A couple of weeks ago, I participated in a timely and lively LexisNexis Canada webinar on “How to Handle a Data Breach Like a Pro.” The webinar is free and archived for you to view. For the past two Wednesdays, I’ve been posting Pro Tips from the webinar. Pro Tips #1 to #3 are posted here . Pro Tips #4 to #6 are posted here. Here’s the final set of Pro Tips.
Pro Tip #7
A Data Breach Pro won’t wait until the breach happens to allocate responsibility between the company and its data sharing partners, outsourcing partners and service providers.
In the webinar, we discussed the fact that the organization that is in “control” of personal information is responsible for complying with the breach record keeping and breach reporting and notification obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Remember that you do not need to have possession of the personal information to be in control of it. Also, there can be more than one organization in control.
This is important. In order to know that you have appropriate contractual provisions in place and have properly allocated responsibility with your data sharing partners, outsourcing partners and service providers, you need review those contracts and establish an inventory of personal information over which you have control. You then need to get buy-in from your data sharing partners, outsourcing partners and service providers about who is responsible for what, so that everyone is on the same page.
Pro Tip #8
Practice, learn, repeat.
A Pro doesn’t develop a policy and stick it in a binder or leave it aging out on a SharePoint site. It is important to practice a breach response in order to ensure that employees report suspected breaches and these breaches are investigated, and appropriate action is taken. Organizations that plan and practice end up spending less on a breach response when the breach occurs and likely suffer less internal organizational chaos.
Practicing a response doesn’t have to be an all-or-nothing exercise. Start small if you want. Begin with devising some realistic scenarios or pull the scenarios from the Alberta Privacy Commissioner’s breach orders. Run through scenarios to decide how you would apply your breach response protocol and evaluate the breach reporting and notification obligations. Mock up a breach report. Try your hand at developing the individual notice. This exercise will reveal a lot about your preparedness. It may also reveal where further education may be required to develop a privacy-aware organizational culture.
Pro Tip #9
When a breach happens, focus on the affected individual.
The temptation will be to focus on shareholders, directors, regulators and the press. But the focus of your breach response must be on the affected individual. All kinds of stakeholders will be clamouring for information and attention.
However, the affected individual is, well, the one who is affected. Your company probably spend enormous amounts of time and effort trying to connect and engage with your customers and employees. Yet, when the breach happens, there is a tendency for these affected individuals to become numbers.
Speak directly to the affected individuals in all of your communications. Remember that individuals will have individual reactions. It might have been “only” a name, address, email address and credit card number. However, to a person who has previously been a victim of identity theft or knows someone who has been and who had to spend many frustrating months (sometimes years) resolving issues, this can trigger a very strong reaction. Plan for how you will deal with individuals with their individual concerns. You might have to pick up the phone and call an especially concerned individual. A Pro will do that.
Pro Tip #10
The last Pro Tip is that you want to have some basic employee and public relations material drafted or advisors on hand to help. Too often, employees are left to speculate, and public statements hit the wrong note. Advance planning is especially important if you are a public company or likely to attract press attention.
Some organizations forget about their employees. When there is a breach, there are going to be a lot of confidential meetings and internal activity. Employees speculate. Some employees may start to talk to the outside. You will want to control the narrative internally and externally. A Pro plans for how employee and public relations will be handled and who will take the lead.
That’s all for the Pro Tips. Don’t forget to check out the webinar and check back next week for responses to questions we didn’t get to answer during the webinar plus more.