On November 1, 2018, Canada reached a new milestone in the development of its data breach notification rules under the Personal Information Protection and Electronic Documents Act (PIPEDA). Under the updated legislation, businesses that collect, use, and disclose personal information will be required to report if there is a breach of security safeguards that poses a “real risk of significant harm” to individuals. Failure to report or keep records related to these significant data breaches may result in fines of up to $100,000.
To determine if there is “real risk of significant harm”, organizations must consider the sensitivity of personal information, the circumstances of the breach, and the probability that the personal information has been, is being, or will be misused.
In today’s digital world, we are constantly sharing information online and communicating through social media platforms. Data breaches happen and will continue to happen in the foreseeable future. In order to prepare and respond to issues related to data and privacy—and comply with the rules under PIPEDA—we offer the following guiding principles:
Assume when, not if
The data revolution is here and businesses need to be ready. Data breaches and privacy issues are arguably inevitable, with new cases making headlines on an almost daily basis. For example, Canada Post recently admitted to a privacy breach involving thousands of cannabis customers in Ontario. From small businesses to major corporations, organizations are learning the hard way about how damaging these online attacks can be. However, having a plan in place and preparing your employees for future incidents can make a big difference.
Own the issue
Data breaches are serious and can have major consequences. From business losses to reputational damage, there is a lot at risk when you are handling—or mishandling—sensitive information. When a breach occurs, it is important for companies to be aware of how their behaviour is influencing public perception. Customers and stakeholders value transparency and authenticity, and will be far less forgiving if a company falls victim to a breach and fails to be forthright or attempts to hide its mistakes.
Demonstrate your values
Every crisis is an opportunity to demonstrate leadership. While it may not be top of mind in the immediate aftermath of a breach, the attention generated by a crisis gives companies the chance to show alignment with the values that people admire, like trustworthiness, honesty, and respect.
While data breaches and cyberattacks are devastating, the risks are higher for companies that aren’t prepared. From broken trust to permanent reputational damage, companies need to be aware of the impact privacy-related issues can have on their business. In the immediate aftermath of a breach, the focus will be on containing the incident and determining its cause; however, having a response plan that includes communications and considers the values of customers, stakeholders, and the public will make a big difference.
From planning, to response, to recovery, our team of experts can prepare you to respond to potential challenges and select platforms that enhance your visibility. Learn more about our crisis management services.
——— Written by Kevin McCann, Partner, and Bridget Burgess, former Consultant, NATIONAL Public Relations