In our previous publication, we discussed the legal obligations and procedural considerations associated with keeping records of privacy incidents. While specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a legal obligation for private sector organizations subject to Quebec, Alberta or federal laws. Organizations should also be aware of sector-specific statutory obligations that may apply to them, for example in the healthcare or financial services industries.
In this post we discuss the operational advantages of a good privacy breach logging program.
Risk management and mitigation
It is now well understood by regulators that it is not a question of “if” but “when” an organization will suffer a privacy breach. External threats have grown exponentially since the start of the pandemic, and no one is immune. In this environment, privacy breaches are recognized risks for any organization, and businesses must demonstrate that they are taking steps to mitigate that risk in the same way they manage other risks to their operations. Risk assessments are much more reliable when breaches are tracked: an organization that understands the causes of past incidents is able to take steps to fix existing issues.
Similarly, data on remedial actions and improvements made to existing privacy compliance programs helps demonstrate an organization’s commitment to improving its practices and staying at the forefront of industry privacy standards.
M&A and Securities Law
Keeping records of privacy incidents is important in the context of M&A, both from the perspective of the buyer and the seller.
For a buyer, privacy incident data provides valuable information about the seller’s privacy governance structure. Indeed, if a seller cannot provide such data, or provides incomplete or inaccurate data regarding its legal obligations, this may indicate a general lack of compliance with legal requirements. A buyer should carefully review any privacy and data due diligence materials to identify and evaluate any additional privacy compliance issues the seller may have. Similarly, a robust breach log-keeping program can increase buyer confidence and avoid negotiation discounts or concessions based on perceived privacy risk. Additionally, buyers should consider the content of the data. For example, if the data shows multiple privacy incidents, or multiple incidents of the same type, this may be a sign of general deficiencies in the seller’s privacy training or administration, which may require the buyer to commit post-closing resources to correcting these deficiencies.
From the seller’s perspective, producing accurate and detailed privacy incident data during the due diligence review process can demonstrate a well-organized approach to regulatory compliance, which can build buyer confidence and reduce delay. Conversely, insufficient record keeping may cause the buyer to reconsider its position or seek additional representations and warranties, while missing records may also impede the seller’s ability to make representations regarding privacy incidents, thus increasing its liability after closing.
Increased reporting requirements for public companies are another reason businesses need to track privacy breaches: risk management and mitigation reduce the incidence of breaches over time, thereby reducing the need to file reports with securities regulators.
Contractual requirements and evidentiary purposes
Finally, organizations should consider whether they may otherwise be required to maintain a log of privacy incidents in accordance with contractual requirements. For example, organizations that process personal information on behalf of other entities pursuant to a data processing agreement (DPA) may be contractually required to keep a record of any incident involving the data they process under that DPA. In general, any organization that is party to agreements involving the transfer or processing of personal information should carefully review those agreements to ensure it can meet its data retention obligations.
Additionally, there are cases in which regulators, following privacy incidents, have used data from past incidents and the remedial steps taken as part of their analysis. For example, the Office of the Privacy Commissioner of Canada, in its investigations, has often reviewed the changes implemented by an organization following a privacy incident to determine whether or not additional recommendations are required. Similarly, privacy incident data can be useful in a legal defense as evidence of the measures that have been implemented to mitigate risks. As class actions arising from privacy incidents are increasingly common, businesses must ensure that they have adequate means of proving the steps taken to reduce the harm to individuals that may be caused by an incident.
Keeping proper records of privacy incidents will be increasingly important for Canadian organizations in the coming years, especially considering recent legal changes that expose organizations to large fines in cases of non-compliance. With the ever-increasing occurrences of privacy incidents, it will be essential for organizations to be able to demonstrate what they experienced and how they responded.
The authors would like to thank Marilou Bouthiette, law student, for her assistance in preparing this blog post.