Lexpert US Guides

Litigation 2015

The Lexpert Guides to the Leading US/Canada Cross-Border Corporate and Litigation Lawyers in Canada profiles leading business lawyers and features articles for attorneys and in-house counsel in the US about business law issues in Canada.

Issue link: https://digital.carswellmedia.com/i/597942


34 | LEXPERT • December 2015 | www.lexpert.ca

CYBERCRIME

The New York Times (August 5, 2014) reported that the data breach suffered by Target cost the company $148 million. Home Depot's quarterly SEC filing indicated that it incurred $43 million in data-breach-related expenses in the third quarter of 2014 alone. According to a report issued by IBM and the Ponemon Institute in May 2014, the average cost of a data breach for the companies it surveyed across all sectors of the economy was $3.5 million. And a study published in 2014 by McAfee (Net Losses: Estimating the Global Cost of Cybercrime) estimated the total cost of cybercrime to the global economy at more than $400 billion.

In addition to the direct economic cost of an intrusion, data breaches usually have serious reputational consequences for the breached entity. For example, intrusions can have a negative impact on how the company is viewed by consumers and investors alike. Data breaches erode consumer trust and investor confidence. The recent hacking of the Ashley Madison website is a graphic, if not unique, example of the way a data breach can call into question the long-term viability of an online company's business model.

In some instances, data breaches have led to the loss of shareholder value. For example, Heartland Payment Systems, one of the largest processors of credit card transactions in the United States, suffered a data breach in 2008 that resulted in the exposure of account data linked to over 100 million credit cards issued by more than 650 financial service companies. That intrusion is reported to have cost the company almost $40 million. Worse still, following the announcement of the breach, Heartland's stock price plummeted 77.6 percent.

Data breaches have also spawned class-action litigation on both sides of the 49th parallel, involving, among others, Sony Corporation, Home Depot and Target.
Forty-four lawsuits were commenced against Home Depot in Canada and the United States.

Jurisdictional considerations have placed some restrictions on class-action plaintiffs regarding their ability to file suit in a cross-border breach context. A class action commenced against Target before the Superior Court of Québec was dismissed on March 23, 2015, on the grounds that the court did not have jurisdiction over Target. In coming to this decision, the court noted that by the plaintiff's own admission, the breach occurred in the United States and affected only persons who shopped there. In fact, it was for this reason that Target's Canadian subsidiary – which had in the interim ceased its operations and sought creditor protection under the Companies' Creditors Arrangement Act – was not named as a defendant in the Québec proceedings.

Technology has turned the world into a highly connected place. In many ways, the Internet has dissolved the traditional boundaries of cross-border commerce. The Internet – and especially the e-commerce phenomenon – has given even the smallest of businesses a global reach. Although the benefit of electronic-based business is undoubted, companies carrying on business (in whole or in part) through the Internet should adopt policies for dealing with data breaches, including notifying potential users and regulatory authorities. These policies must take into account that an intrusion may require the organization to comply with many extraterritorial regulatory schemes dealing with data-breach notification.

Many European countries, and an increasing number of jurisdictions in the United States, require businesses and other organizations to report the unauthorized accessing of personal or financial information to the authorities.
In Canada, legislation at the federal level (the Personal Information Protection and Electronic Documents Act, or PIPEDA) and some provincial jurisdictions establish obligations regarding the collection, use, disclosure and handling of personal information. For now, however, there are few mandatory reporting requirements in Canada following a data breach.

On June 18, 2015, the Digital Privacy Act (the Act) came into effect in Canada. It amended PIPEDA by introducing significant amendments to the private-sector privacy regime. The amendments include mandatory data-breach notification rules. However, those rules will only come into force once regulations are complete.

Once in effect, the mandatory notification rules introduced by the Act will require an organization to report a data breach to the Privacy Commissioner if the organization reasonably believes that the intrusion creates "a real risk of significant harm to an individual." The assessment of what constitutes a real risk of significant harm will be based on a number of factors, including the sensitivity of the information compromised and the probability that the information in question has been, is being or will be misused. "Significant harm" is broadly defined and includes bodily harm; damage to reputation or relationships; humiliation; loss of employment; financial loss such as the impact on a person's credit record; identity theft; and damage to or loss of property.

In these cases, the breached entity must do the following:

• Report the breach to the Privacy Commissioner as soon as feasible.
• Notify the individuals affected (unless prohibited by law from doing so). Such notification must be conspicuous and must, if possible, be given directly to the individuals affected.
"Although the benefit of electronic-based business is undoubted, companies carrying on business through the Internet should adopt policies for dealing with data breaches, including notifying potential users and regulatory authorities."
