One of the big questions, though, is when to tell clients about the breach. It remains a controversial issue.

There are two schools of thought. Advocates of breach notification say victims have a right to know so they can take action to safeguard their information from further harm. On the other hand, there are questions whether notification could lead to more harm, for example, if a message is left on an answering machine and others hear it, making matters worse.
“It’s absolutely critical, not only to have a plan in place, but that it’s actually been tested by the people involved. Because when you come to a crisis situation it’s crucial for people to understand what needs to be done and how to perform the duties they’ve been assigned.

“You’re in crisis mode. You’re scrambling and you need to have something to refer to that lets you know what steps you need to take to manage a particular crisis.”
Catherine Beagan Flood, a partner in the Toronto office of the law firm Blakes, said while there is no legislation outside Ontario’s Personal Health Information Protection Act governing when people should be told that their information has been breached, company executives should consider that a court may find them negligent if they don’t disclose an intrusion to clients.
“If someone were to bring litigation relating to an identity theft, one of the things that the court would consider is what steps the company could and potentially should have taken to prevent the harm to the individual who has been the subject of the identity theft.”
Nicholas Cheung, principal, guidance and support at CICA and also a co-author of the agency’s Canadian Privacy and Data Security Toolkit, said Ontario’s Personal Health Information Protection Act is the only legislation in Canada to require breach notification.
fore such a computer breach occurs.
“You’re dealing with people’s personal information and it’s very important to them and time is of the essence,” he said. “You need to execute right away and make the right decisions.”
The plan must set out exactly what to do when a breach is discovered and how to deal with the fallout, Cheung said, but it’s equally important that companies and organizations educate employees and conduct testing of the plan to make sure it works.
Companies could be deemed to be negligent, particularly if there is a significant risk of identity theft, said Beagan Flood, who has spoken on the subject of privacy legislation and previously taught a course on privacy and freedom of information at Osgoode Hall Law School in Toronto.
“Even though there’s no binding legislation,” Beagan Flood said, “it may protect the company legally to notify individuals and to give them advice or assist them in taking steps to protect themselves against any financial harm that could occur due to the theft of data.”
Warren of Net-Patrol said many companies are simply unprepared for a cyberattack and they just don’t want the public to know that their personal information is not adequately protected because it would reflect negatively on the business.

Part of the problem, he said, is that the response plans of many companies and organizations are audited by the same people each year.
“It’s kind of like me performing the same audit checks on the same company.