The technological changes in the way that companies collect, administer, store and maintain data have created an entirely new area of undefined risks. With constant developments in technology, it is apparent that these risks will continue to increase. Despite the proactive measures that companies may attempt to implement, these risks occur with greater frequency. Additionally, with the judicial recognition of a new cause of action based on the invasion of privacy, there is a significant potential to expand the ambit of third-party liability.[1] As such, it is imperative that businesses look at addressing the issue of cyber liability from a risk-based approach. This will allow companies to prioritize the most valuable assets and most relevant threats.

In prioritizing, companies must address how they will respond to possible intrusions and the timeframes in which they respond. To be able to effectively manage information security, companies must ensure that they have the right people with the right skills to address these issues. Information security involves multiple areas of the business, including people, processes, and technologies. Therefore, a company should give serious thought to hiring an expert to develop and monitor the company's information security and to provide guidance on the best approach to protect your company from falling victim to cyber liability.

A company may initially choose to select its directors or officers as the individuals most qualified to deal with cyber liability issues. However, given the number of factors that need to be considered on an ongoing basis, it will likely prove to be too overwhelming for a director or officer to handle independently. Further, in the event of a breach of privacy, any involvement of a director or officer will be scrutinized and this may result in a civil claim being launched against the director or officer in their personal capacity. For example, a director's failure to disclose a cyber-security risk or a director's over-confident reassurances regarding the state of the company's security practices in place may lead to personal liability against the director.

Further, the creation of the tort of intrusion upon seclusion in 2012 represents a potential expansion of third-party liability, as an employer may be found vicariously liable for the actions of its employees in respect of claims arising from the improper access of personal and financial information. Improper employee conduct could range from carelessly sent emails to the inadvertent disclosure of sensitive workplace information through a cellphone. These all-too-common risks highlight the need to have a specialized individual or group of individuals guiding the company in making decisions about how data and confidential information should be stored; how employees should be trained on using devices connected to the internet; and what pre-emptive measures need to be taken to protect the company against cyber liability in the event of a breach of the security system.

This specialized individual is referred to as a privacy professional, and their range of responsibilities includes ensuring regulatory compliance, reducing the risk of data breaches, and enhancing brand trust, loyalty, and customer expectations. Privacy professionals help to ensure that a company's sensitive information is protected by creating privacy policies, procedures, and governance for the company; facilitating privacy awareness and training; responding to incidents; conducting investigations; handling privacy-related communications; and acting as internal privacy-related legal counsel.[2]

Without the support of a privacy professional, a company may be left vulnerable to significant breaches of privacy, which in turn may result in devastating financial losses for the company. As such, pre-emptive measures should be taken by the company before it's too late, and this can be achieved simply by hiring a privacy professional to ensure that your company is protected.

 

[1] Jones v. Tsige, 2012 ONCA 32 [Jones].

[2] Ibid.

Lerners Insurance Defence Reference Library

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.