In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of sector-specific statutory obligations which may apply to them, for example in health or financial services industries.
In this post we discuss the operational advantages of a good privacy breach record-keeping program.
Risk management and mitigation
By now it is well understood by regulators that it is not a case of “if” but “when” an organization will suffer a privacy breach; external threats have increased exponentially since the onset of the pandemic, and no one is immune. In this environment, privacy breaches are known risks for every organization and businesses need to demonstrate that they are taking steps to mitigate that risk, in the same way they manage other risks to their operations. Risk assessments are much more reliable when breaches are tracked; organizations will understand the causes of past breaches and be able to take steps to remediate existing issues.
In a similar fashion, records of corrective measures and improvements brought to existing privacy compliance programs help demonstrate that an organization is committed to improving its practices and remaining at the forefront of industry standards with regard to privacy.
M&A and Securities law
Keeping records of privacy incidents is relevant in the M&A context, from both purchaser and vendor perspectives.
For a purchaser, records of privacy incidents provide valuable information about the vendor’s privacy governance structure. Indeed, if a vendor cannot provide such records, or provides records that are incomplete or inaccurate with regard to its legal obligations, this can indicate a general lack of compliance with legal requirements. A purchaser should carefully review any due diligence material pertaining to privacy and data, to identify and assess any additional privacy compliance issues that the vendor may have. Similarly, the existence of a strong breach record-keeping program may increase the purchaser’s trust and avoid discounts or negotiation concessions based on perceived privacy compliance risk. Furthermore, purchasers should consider the contents of the records. For example, if the records show multiple privacy incidents, or multiple incidents of the same type, this could be a sign of general deficiencies in the vendor’s privacy training or administration, which may require the purchaser to devote resources post-closing to correct these deficiencies.
From the vendor’s perspective, producing accurate and detailed records of privacy incidents during the due diligence review process can demonstrate a well-organized approach to regulatory compliance, which can build the purchaser’s confidence and reduce delay. Conversely, inadequate record-keeping may prompt the purchaser to review its position or demand additional representations and warranties, while missing records may also hinder the vendor’s ability to give representations regarding privacy incidents, therefore increasing its post-closing liability.
The increase in reporting requirements for public companies is another reason that businesses should track privacy breaches; managing and mitigating risk reduces the incidence of breaches over time, thus reducing the need to file reports with securities regulators.
Contractual Requirements and Evidentiary Purposes
Finally, organizations need to consider whether they may be otherwise required to keep a record of privacy incidents pursuant to contractual requirements. For example, organizations that process personal information on behalf of other entities pursuant to a data processing agreement (DPA) may be contractually required to keep a record of any incident involving the data they process under the DPA. Generally speaking, any organization that is party to agreements involving the transfer or processing of personal information should carefully review those agreements to ensure it can meet its record-keeping obligations.
Furthermore, there are cases in which regulators have, following privacy incidents, used records of past incidents and corrective steps taken as part of their analysis. For example, the Office of the Privacy Commissioner of Canada, in its investigations, has often reviewed changes implemented by an organization following a privacy incident to determine whether or not additional recommendations are required. Similarly, records of privacy incidents may be useful in a litigation defense, as evidence of what measures were implemented to mitigate risks. As class actions stemming from privacy incidents are increasingly frequent, businesses should ensure they have adequate means of proving the steps taken to reduce the harm to individuals that may be caused by the incident.
Maintaining proper records of privacy incidents will be increasingly important for Canadian organizations in coming years, especially considering recent legal changes exposing organizations to steep fines in cases of non-compliance. With ever-increasing occurrences of privacy incidents, it will be fundamental for organizations to be able to demonstrate what they experienced, and how they reacted.
The authors would like to thank Marilou Bouthiette, law student, for her help in preparing this blog post.