DATA BREACH AND PRIVACY LITIGATION AND ENFORCEMENT
CD: To what extent are lawmakers and regulators increasing their scrutiny of data leaks and privacy breaches involving companies?
Koller: Companies that experience a data breach are far more likely to be the target of a regulatory investigation than at any point in the past. Privacy and security have always been important, but many consumers did not realise the amount or depth of information being collected about them. In response to recent large and well-publicised data breaches, lawmakers and regulators alike are taking notice. Several states have amended their breach notification laws, expanding the types of information covered or including a requirement for affected companies to notify state attorneys general. On the regulatory side, clients are facing increased scrutiny, even when the breach affects a relatively small number of individuals. Once an investigation begins, regulators generally do not limit their scope of review to the immediate facts surrounding the breach, but rather assess a company’s entire compliance programme.
Cameron: Canada has recently witnessed significant legislative amendments and regulatory activity with respect to data breaches. For instance, the Digital Privacy Act has made a number of important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), including a mandatory requirement for organisations to give notice to affected individuals and to the Office of the Privacy Commissioner of Canada about data breaches in certain circumstances. It will also require organisations to keep records of all breaches. Once these provisions come into force, organisations will be required to notify individuals and report to the Commissioner all breaches where it is reasonable to believe that the breach creates a real risk of significant harm to the individual. “Significant harm” is defined as including, among other harms, humiliation, damage to reputation or relationships and identity theft. A “real risk” requires consideration of the sensitivity of the information, the probability of misuse and any other prescribed factors. Increased regulatory scrutiny has also emerged in the financial services and securities field, where regulators have actively issued guidance in recent months.
Apr-Jun 2017 issue
Fasken Martineau DuMoulin LLP
Good Harbor Security Risk Management, LLC