A version of this post appeared on LinkedIn.
It might surprise you to learn that for some time Alberta was the only province that had mandatory breach reporting requirements. In every other Canadian jurisdiction, organizations that exposed or lost sensitive personal information had virtually no legal obligation to notify affected individuals.
On November 1, an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) made breach reporting mandatory in circumstances where a “breach of security safeguards” might expose a Canadian to a “real risk of significant harm.”
According to the new regulation, “real risk of significant harm must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information has been/is/will be misused.”
What does this mean for communications professionals?
Every organization operating in Canada that cares for personal information, including employee information, needs to understand its obligations and be prepared for the worst-case scenario.
As a first step, an internal working group should audit the personal information the organization collects, stores or processes, and map the ways in which that information could be exposed. We often think of big cyber-attacks, but the regulations also cover misuse of information, lost devices or files, and other smaller-scale events that could expose private or sensitive data.
The internal team should include representatives from your communications, legal, information technology and security departments. Together you need to devise a plan that seeks to answer a few key questions:
- How would the team find out about a breach?
- Who needs to be on the breach response team?
- What will each member of the team be tasked with doing?
- Who are the key stakeholders and what methods are available to reach them?
As part of the planning process, the team should determine the need for external experts and ensure relationships are established well in advance. In almost all cases, your company will want to engage external legal counsel that specializes in privacy law. In many scenarios, you will need assistance from third-party forensic experts and communications professionals. You might even need a partner capable of handling mass-mailing services for notification, or an external call center capable of handling significant volume, as the new law requires you to provide a contact number for affected individuals to call for more information.
It’s also not a bad time to ask your risk department if you have a cyber policy, and whether that policy will cover the costs of forensic, legal and public relations support following a breach.
The team also needs to be clear about the methods of notification available. If your company is lucky enough to have reliable contact information on file, such as emails, addresses or phone numbers, you can contact those individuals directly. If you don’t have that information, you will likely be required to use indirect methods, such as paid digital and newspaper advertisements, website updates and targeted social media postings.
Most importantly, the team must consider the reputational impacts of a data breach and consider strategies and tactics for managing your organization’s brand following a breach.
For years, the Edelman Trust Barometer, our keystone annual global study on the state of institutional trust, has highlighted data security and privacy as a key issue. In 2014, 80 per cent of global consumers told us that the failure to keep customer information secure impacts their trust in a company. In 2018, “safeguarding privacy” rose to the top of the list as the most important trust-building mandate for institutions across the globe.
I often hear from clients during a breach that they never thought it would happen to them. The truth is that it’s happening to everyone. According to a report released by Statistics Canada, Cyber Security and Cybercrime in Canada, 2017, more than one in five Canadian companies were hit by a cyber-attack last year and only 10 per cent reported it to law enforcement agencies.
When we think of privacy breaches, we often think of the big ones like Yahoo!, Facebook, or Home Depot, but all signs indicate that we’re about to hear about breaches of all sizes a whole lot more.
Is your company prepared?
Greg Vanier is a senior vice president, Crisis & Risk, Toronto.