In our previous post, we discussed the legal obligations and procedural considerations surrounding keeping records of privacy incidents. While specific obligations vary by jurisdiction, maintaining some form of record that tracks privacy incidents is a legal requirement for private sector organizations subject to Quebec, Alberta or federal laws. Organizations should also be aware of sector-specific statutory obligations that may apply to them, for example in the healthcare or financial services sectors.
In this article, we discuss the operational benefits of a good privacy breach record-keeping program.
Risk management and mitigation
By now, it is well understood by regulators that it is not a question of “if” but “when” an organization will experience a privacy breach; external threats have increased exponentially since the start of the pandemic, and no one is immune. In this environment, privacy breaches are a known risk to every organization and companies must demonstrate that they are taking steps to mitigate this risk, in the same way that they manage other risks to their operations. Risk assessments are much more reliable when violations are tracked; organizations will understand the causes of past violations and be able to take steps to address existing issues.
Similarly, records of corrective actions and improvements to existing privacy compliance programs help demonstrate that an organization is committed to improving its practices and staying at the forefront of industry standards. confidentiality.
Mergers & Acquisitions and Securities Law
Keeping records of privacy incidents is relevant in the context of mergers and acquisitions, from both the perspective of the buyer and the seller.
For a buyer, privacy incident records provide valuable insight into the vendor’s privacy governance structure. Indeed, if a supplier cannot provide such records, or provides incomplete or inaccurate records with respect to legal requirements, this may indicate a general lack of compliance with legal requirements. A buyer should carefully review any privacy and data due diligence documentation to identify and assess any additional privacy compliance issues the seller may have. Likewise, having a strong breach logging program can increase buyer confidence and avoid negotiation discounts or concessions based on perceived privacy risk. Additionally, buyers should consider the content of the recordings. For example, if records show multiple privacy incidents, or multiple incidents of the same type, this could be a sign of general deficiencies in the vendor’s privacy training or administration, which may require the buyer to spend post-closing resources to correct these shortcomings. .
From a supplier’s perspective, producing accurate and detailed records of privacy incidents during the due diligence review process can demonstrate a well-organized approach to regulatory compliance, which can build buyer confidence. and reduce delays. Conversely, inadequate record keeping may cause the buyer to reconsider its position or require additional representations and warranties, while missing records may also hamper the seller’s ability to make representations regarding privacy incidents. , thereby increasing its liability after closing.
Increased reporting requirements for public companies is another reason companies should track privacy breaches; risk management and mitigation reduces the incidence of breaches over time, thereby reducing the need to file reports with securities regulators.
Contractual requirements and proof purposes
Finally, organizations should consider whether they might otherwise be required to maintain a privacy incident log as per contractual requirements. For example, organizations that process personal information on behalf of other entities pursuant to a data processing agreement (DPA) may be contractually required to maintain a record of any incident involving the data they process pursuant to the DPA. Generally, any organization that is party to agreements involving the transfer or processing of personal information should carefully review those agreements to ensure that it can meet its record-keeping obligations.
In addition, there are instances where regulators have, following privacy incidents, used records of past incidents and corrective actions taken as part of their analysis. For example, the Office of the Privacy Commissioner of Canada, in its investigations, has often reviewed the changes implemented by an organization following a privacy incident to determine if additional recommendations are needed. or not. Similarly, records of privacy incidents can be useful in a defense against litigation, as evidence of the measures implemented to mitigate the risks. As class action lawsuits stemming from privacy-related incidents are becoming more common, companies need to ensure they have adequate means to prove the steps taken to reduce the harm to people that may be caused by the incident.
Keeping proper records of privacy incidents will be increasingly important for Canadian organizations in the years to come, especially given recent legal changes exposing organizations to steep fines for non-compliance. With the constant increase in the occurrences of privacy-related incidents, it will be fundamental for organizations to be able to demonstrate what they have experienced and how they have reacted.
The authors would like to thank Marilou Bouthiette, law student, for her help in preparing this blog post.