The Canadian Bar Insurance Association
Legal Suppliers

The impact of mandatory reporting of data breaches

Canadian companies need to brace themselves for upcoming regulations requiring them to publicly report their data breaches, says Jason Green, principal of Hexigent Consulting, an Oakville-based digital investigations and cybersecurity firm.

“I think it’s going to generate a whole new set of challenges,” Green tells

Under impending mandatory data breach notification rules, Canadian organizations will have to notify the nation’s privacy commissioner and affected individuals when it’s reasonable to believe a data breach they have experienced will cause significant harm, Green says. 

Organizations will be required to keep records of every breach, including a list of the people they informed, he says. 

The Digital Privacy Act, passed mid-2015, revises the Personal Information Protection and Electronic Documents Act (PIPEDA) to include the new regulations, which are still being finalized.

Mandatory breach reporting, already in place in the United States and Alberta, could create risks and significantly increase costs for businesses in the rest of Canada when adopted, Green says. 

Organizations may have to install technology to expediently identify data leaks, he says. They will have to create operational policies and procedures to efficiently report them, he adds.

“I think this is key for a number of those mid-market businesses that don’t have large, complex security teams or privacy-focused individuals,” Green says. “They may have to change the way they do certain things.”

Companies will need to think through the implications of a possible data leak, he says. “They need to say, ‘OK, I’ve been breached and I have to notify all of our affected clients. How do I do that? What level of data can I provide back to the clients? And what are my risks and limitations? So what is it, essentially, that could come from this?'

Organizations may be exposed to a greater risk of litigation, such as class-action lawsuits, he adds. In the past, companies could try to fix breaches quietly in the background. But now that they have to make them public, legal action may follow, he says.

Green points to the massive Equifax cyber data breach south of the border, which the company was obliged to disclose. Since Sept. 7, when the Atlanta-based credit reporting firm revealed the problem, it has been hit with more than 70 class-action lawsuits, according to USA Today

Businesses should ask themselves if they too could be subject to legal action if their data is compromised and whether they need to buy cyber insurance, Green says. 

They could also hire privacy specialists to do a data breach impact assessment, he says.

“In an ideal world, they should bring someone to the table that understands the legislation and the general risk around cyber threats and can come forward with an effective plan for what needs to be changed in the business to be able to meet this legislation,” Green says. 

A major challenge for smaller companies is that the new rules won’t make allowances for their size, he says. 

The maximum fines for delinquent organizations will be $10,000 per incident upon summary conviction and $100,000 for an indictable offence, Green says. “That’s OK, possibly, for large companies that can weigh the risk of paying that fine,” he says. “But for small companies that could be absolutely crushing.”

In data breaches, one of the greatest risks is to a company’s good name, he says. “The moment there is a breach there is a reputational impact.” Financial losses often follow, he adds.

Businesses need to be ready with a good communications strategy, Green says. “You need to manage not only the reporting but everything around it as well: public relations, the messaging to your business partners, to your clients, to your staff,” he says. 

Organizations will be allowed to briefly delay reporting a breach while they investigate its breadth and depth, including whether fraud or other criminal activity is involved and if they are still vulnerable, he says. “The first thing you do is try and close the door.” 

This is sensible because hastily reported information could be incorrect, Green says. “You need to inform people as soon as possible, but you need to inform them of the facts.” 

Consumers, for their part, should protect themselves by being more conscious about what personally identifiable information they provide, he says. “That is the crux of all this.” 

If individuals ask more questions about why their personal data is being requested, companies may demand it less often, and the impact of any future breach will be less severe, Green says. 

 “So I'm hoping all of this drives some changes for the consumer as well as for the companies themselves,” he says.

To Read More Hexigent Consulting Posts Click Here
Lawyer Directory
BridgePoint Financial Services (post to 5.31.19)Toronto Lawyers Association (post to 6.30.19)MKD International (post until Sept. 30/18)Feldstein Family Law (post until May 31/19)Greystones Health Steve Rastin (post until Jan. 31/19)Dewshi Law Practice Gelman & Associates