Companies of every type are falling victim to intentional breaches of the privacy and security of their data. Most recently, the WannaCrypt ransomware attack left hundreds of thousands of computers around the world affected, including the U.K.’s National Health Service, FedEx, and universities from China to Canada.
The internet is a torrent of information, and as soon as data exchanges hands, risk is created. That’s why well-drafted contracts will include clauses to protect the confidentiality and security of information that has been disclosed.
In a recent telephone survey by Fair, Isaac and Company, a variety of Canadian businesses were asked about data breaches. While around three-quarters recognized the growing risk, less than half were planning to improve their cybersecurity, either by putting the appropriate safeguards in place or obtaining cybersecurity risk insurance. Why so few? It appears that such extensive data breaches are a relatively new phenomenon, leaving it easier to be reactive than proactive. The “it won’t happen to me and it’s too expensive to do anything about it” mentality can be risky. Regardless, at the very least, a swift response after a breach has occurred is essential.
Affected customers or users may seek damages against your business if their information becomes public. Class action lawsuits are common and if one is filed, it is important that your business be able to demonstrate the steps taken to to protect customer data. This will help to minimize the severity of the claims made against it and, consequently, the liability it will incur.
So, what should a company do if it is the victim of a security breach, or wants to avoid becoming one?
First – be sure to take the appropriate precautionary measures.
In Ontario companies are responsible for all aspects of the safekeeping and safeguarding of data. That means putting policies and procedures in place to keep data private and secure.
According to the Information and Privacy Commissioner of Ontario (IPC), recommended precautionary measures to consider include:
Physical measures (e.g., locks, alarms);
Technological measures (e.g., password protection, encryption, use of firewalls);
Organizational measures (e.g., contractual duties like on a need-to-know basis, use of security clearances); and
Checking to make sure these measures are kept up-to-date and any deficiencies are being uncovered, documented and addressed.
In the event of a data breach, having and following established protocols to respond to and minimize the leak can go a long way in persuading a court that the company’s liability should be limited or reduced. This was the situation in the Ontario Superior Court of Justice’s 2016 ruling on Home Depot’s proactive response to a data breach. In this case, Home Depot contacted all affected customers to give them notice of the breach and offered them free remedial resources, such as credit monitoring and identity theft insurance. The Court pointed out that Home Depot could have done nothing more to prevent the breach or remedy the breach once it had occurred.
Second – be sure to comply with emerging laws and regulations related to data breaches.
In Ontario, a number of amendments to the Personal Information Protection and Electronics Document Act (PIPEDA) were made in the new Digital Privacy Act, which received royal assent in 2015. The amendments include allowing the Privacy Commissioner to enter into agreements with companies to ensure their compliance, as well as making it mandatory to report, notify, and keep records of data breaches with “real risk of significant harm”.
The IPC emphasizes the following risk management steps:
Notifying the affected parties as soon as possible;
Working to contain the data breach;and
Performing an internal investigation, including:
Reviewing company policies and procedures;
Uncovering how the data breach could have occurred; and
Recommending how a data breach can be prevented from happening again in the future.
While no one can completely eliminate the possibility of a cyber attack, following these precautions can significantly reduce your company’s exposure to liability for a security breach. It’s better to be safe than sorry!
– – –
This article is provided for informational purposes only and does not create a lawyer-client relationship with the reader. It is not legal advice and should not be regarded as such. Any reliance on the information is solely at the reader’s own risk. Clausehound.com is a legal tool geared towards entrepreneurs, early-stage businesses and small businesses alike to help draft legal documents to make businesses more productive. Clausehound offers a $10 per month DIY Legal Library which hosts tens of thousands of legal clauses, contracts, articles, lawyer commentaries and instructional videos. Find Clausehound.com where you see this logo.