Hacked: Responding to a Cybersecurity Breach

Data breaches now represent significant litigation risks. Here are some important steps to take when your company falls victim.

Cybersecurity has become a top-of-mind concern for senior C-suite executives — and it’s no surprise why, as recent data breaches against some major organizations have gained significant profile. Thus, senior executives and risk managers need to not only focus on preventing a data breach, but also be prepared to deal with the repercussions of one when it does take place.

“The pervasiveness of cyberthreats is such that it is no longer realistic to think your organization won’t be hacked,” says Christine Ing, a partner with Blake, Cassels & Graydon LLP (Blakes) in Toronto and co-practice group leader of the law firm’s national technology group. “It’s really a question of ‘when’ and not ‘if’ it will happen, and all organizations should develop and maintain a plan of action in the event of a security breach. . . . The more prepared an organization is for being hacked, the more quickly it will be able to react properly to control the situation and mitigate its impact.”

In fact, the impact of a data breach on a business could be quite significant and include loss of core business functions, reputation and customer trust. It may even result in litigation and class actions, a risk that has increased significantly in Canada recently, says Catherine Beagan Flood, a partner with Blakes in Toronto who practises class action defence.

“Historically, it was very difficult for plaintiffs’ counsel to get class actions certified in cases of a privacy breach, but we’ve seen a trend during 2014 toward certification of those types of claims,” she explains. “So, the scale of the litigation claims that companies face has become much more significant.”

In turn, Beagan Flood recommends several things that companies need to do to protect themselves in the event of a data breach. First, releasing an official statement to the media soon after a breach has taken place is a great strategy in many cases, and allows you to get in front of the issue. Saying, “No comment,” or not returning journalists’ telephone calls can exacerbate the damage your company faces because it loses control of the message.

“Unless there’s a security or law enforcement reason to not disclose a breach at an early stage, the best response often is to issue an early, proactive press release to the media that describes, to the extent that you’re able to, both the scope of the breach and what your company has done and is doing to contain it and to fix the problems for affected individuals,” Beagan Flood says.

In some cases, issuing notification of a breach is not only a great strategy, it’s also the law. That’s because there are certain privacy laws that may require notice to regulators and individuals affected by the breach.

“There are more notification requirements for health information than for other types of personal information,” Beagan Flood notes. “And you also need to consider the likelihood of harm to individuals. It’s more likely you’ll have a legal duty to give notice to individuals if there’s real potential they’ll be subject to identity theft or fraud — and if your notice will enable them to mitigate that risk.”

Currently, she adds, only Alberta has a private sector privacy statute that requires breach notification in some circumstances; a number of provinces have health privacy legislation that requires notice as well.

“But there’s currently a bill before the House of Commons that, if enacted, will create a national mandatory breach notification requirement throughout the private sector. If it’s passed, we expect to see more privacy class actions in Canada because there will be even more circumstances in which a breach has to be reported,” Beagan Flood says.

One thing you need to be aware of when issuing a press release or a notice is that the content itself may have a significant impact on litigation risk. In fact, the statements of claim that are increasingly being brought against companies often quote from the companies’ notices to individuals, alleging that those notices constitute admission of elements of the claim.

“It’s important to get litigation advice before issuing a press release or notices to individuals because what you say in that notice may well be quoted against you later in litigation,” Beagan Flood says.

“The Privacy Commissioner of Canada has issued a privacy breach checklist that includes a list of information that she recommends be included in the notice to individuals — and it will be important to show you took that list into account.”

Another major step you should take to mitigate litigation risk is to conduct an internal investigation to determine the extent of the breach, how it happened, who was involved, and also how to contain the breach and fix the problem.

“You need to make sure that the investigation is, and will be perceived to be, independent and impartial,” Beagan Flood notes. “It would be a good idea to have external counsel be the one to conduct the investigation simply because solicitor-client privilege will be maintained over counsel’s work, including the investigation report and witness statements.”