M&A Lawyers Found to Breach Privacy by Posting Information to Securities Database

The Alberta Privacy Commissioner (Commissioner) has found two law firms engaged to advise on an M&A transaction to be in breach of Alberta's Personal Information Protection Act (PIPA) when data was posted by the law firms to SEDAR, the System for Electronic Document Analysis and Retrieval. In the relevant transaction, Builders Energy Services Ltd (Builders) acquired Remote Wireline Services Ltd (Remote) and then amalgamated with it and continued the business formerly operated by Remote. Both companies were in the oilfield service business. The acquisition agreement contained representations and warranties about the Remote business which included a requirement to list employee names, a list of any employment agreements and details regarding company pension plans. When relevant employee information was passed by Remote to its solicitors for forwarding to Builders' solicitors, it included personal information about the employees (including home addresses and SINs). The personal information was not requested by Builders. The solicitors for Builders did not notice that the data provided contained personal information and the information found its way into schedules to the acquisition agreement and, from there, because it was a material contract, into a SEDAR filing, freely available to the public on the SEDAR web page. The Commissioner held that the personal information was clearly not "necessary" for the parties to carry out the transaction within the meaning of PIPA. Further, the Alberta Securities Commission can authorize the removal of sensitive information before a contract is posted to SEDAR. The question before the Commissioner was who should be held responsible for the unauthorized disclosure. The Commissioner found that both Builders and Remote were "accountable" for the improper disclosure; however, no recommendations were made regarding them because Remote had been amalgamated (and therefore had ceased to exist as a separate entity) and because Builders had subsequently created a privacy policy and appointed a Privacy Officer. Regarding the two firms of solicitors, the Commissioner found both firms to have been accountable for the disclosure and made recommendations for both firms, which, in general, involved training of personnel (both lawyers and non-lawyers) regarding the implications and importance of privacy law requirements and regarding the firms' processes for dealing with privacy issues during transactions. For the Commissioner's Report, see: http://www.oipc.ab.ca/ims/client/upload/P2005_IR_005.pdf Summary by: The Editor