Cybersecurity incidents are serious events that need to be addressed immediately. Our experience has shown that consumer and regulator notifications, fines, and insurance claims all need to be tackled as soon as possible. Below are general answers to frequently asked questions from businesses that have experienced a data breach.

1. Why should I hire a Breach Coach?

Hiring an experienced Breach Coach is imperative. As lawyers, Breach Coaches are able to guard your information with solicitor-client privilege. This adds an extra layer of protection to your communications and to the forensic reports prepared under the lawyer's direction, reducing the risk that you will have to hand them over to the authorities or to other lawyers who want to sue you.

2. Do I have to report that I have been hacked?

Generally, there are three reasons why your business should report a data incident. Firstly, because it is required by law. PIPEDA requires an organization to report a breach to the Privacy Commissioner and notify affected individuals as soon as feasible once it determines that the breach creates a real risk of significant harm (the RROSH test). Secondly, you may have contractual obligations to do so. Some contracts contain clauses that oblige your business to disclose any data incident to the other party. Thirdly, best business practice. Even if you are not required by law to disclose a data incident, you may want to tell your clients anyway, so that they can be vigilant about threats to their personal information. Some businesses go so far as to offer complimentary identity theft protection through third parties.

3. Could I face a fine?

Yes. PIPEDA and PHIPA both set out fines. For example, PHIPA provides for a fine of up to $500,000 against an organization or institution convicted of an offence under the Act in connection with a data breach.

4. What other resources should I consider?

There are many resources on the internet, but few are as good as the following two:
i) The Office of the Privacy Commissioner of Canada has easy to follow guidelines here.
ii) Equally, the Information and Privacy Commissioner of Ontario has helpful resources for individuals and organizations here.

5. Am I still at risk?

Unfortunately, the evidence suggests that businesses that have been hacked once are more likely to be attacked a second time. Fortunately, you can take measures to protect your business and reduce the likelihood of being hacked again.

6. Will my insurer cover my losses?

Maybe. It depends on the wording of your policy. Some policies offer cyber protection, but with a variety of exclusions which would effectively leave you unprotected.

Having an experienced Breach Coach offers you legal protection that cannot be obtained through consultants, accountants, or IT teams. Rapid intervention is key.

The first 24 hours following a data breach are probably the most critical for reducing potential damage, and protecting your brand.

Originally published 13 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.