Your client calls in a panic, saying she noticed suspicious activity when using her computer, and fears her company may have suffered a data breach. What should she do immediately?
Catherine Beagan Flood, Partner at Blakes, Toronto
If she works for a large company, hopefully she has an incident response team, which should include senior leaders from her legal, communications, HR and IT departments, explains Catherine Beagan Flood, partner at Blakes in Toronto. These leaders should follow steps in the company’s incident response plan, which include notifying employees not to use their computers and changing passwords after the threat has lifted.
If the client doesn’t have a team or plan in place, Beagan Flood recommends setting one up to protect against breaches, as well as blocking specific websites of countries where she doesn’t do business. “Train employees about the risks of malware, because one of the biggest risks is employees clicking on an attachment or a link,” she says.
Next, if there’s reason to suspect a serious breach, engage external counsel, including legal, cyber security and public relations experts. Legal can help in “mitigating litigation and regulatory risks, and ensuring evidence is secured properly.” A cyber expert would contain and investigate a breach while public relations would respond to questions from the media and issue public statements.
Starting Nov. 1, the Personal Information Protection and Electronic Documents Act will require all private sector companies to report data breaches to Canada’s privacy commissioner, and to notify affected individuals, notes Beagan Flood. Currently Alberta is the only province with mandatory requirements.
Finally, the client should “consider her cyber insurance coverage, if she has it, because there may be a duty to give notice of any potential claim.”