The Ratchford Files: Getting in Front of Data Breach Issues

Canadian consumers are worried about data breaches, Navigator’s survey reveals, and they believe it’s time for government to act

A problem that began in the arcane world of online gaming back in 2011 has become one of the most challenging corporate issues of 2015.
In April 2011, hackers accessed the names, addresses and credit card data of 77 million users of the Sony PlayStation Network. Suddenly, the public became aware of the consequences of data breaches. Initially, Sony offered an apology and some free games to those affected. It ended up settling an international class action suit for about $20 million.
Most experts agree that the PlayStation breach was relatively minor in the context of what has happened since.
The protection of personal information has quickly emerged as one of the most complex legal issues and top-of-mind crises that companies face, whether the threat is hackers or human error. The situation is exacerbated by the multinational networks of partners, suppliers, vendors, customers and employees who have direct and indirect access to that information.
Under current privacy law, those collecting personal data are prohibited from distributing it without obtaining prior consent. The number and the scale of data breaches, however, may portend a shift towards much more explicit obligations to keep such data secure, and penalties for failing to do so.
Already, the pressure on governments to take action is on the rise and legislation is before Parliament in the form of Bill S-4, the Digital Privacy Act.
Navigator’s proprietary research (see previous article) indicates a growing intolerance for the status quo. An overwhelming number of Canadians indicate that much tougher laws and regulations are required to better protect consumers. Almost as many believe that data breaches will not be effectively dealt with until government and regulators impose much stricter policies and practices.
In the near term, it is reasonable to conclude that the political traction of this issue is likely to have a material impact on the purview of corporate general counsel.
It is the GC’s role to identify laws that apply to their employers’ operations and to ensure there is a rigorous compliance process in place. That means increased focus on internal information technology systems, as well as those of an array of business partners.

In the near term it is reasonable to conclude that the political traction of this issue is likely to have a material impact on the purview of corporate general counsel.

The search for compliance gaps will be increasingly difficult, given the global nature of information acquisition, use and storage. For example, Canada’s anti-spam laws place restrictions on Canadian companies but do not affect those who conduct business outside the country.
Another consideration is how the rules in key jurisdictions affect practices beyond their scope. In the case of the U.S. Sarbanes-Oxley Act of 2002 (also known as the Public Accounting Reform and Investor Protection Act and the Corporate and Auditing Accountability and Responsibility Act), new reporting requirements in the U.S. reverberated globally.
However these emerging trends play out, one thing is already certain: For companies of all sizes, there is an urgent need to plan for data breach crises and their steep reputational — and financial — costs in competitive markets. The widespread public expectation that business leaders will be fully prepared to contend with data breaches and their consequences is already well entrenched, according to Navigator’s research.
Of course, successfully managing those expectations is just one part of the data breach challenge.

John Ratchford is a Principal and General Counsel at Navigator. He has been a practising lawyer for over 19 years.