How should a company deal with potential threats to the privacy and security of its data?

Companies of every type are falling victim to intentional breaches of the privacy and security of their data. Most recently, the WannaCrypt ransomware attack left hundreds of thousands of computers around the world affected, including the U.K.’s National Health Service, FedEx, and universities from China to Canada.

The internet is a torrent of information, and as soon as data exchanges hands, risk is created. That’s why well-drafted contracts will include clauses to protect the confidentiality and security of information that has been disclosed. In an effort to protect themselves from liability, companies who disclose information to others will include indemnification clauses in their contracts for breaches of data security, while those companies who process or store such disclosed information will also try to include indemnity clauses in their sub-contracts. Adequate insurance coverage is prudent, but effective cybersecurity is essential.

In a recent telephone survey by Fair, Isaac and Company, a variety of Canadian businesses were asked about data breaches. While around three-quarters recognized the growing risk, less than half were planning to improve their cybersecurity, either by putting the appropriate safeguards in place or obtaining cybersecurity risk insurance.

Why so few? It appears that such extensive data breaches are a relatively new phenomenon, leaving it easier to be reactive than proactive. The “it won’t happen to me and it’s too expensive to do anything about it” mentality can be risky. Regardless, at the very least, a swift response after a breach has occurred is essential.

Affected customers or users may seek damages against your business if their information becomes public. Class action lawsuits are common and if one is filed, it is important that your business be able to demonstrate the steps taken to to protect customer data. This will help to minimize the severity of the claims made against it and, consequently, the liability it will incur.

So, what should a company do if it is the victim of a security breach, or wants to avoid becoming one?

First - be sure to take the appropriate precautionary measures.

In Ontario, companies are responsible for all aspects of the safekeeping and safeguarding of data. That means putting policies and procedures in place to keep data private and secure.

According to the Information and Privacy Commissioner of Ontario (IPC), recommended precautionary measures to consider include:

  • Physical measures (e.g., locks, alarms);
  • Technological measures (e.g., password protection, encryption, use of firewalls);
  • Organizational measures (e.g., contractual duties like on a need-to-know basis, use of security clearances); and
  • Checking to make sure these measures are kept up-to-date and any deficiencies are being uncovered, documented and addressed.

In the event of a data breach, having and following established protocols to respond to and minimize the leak can go a long way in persuading a court that the company’s liability should be limited or reduced.

This was the situation in the Ontario Superior Court of Justice’s 2016 ruling on Home Depot’s proactive response to a data breach. In this case, Home Depot contacted all affected customers to give them notice of the breach and offered them free remedial resources, such as credit monitoring and identity theft insurance. The Court pointed out that Home Depot could have done nothing more to prevent the breach or remedy the breach once it had occurred.

Second - be sure to comply with emerging laws and regulations related to data breaches.

In Ontario, a number of amendments to the Personal Information Protection and Electronics Document Act (PIPEDA) were made in the new Digital Privacy Act,which received royal assent in 2015. The amendments include allowing the Privacy Commissioner to enter into agreements with companies to ensure their compliance, as well as making it mandatory to report, notify, and keep records of data breaches with “real risk of significant harm”.

The IPC emphasizes the following risk management steps:

  • Notifying the affected parties as soon as possible;
  • Working to contain the data breach;and
  • Performing an internal investigation, including:
  • Reviewing company policies and procedures;
  • Uncovering how the data breach could have occurred; and
  • Recommending how a data breach can be prevented from happening again in the future.

While no one can completely eliminate the possibility of a cyber attack, following these precautions can significantly reduce your company’s exposure to liability for a security breach. It’s better to be safe than sorry!