Over the past decade, the number of privacy class actions has increased dramatically. This is because privacy breaches often affect a vast number of individuals who have suffered only a modicum of damages. With the coming into force of new obligatory notification regimes, such as that under the Personal Information Protection and Electronic Documents Act as of Nov. 1, this tendency is not going to subside any time soon.
A class action can entail substantial costs, including defence fees and negative publicity, not to mention the cost of settlement or court-ordered compensation. So, what can organizations do to minimize these risks?
The way an organization reacts to a privacy breach can determine its consequences and the likelihood of a class action ensuing. A well-thought-out incident response plan (IRP) is an indispensable tool in such circumstances. An IRP should include the following five steps.
Identification and preliminary assessment
Under the direction of the incident response team, the first step is to identify, as far as possible, the kind of information involved, the nature of the incident, whether the incident is ongoing or occurred in the past, and the cause of the incident. This preliminary assessment will indicate the nature of the subsequent actions necessary to minimize the negative effects.
Initial response and containment
Measures should be taken immediately to contain the effects of the incident and prevent the loss of additional information or any other negative impact on the organization or third parties. The nature of these measures will depend on the type of breach that occurred. For example, the reaction to a cyberattack using ransomware will not be the same as that of an email erroneously sent by a distracted employee.
Investigation
Once the incident has been identified and contained, a more in-depth investigation is called for, in order to determine the type of information involved, as well as:
• the persons affected by the incident;
• whether the information has been lost, stolen, etc.;
• whether the information can be recovered or not;
• who has accessed the information (in order to be able to take steps to mitigate the risk of the information being more widely distributed);
• the cause of the incident (in order to determine if security measures can be implemented immediately).
Notification
Certain legislation, such as Alberta’s Personal Information Protection Act, and as of Nov. 1, PIPEDA, provides for mandatory notification of privacy breaches to the privacy commissioner and/or the individuals concerned. There could also be contractual obligations to notify in the event of a breach. But even if not mandated by a statute or contract, notification may be desirable in order to allow affected individuals to mitigate their damages; for example, by taking steps to prevent identity theft.
Under certain circumstances, affected organizations should offer assistance to individuals whose information has been compromised (such as free credit monitoring). If a class action ensues, the organization’s reaction to the incident will be closely scrutinized, and if appropriate measures have been taken, this will allow it to significantly reduce its exposure.
Communications and record-keeping
A communications plan should be drawn up in order to limit the negative effects of the incident, particularly on the organization’s reputation. Any communication should be carefully thought out, in order to ensure that (1) appropriate language is used, so as to minimize risks in the event of litigation; (2) sufficient information about the incident is provided; and (3) privileged information is not disclosed.
Finally, the execution of all steps of the IRP should be recorded — while ensuring that privilege and evidence are preserved — as such information could prove to be useful in defending against a class action.
While organizations have little control over developments in the law, they can compensate by adopting measures aimed at obviating the risk of privacy breaches and limiting the damages.
Caroline Deschênes is a partner at Langlois lawyers LLP.