Happy Data Privacy Week, Canada! 4th Edition
It is Day Four of Data Privacy Week and our topic today is about the important ways your organization can manage legal, regulatory and reputational risks when developing public communications about data breaches involving personal information.
McMillan’s Top 5 List of Strategies for Managing Legal, Regulatory and Reputational Risks When Communicating Publicly about Data Breaches
- Develop an Incident Response Plan. A readily deployable incident response plan with clear roles and responsibilities for incident investigation and communications, among other critical functions, will facilitate thoughtful and organized breach communications that will inspire confidence that your organization is in control of the situation and is managing it effectively.
- Understand Your Statutory Requirements and Legal Risks. Canada has a complex legal and regulatory framework of privacy laws that includes various public sector, private sector and industry-specific laws that can apply directly or indirectly to your organization in certain circumstances. Many of these laws require the delivery of data breach communications to regulators and affected individuals in certain circumstances and, where applicable, include specific content requirements. Even where there are no statutory communication requirements, to reduce potential exposure to damages it may nonetheless become advisable in the circumstances to notify those affected about potential harms and steps that they can take to protect themselves. Breach communications should be carefully developed to address your organization’s legal and regulatory requirements.
- Always Have Breach Communications Vetted by Legal Counsel. OK, this one is a bit of a shameless plug, but we’re serious! In practice, breach communications are often delivered before a thorough investigation can be completed and, as such, it is possible that the initial description of an incident and its potential effects may paint a more dire picture of the organization than is warranted in the circumstances. While breach communications are often prepared with a level of compassion and empathy that is appropriate for the circumstances, care should be taken to avoid inviting unwarranted litigation risk by including statements that may incorrectly be construed as an admission of fault or wrongdoing. On the other hand, where it is known that there has been a failure of the organization’s preventative safeguards (or a failure to implement sufficient safeguards), it is important that the communication not be misleading in any way. As such, it is critical to vet breach communications with legal counsel before they are finalized to ensure your organization maintains a stable litigation posture.
- Prepare Answers to FAQs and a Complaint Escalation Procedure. Proactively preparing thoughtful responses to common questions that arrive immediately in response to a widely distributed breach communication provides an organization with a meaningful opportunity to face individual concerns head-on before they spiral into regulatory complaints or litigation. Quickly escalating appropriate inquiries to senior management also allows an organization to showcase that it is treating the situation with a high level of priority.
- Avoid Waiving Legal Privilege. When communicating internally and externally about a data breach, it is important not to accidentally waive legal privilege relating to advice about the incident. For example, communications between a lawyer and client for the purposes of seeking or giving legal advice should not be conducted in the presence of individuals who are not involved in the lawyer and client relationship or summarized after the fact to third parties. The incident response plan should address the issue of legal privilege and any associated risks.
McMillan’s Privacy and Data Protection Team provides strategic advice to our clients in connection with data breaches involving sensitive personal and confidential information, including by implementing an effective communications strategy aimed at protecting both legal and reputational interests. Celebrate Data Privacy Week by reaching out to your McMillan Advisor to improve your organization’s data breach preparedness!