Lexpert Magazine

June 2018

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/990152


68 LEXPERT MAGAZINE | JUNE 2018 | TECHNOLOGY | COLUMNS | George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.

affected individual data subjects; the measures those individuals can take to reduce the likelihood of harm befalling them; the co-ordinates (email address, 1-800 number, etc.) at which affected individuals can contact you for additional guidance and information about the breach event; and the ability of the individual to bring a complaint about your organization to the OPC under PIPEDA.

The nature and quality of this notice to affected individuals should allow them to comprehend the importance of the security breach and to help them diminish the likelihood of harm befalling them.

KEEPING RECORDS

The new rules on data breach notification require you to keep records of each breach, including those that do not trigger the notifications discussed above. This record-keeping obligation is not a trivial responsibility. The information that you keep must allow the OPC to confirm that you have done everything you were supposed to do under the breach notification rules; that is, the OPC must be assured, from the paper and electronic trail you keep, that you notified the OPC and relevant individuals as required. While seemingly a simple task, that is quite challenging in the real world. And finally, you must keep these records for 24 months from the date you discovered the data breach.

As you navigate through the new record-keeping requirements, you should remain mindful of privilege issues related to the data breach. It is important, therefore, how you structure your relationship with your outside legal counsel, as well as how the non-legal managers in your organization conduct their communications with your in-house legal colleagues. Just because you have a new statutory record-keeping obligation doesn't mean you should be waiving privilege where it is appropriate to maintain it.

AN UP-TO-DATE DATA BREACH POLICY

Once you have reviewed the issues discussed above and determined what needs to be done in your organization under the new data breach notification rules, it is important that you update your written data breach policy accordingly. If you don't yet have a formal, written policy, now is the best time to prepare one, given that the firm date for compliance, November 1, 2018, is fast approaching.

There are a number of important items that should be covered by the policy. It should be clear, for example, who is on the data breach response team. And your relevant insurance policy may well provide that you may use only an external law firm pre-approved by the insurance company; this is the sort of matter you want prepared and ready to go, because when the data breach occurs, time will certainly be of the essence.

Moreover, don't forget to test your data breach plan; if you haven't tested it in six months, assume you don't really have a plan. I can't emphasize enough how important it is that your organization test the data breach plan in advance; ideally the test will take place on an early weekend morning, when you and your response team least expect it. Computer hackers have a nasty habit of operating at all hours, and not simply when it's most convenient for you. As well, your test conditions should be as realistic as possible; you'll want to simulate a "real world" set of conditions, including the very tight timelines of the new data breach reporting obligations. Remember, practice alone does not make perfect, but rather, "perfect practice makes perfect."

CYBER RISK INSURANCE REVIEW

While you are considering what updates and fine-tuning you need to make to your data breach policy, you should also review your organization's insurance coverage from the perspective of the specific threats posed to you by data breaches and industry-standard data security. This is generally called assessing "cyber risk."

And if your organization does not have a cyber-risk insurance policy, now is certainly the time to consider your options. The insurance market has made great strides in the past half-dozen years in bringing to market various offerings in this space. And while you should be careful not to be over-insured, it certainly is a bad idea to be under-insured.

It is important, in this regard, to understand thoroughly your first-party liability: that is, what costs, expenses and damages could come to roost on your shoulders. But you also need to comprehend the third-party liability issues as well, i.e., what damages would impact your customers, or partners in your supply chain, if you were compromised.

Essentially, if you acquired a cyber-risk policy several years ago, now is an optimal time to review that coverage with your insurance broker. Just in the last couple of years some new products have come to market, and at different price points than previously. Particularly if you are in the midst of updating your data breach policy, you will be in a good position to understand your up-to-date risk profile, and to articulate what changes make sense to your cyber-risk insurance coverage.
