It is Day Four of Data Privacy Week, and today's topic is how your organization can manage legal, regulatory and reputational risks when developing public communications about data breaches involving personal information.

McMillan's Top 5 List of Strategies for Managing Legal, Regulatory and Reputational Risks When Communicating Publicly about Data Breaches

  1. Develop an Incident Response Plan. A readily deployable incident response plan with clear roles and responsibilities for incident investigation and communications, among other critical functions, will facilitate thoughtful and organized breach communications that inspire confidence that your organization is in control of the situation and is managing it effectively.
  2. Understand Your Statutory Requirements and Legal Risks. Canada has a complex legal and regulatory framework of privacy laws that include various public sector, private sector and industry specific laws that can apply directly or indirectly to your organization in certain circumstances. Many of these laws require the delivery of data breach communications to regulators and affected individuals in certain circumstances and, where applicable, include specific content requirements. Even where there are no statutory communication requirements, to reduce potential exposure to damages it may nonetheless become advisable in the circumstances to notify those affected about potential harms and steps that they can take to protect themselves. Breach communications should be carefully developed to address your organization's legal and regulatory requirements.
  3. Always Have Breach Communications Vetted by Legal Counsel. OK, this one is a bit of a shameless plug, but we're serious! In practice, breach communications are often delivered before a thorough investigation can be completed and, as such, it is possible that the initial description of an incident and its potential effects may paint a more dire picture of the organization than is warranted in the circumstances. While breach communications are often prepared with a level of compassion and empathy that is appropriate for the circumstances, care should be taken to avoid inviting unwarranted litigation risk by including statements that may incorrectly be construed as an admission of fault or wrongdoing. On the other hand, where it is known that there has been a failure of the organization's preventative safeguards (or a failure to implement sufficient safeguards), it is important that the communication not be misleading in any way. As such, it is critical to vet breach communications with legal counsel before they are finalized to ensure your organization maintains a stable litigation posture.
  4. Prepare Answers to FAQs and a Complaint Escalation Procedure. Proactively preparing thoughtful responses to the common questions that arrive immediately after a widely distributed breach communication gives an organization a meaningful opportunity to address individual concerns head on before they escalate into regulatory complaints or litigation. Quickly escalating appropriate inquiries to senior management also allows an organization to show that it is treating the situation as a high priority.
  5. Avoid Waiving Legal Privilege. When communicating internally and externally about a data breach, it is important not to inadvertently waive legal privilege over advice relating to the incident. For example, communications between a lawyer and client for the purpose of seeking or giving legal advice should not be conducted in the presence of individuals outside the lawyer-client relationship, nor summarized after the fact to third parties. The incident response plan should address the issue of legal privilege and any associated risks.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024