For last month’s National Cybersecurity Awareness Month, the Government of Canada, in partnership with security organizations, launched a campaign to create awareness and inform the public on the importance of cybersecurity.
The Office of the Privacy Commissioner of Canada (OPC) estimates that in the last 12 months, approximately 28 million Canadians’ personal information was compromised. This included the breach of personal financial data with institutions like Desjardin and Capital One. These incidents serve as a reminder that even if data collection or a breach occurs domestically, cybersecurity has global implications as local data easily becomes cross-jurisdictional with a click of a link. Thus, breach of data can damage the institutions’ operations and reputation, and trigger significant legal and compliance issues. As such, individuals and companies should be aware of the provincial, federal, and international rules that govern them to better manage the legal risks of civil liability.
A data breach can impose civil liability in the event of a cyber intrusion if the party failed to implement safeguards and reasonable security measures. Section 7.2(1)(a) of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) indicates that personal information must be protected by security safeguards proportionate to the sensitivity of the information. PIPEDA states that these methods must include both physical, organizational, and technological measures to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. The organization must also prioritize cybersecurity by ensuring that appropriate data protection measures for the third-party vendors are developed and monitored and that their employee policies and training are sufficient to reduce the scope and frequency of breaches happening.
Another way civil liability might be imposed is when an entity fails to mitigate the damage once a breach has occurred. Section 10.1 (1) of PIPEDA requires organizations subject to PIPEDA to report any breaches of security safeguards involving personal information that pose “a real risk of significant harm” to the Privacy Commissioner, which is likely to result in an investigation. The companies also need to notify affected individuals about those breaches and keep records of all data breaches within the organization.
Additionally, the gravity of the breach can affect the outcome of an M&A process. It is standard practice for buyers to conduct due diligence for data breaches and draft merger agreements with legal protections to manage the risk involved with an M&A deal. One such protection that buyers might use is an adverse change clause, which gives buyers the option to exit a deal if an issue that poses long-term loss or risk arises. Moreover, buyers might lower their buying prices following the long-term risk. During the Yahoo acquisition by Verizon, Verizon lowered its initial offer by $350 million, in the wake of two massive cyber attacks that damaged Yahoo’s reputation.
Although prevention is better than intervention, it is unrealistic to expect businesses and individuals to fully protect themselves against sophisticated cyber security attacks. Thus, a cyber risk management approach should be prioritized in addition to prevention, such as blocking threats by using firewalls. In order to mitigate cyber risks, a carefully prepared cyber incident response plan should be put in place prior to the breach. This plan will allow companies to mitigate the legal risks by detecting the breach in a timely manner, analyzing the scope of the damage, containing the incident by using quarantines and checking any backdoors to reduce the risk of further compromising the data. Finally, the incident response plan should include communications guidelines, such as which legal authorities or third-parties to inform, as well as the PR and communications strategies to mitigate any reputational risk.
Moreover, before any cybersecurity incidents actually occur, companies should purchase cyber-liability insurances to mitigate economic losses, such as loss of income, loss of profits, costs for notifying the customers or monitoring the credit of affected customers for a period of time, legal liability of the third-parties, fines and penalties, and cyber extortion, such as ransomware.
Written by Elif Babaoglu, Contributing IPilogue Editor and JD Candidate at Osgoode Hall Law School. Elif is also the co-director of events at the Osgoode Privacy Law Society.