
Happy Data Privacy Week, Canada! 4th Edition

Jan 25, 2024 Publications 3 minute read

It is Day Four of Data Privacy Week, and today's topic is the important ways your organization can manage legal, regulatory and reputational risks when developing public communications about data breaches involving personal information.

McMillan’s Top 5 List of Strategies for Managing Legal, Regulatory and Reputational Risks When Communicating Publicly about Data Breaches

  1. Develop an Incident Response Plan. A readily deployable incident response plan with clear roles and responsibilities for incident investigation and communications, among other critical functions, will facilitate thoughtful and organized breach communications that will inspire confidence that your organization is in control of the situation and is managing it effectively.
  2. Understand Your Statutory Requirements and Legal Risks. Canada has a complex legal and regulatory framework of privacy laws that include various public sector, private sector and industry specific laws that can apply directly or indirectly to your organization in certain circumstances. Many of these laws require the delivery of data breach communications to regulators and affected individuals in certain circumstances and, where applicable, include specific content requirements. Even where there are no statutory communication requirements, to reduce potential exposure to damages it may nonetheless become advisable in the circumstances to notify those affected about potential harms and steps that they can take to protect themselves. Breach communications should be carefully developed to address your organization’s legal and regulatory requirements.
  3. Always Have Breach Communications Vetted by Legal Counsel. OK, this one is a bit of a shameless plug, but we’re serious! In practice, breach communications are often delivered before a thorough investigation can be completed and, as such, it is possible that the initial description of an incident and its potential effects may paint a more dire picture of the organization than is warranted in the circumstances. While breach communications are often prepared with a level of compassion and empathy that is appropriate for the circumstances, care should be taken to avoid inviting unwarranted litigation risk by including statements that may incorrectly be construed as an admission of fault or wrongdoing. On the other hand, where it is known that there has been a failure of the organization’s preventative safeguards (or a failure to implement sufficient safeguards), it is important that the communication not be misleading in any way. As such, it is critical to vet breach communications with legal counsel before they are finalized to ensure your organization maintains a stable litigation posture.
  4. Prepare Answers to FAQs and a Complaint Escalation Procedure. Proactively preparing thoughtful responses to the common questions that arise immediately after a widely distributed breach communication gives an organization a meaningful opportunity to address individual concerns head on before they escalate into regulatory complaints or litigation. Quickly escalating appropriate inquiries to senior management also allows an organization to show that it is treating the situation as a high priority.
  5. Avoid Waiving Legal Privilege. When communicating internally and externally about a data breach, it is important not to accidentally waive legal privilege relating to advice about the incident. For example, communications between a lawyer and client for the purposes of seeking or giving legal advice should not be conducted in the presence of individuals who are not involved in the lawyer and client relationship or summarized after the fact to third parties. The incident response plan should address the issue of legal privilege and any associated risks.

McMillan’s Privacy and Data Protection Team provides strategic advice to our clients in connection with data breaches involving sensitive personal and confidential information, including by implementing an effective communications strategy aimed at protecting both legal and reputational interests. Celebrate Data Privacy Week by reaching out to your McMillan Advisor to improve your organization’s data breach preparedness!
