In recent years, a spate of high-profile privacy breaches has made it increasingly clear to consumers and regulators that businesses must take stronger precautions in safeguarding user data and protecting privacy rights. These incidents have become so common that for many companies, the question of whether they will fall victim to cybercrimes has become a matter of when, not if.
The consequences of a privacy breach may be drastic. Companies such as Equifax, Yahoo, and Target – which have all suffered data breaches involving more than 100 million customer accounts – have borne significant reputational costs. Given the importance of the collection and use of consumer data to many business models in the digital economy, these reputational harms usually translate into a long-term loss of business. Significant privacy breaches also tend to attract consumer class action lawsuits, and may result in a substantial decline in a company’s share price.
Companies faced with a privacy breach also have to face the growing ire of regulators, who have begun to move away from self-regulatory approaches and towards more robust oversight models. For example, under both the EU General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), companies faced with a privacy breach may now be required to report those incidents. Specifically, PIPEDA requires companies that have suffered a data breach resulting in a “real risk of significant harm” to report the incident to the Privacy Commissioner of Canada. Companies must additionally report such a breach to the affected individuals and to any third-party organizations or government institutions if doing so might mitigate the harm done to the affected individuals. Failure to notify is punishable by a fine of up to $100,000 per violation, and may also help ground a data breach class action.
In light of the myriad reputational, financial, and regulatory consequences that can flow from a privacy breach, companies must spend greater resources on safeguarding their customers’ data and on preparing response plans that help minimize the fallout of a breach. While the optimal approach will vary depending on the size and nature of the organization, there are a number of key strategies that companies should consider, including:
- strengthening ongoing employee training and education;
- acquiring cyber liability insurance;
- appointing a Chief Privacy Officer; and
- identifying external advisors that can help respond to a breach, such as public relations firms and specialist legal advisors.
Companies should view their investment in cyber security as an opportunity to distinguish themselves from the competition and not simply as a necessary cost of doing business. According to research conducted by PwC, consumers are increasingly losing faith in the ability of companies to handle their personal data responsibly.
The message is clear: consumers seek greater control over their data and want businesses to be more responsive and transparent. Businesses that convincingly address these concerns and empower their users will be rewarded with greater customer loyalty and are better positioned to retain their customers in the event they suffer a breach.
The author would like to thank Felix Moser-Boehm, articling student, for his assistance in writing this legal update.