Boards must take privacy breach response seriously: Levine
By AdvocateDaily.com Staff
Levine says she has recently noticed that cybersecurity issues are more likely to be elevated to board-level discussions, defying previous trends.
“It’s not sufficient any longer to just shrug and say, ‘I don’t really understand technology, that’s an operational issue,’ because the public won’t accept it,” she explains. “Increasingly, boards need to ask the same kinds of hard questions they do in other areas. Nobody would ever think of saying that a board should not be financially or culturally aware.
“Now they have to bring the same kind of awareness and oversight to cyber and information technology issues,” Levine adds.
When it comes to privacy breaches, she says the number of cautionary tales grows by the day, with any number of hospitals, retailers, and other businesses forced to deal with the fallout from a hack or cybersecurity lapse.
“It’s not just tech companies that have to be concerned with this, because attacks can have a long-lasting and substantial impact on all aspects of the organization, including its revenues and reputation. And there is obviously a range of legal liabilities that can arise too,” Levine says. “It’s something that all boards must be thinking about so that they don’t have to figure out what to do on the fly when disaster strikes.”
In order to avoid being caught short, she suggests boards implement policies and procedures laying out a plan of action in the case of a breach.
“They should also be considering matters like insurance, reporting lines, and crisis management plans. Public relations advisors should be lined up and ready to go,” Levine says.
She says organizations will have different reporting obligations depending on their industry sector and the nature of the information they hold on individuals.
The Office of the Information and Privacy Commissioner for British Columbia has put together a breach-response protocol to help businesses develop a roadmap for dealing with breaches and to understand their legal obligations under the province’s Freedom of Information and Protection of Privacy Act. The protocol lays out four basic steps for organizations:
- Step One: Report and Contain
- Step Two: Risk Evaluation
- Step Three: Notification
- Step Four: Security Safeguards and Prevention Strategies
Meanwhile, on Nov. 1 the new mandatory breach-reporting regime under the federal Personal Information Protection and Electronic Documents Act came into force.
Organizations subject to PIPEDA will now be required to file a report with Canada’s Privacy Commissioner about any breach of security safeguards that creates a “real risk of significant harm,” and to notify individuals affected by the breach.
There are also new record-keeping and record retention requirements.
While breach notification requirements have existed in Alberta since 2010, and in many US states since the early 2000s, until recently many Canadian boards have been slow to add people with privacy knowledge to their teams.
Levine says she’s pleased to see that the tide seems to be turning.
“Board governance must extend to all areas of risk, including privacy and cyber-risk. There simply is no going back,” she says.