority than other kinds of electronic signatures.
5But if you do need that sort of thing, you can check out the ProtonMail website.
6Bruce Schneier, preface to “Practical Cryptography”, available on the Schneier on Security website.
7See, e.g., Jennifer L. Hunter, “Cyber Security in the time of COVID-19”, available online at the Lerners LLP blog: Cyber Security in the time of COVID-19.
8See Jean-Paul Delahaye, “The Mathematics of (Hacking) Passwords”, originally published on Scientific American, and available online from the Pocket Worthy website for an explanation of the math behind this.
9See, e.g., Ariel Assaraf, “This is what your developers are doing 75% of the time, and this is the cost you pay”, available online at the Coralogix website.
10See, e.g., Greg Norcie, “Yes, You Should Always Update your Software”, available online from the Center for Democracy & Technology website.
11Alysia M. Christiaen, “Online Video Conferencing – Don’t Forget About Privacy!”, on the Lerners LLP blog.
12Always be careful of what you put in writing, even over text. See, e.g., Josh Gerstein, “In texts, FBI agents on Russia probe called Trump an ‘idiot’”, available online at the Politico website.