Every few months there is a breaking story about passwords being hacked, stolen or compromised. As recently as last June, it was reported that roughly 6.5 million hashed and encrypted passwords used to access the professional social networking site “LinkedIn” were compromised and posted on a Russian hacker site two days later. While those of us who are immersed in the world of IT and ESI are fully aware of the need to use strong and secure passwords to protect our data, it is not a common practice amongst the general population.
Just ask Andrew and Patricia Murray, contestants on the short-lived Fox game show “Million Dollar Money Drop”, who lost over $580,000 in potential winnings when asked the following question: “According to the data security firm at Imperva, what is the most common computer password?”
The answer choices provided were: A) password, B) 123456 or C) I love you
On the game show, contestants answer a series of multiple-choice questions and wager some (or all) of their winnings based on their confidence in knowing the correct answer. Based on “their personal knowledge of surveys and articles”, the Murrays answered “password” and lost all of the $580,000 in accumulated winnings after the correct answer was revealed to be “123456”.
As the correct answer provided by the game show was solely based on the data collected by Imperva and there is no comprehensive data on all computer passwords, it is hard to say for sure whether “password” or “123456” is the most commonly used computer password. A quick Google search on commonly used passwords yielded hundreds of sites which have both “password” and “123456” listed in their top ten results. So it seems there may be some validity to it.
While the Murrays and the Google search could not definitively confirm the most commonly used password, they do serve as a gentle reminder to the general population that they should be using stronger and more secure passwords to protect their data.
For those of you still using “123456”, here are a few tips on how to create stronger and more secure passwords:
The privacy pendulum in Canada continues to swing – this time toward increased privacy rights in the workplace. For the last several years, employees have been advised that they had no expectation of privacy for personal information created and stored on digital devices owned by their employer. Apparently, the Supreme Court of Canada disagrees with this principle and recently confirmed in a landmark decision that employees have a reasonable expectation of privacy in some circumstances.
In the R. v. Cole decision released Friday, October 19th, Canada’s highest court considered the privacy rights of an employee teacher who stored child pornography on his work computer. In its decision, the Court confirmed that employees do have limited rights to privacy for personal information on workplace digital assets, as long as personal use is “permitted or reasonably expected.” However, based on these particular facts, the Court held that the expectation of privacy was overridden by the importance of the evidence to the case.
In general, the Court noted that computers (at home or in the workplace) contain information that is “meaningful, intimate, and touching on the user’s biographical core”. As such, “while workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely.”
This decision will impact on the collection practices of organizations engaged in the discovery phase for litigation, regulatory investigation or audit. The right of an employer to simply collect all information on workplace digital devices, once believed to be unfettered, will have to be examined in light of this decision. Further, it is likely we will see an increase in workplace policies prohibiting the personal use of workplace assets.
In a recent Nova Scotia Supreme Court ruling, the plaintiffs in Velsoft Training Materials Inc v Global Courseware Inc, 2012 NSSC 295 (CanLII) were ordered to share the details of the searches they used in identifying relevant records included in their production.
The defendants, Global Courseware, argued that the plaintiffs had not disclosed all relevant electronic records, since the defendants had produced over 68,000 records, while the plaintiffs had only produced about 2,800. According to the defendants, significantly different search criteria had to have been used by each party. The defendants provided their search criteria to the plaintiffs, but the plaintiffs refused to reciprocate.
Justice Wood ruled that a discrepancy in the number of records disclosed by each party was not, in and of itself, sufficient reason to compel further disclosure. However, he did rule that the defendants were entitled to know the search criteria that the plaintiffs used, so that they could decide, based on that, if they wanted to challenge the completeness of the disclosure.
Sharing of the methodology to identify potentially relevant records is encouraged in many jurisdictions, including Ontario where it is part of the Discovery Plan. The Ontario Implementation Committee Model Discovery Plans go further than just sharing search terms, requiring the parties to:
“Identify and prioritize key authors and custodians, record types, relevant time frames, locations, and other parameters within which search will be conducted for relevant records. Consider anticipated volume of records, cost and resources required to search for and review records for relevance, and the importance and complexity of the issues. Prioritize steps to be taken and consider whether a phased approach is appropriate. If so, set out protocol for phased search.”
Sharing and agreeing to record identification methodologies at the outset of a matter is one way to significantly reduce the costs involved in producing electronic records. Wortzman Nickle can assist you in developing and reviewing your identification processes.