Litigation counsel useful following a cyber breach
By AdvocateDaily.com Staff
Businesses that suffer privacy breaches should retain outside counsel as quickly as possible to help them deal with the full legal repercussions of such an event, Fredericton litigator Matthew Pearn tells AdvocateDaily.com.
The federal government recently provided more detail on its planned mandatory breach reporting regime under the Personal Information Protection and Electronic Documents Act (PIPEDA), but Pearn, an associate with Foster & Company, says that’s not the only thing cyberattack targets have to worry about.
“Strategically, you need to think not only about your obligations under the law but also about defending future lawsuits. Your preparation needs to include both an investigation and an attempt to fix any harm done,” he says. “The earlier you can engage counsel for these sorts of considerations, the better.”
While many companies will have in-house legal help, Pearn says that litigation counsel are often better placed to protect their clients, especially in the heightened post-breach environment.
“The early stages of an investigation can present red herrings and inaccurate speculation about the source of a breach,” he says. “Hiring a lawyer provides an opportunity to avail yourself of advice.
“But in addition, when you’re trying to figure out how a breach occurred, some of those internal conversations are ones you may want to claim privilege over at a later date. By having litigation counsel in the room, you may be able to shield some of them from discovery later on.”
Outside counsel can also assist clients with ever-evolving breach-reporting standards, Pearn adds. The federal government amended PIPEDA in 2015 to include a requirement that businesses covered by the Act report certain leaks of personal information.
Draft regulations issued this fall suggest organizations will be forced to notify both the Office of the Privacy Commissioner of Canada and affected individuals of security breaches that present a “real risk of significant harm” to individuals.
The notice to the privacy commissioner must be in writing, while the notice to individuals can be delivered by email, letter, telephone or in person, detailing the following information:
- a description of the circumstances of the breach;
- the personal information that is the subject of the breach;
- the steps the organization has taken to reduce the risk of harm to the affected individual;
- the steps the person could take to reduce their own risk of harm resulting from the breach;
- a toll-free number or email address where the affected individual can obtain further information about the breach;
- information about the organization’s internal complaint process and how to complain to the privacy commissioner.
“These obligations are fairly onerous and time-consuming,” Pearn says. “And by reporting to individuals, organizations will be opening up the possibility of claims being advanced against them.”
He says businesses with relatively narrow data on individual customers will have less trouble complying with the new rules than others, such as those in the insurance or health industries, that have stored a broad variety of information about individuals.
“That will make dealing with a privacy breach more challenging for them, at least in terms of reporting,” Pearn says.