Canadian Lawyer InHouse

November/December 2018

Legal news and trends for Canadian in-house counsel and c-suite executives

Issue link: https://digital.canadianlawyermag.com/i/1045589

Litigation and Arbitration

By Caroline Deschênes

Five steps to minimize privacy class action

Practical steps to limit the potential for damages.

Over the past decade, the number of privacy class actions has increased dramatically. This is because privacy breaches often affect a vast number of individuals who have suffered only a modicum of damages. With the coming into force of new obligatory notification regimes, such as that under the Personal Information Protection and Electronic Documents Act as of Nov. 1, this tendency is not going to subside any time soon.

A class action can entail substantial costs, including defence fees and negative publicity, not to mention the cost of settlement or court-ordered compensation. So, what can organizations do to minimize these risks?

The way an organization reacts to a privacy breach may be determinative of its consequences and the chances of a class action ensuing. A well-thought-out incident response plan is an indispensable tool in such circumstances. An IRP should include the following five steps.

INCIDENT IDENTIFICATION

Under the direction of the incident response team, the first step is to identify, as far as possible, the kind of information involved, the nature of the incident, whether the incident is ongoing or occurred in the past and the cause of the incident. This preliminary assessment will indicate the nature of the subsequent actions necessary to minimize the negative effects.

INITIAL RESPONSE AND CONTAINMENT

Measures should be taken immediately to contain the effects of the incident and prevent the loss of additional information or any other negative impact on the organization or third parties. The nature of these measures will depend on the type of breach that occurred. For example, the reaction to a cyberattack using ransomware will not be the same as that of an email erroneously sent by a distracted employee.

INVESTIGATION

Once the incident has been identified and contained, a more in-depth investigation is called for, in order to determine the type of information involved, as well as:

• the persons affected by the incident;
• whether the information has been lost, stolen, etc.;
• whether the information can be recovered or not;
• who has accessed the information (in order to be able to take steps to mitigate the risk of the information being more widely distributed);
• the cause of the incident (in order to determine if security measures can be implemented immediately).

NOTIFICATION

Certain legislation, such as Alberta's Personal Information Protection Act, and as of Nov. 1, PIPEDA, provides for mandatory notification of privacy breaches to the privacy commissioner and/or the individuals concerned. There could also be contractual obligations to notify in the event of a breach. But even if not mandated by a statute or contract, notification may be desirable in order to allow affected individuals to mitigate their damages; for example, by taking steps to prevent identity theft.

Under certain circumstances, affected organizations should offer assistance to individuals whose information has been compromised (such as free credit monitoring). If a class action ensues, the organization's reaction to the incident will be closely scrutinized, and if appropriate measures have been taken, this will allow it to significantly reduce its exposure.

COMMUNICATIONS

A communications plan should be drawn up in order to limit the negative effects of the incident, particularly on the organization's reputation. Any communication should be carefully thought out, in order to ensure that (1) appropriate language is used, so as to minimize risks in the event of litigation; (2) sufficient information about the incident is provided; and (3) privileged information is not disclosed.

Finally, the execution of all steps of the IRP should be recorded — while ensuring that privilege and evidence are preserved — as such information could prove to be useful in defending against a class action.

While organizations have little control over developments in the law, they can compensate by adopting measures aimed at obviating the risk of privacy breaches and limiting the damages.

Caroline Deschênes is a partner at Langlois lawyers LLP.
