Main menu


Incident Aftermath – Business Considerations for Records Management

In previous publications, we discussed legal obligations and procedural considerations for maintaining records of privacy incidents. Although specific obligations vary by jurisdiction, maintaining some form of record tracking privacy incidents is a statutory obligation for private organizations subject to Quebec, Alberta, or federal law. Organizations should also be aware of sector-specific legal obligations that may apply to them, for example in the healthcare or financial services industries.

This post discusses the operational benefits of a good privacy breach record keeping program.

Risk management and mitigation

So far, regulators are well aware that organizations suffer privacy breaches when, not if. Since the outbreak of the pandemic, external threats have increased exponentially and no one is immune. In this environment, privacy breaches are a known risk to all organizations, and companies need to demonstrate that they are taking steps to mitigate that risk in the same way they manage other risks to their operations. there is. Risk assessments are much more reliable when breaches are tracked. Organizations can understand the causes of past breaches and take steps to remediate existing issues.

Similarly, a record of corrective actions and improvements made to existing privacy compliance programs can help demonstrate an organization’s commitment to improving its practices and staying at the forefront of industry standards when it comes to privacy. increase.

M&A and Securities Law

Maintaining a record of privacy incidents is relevant in the context of M&A, both from a buyer’s and vendor’s perspective.

For buyers, privacy incident records provide valuable information about the vendor’s privacy governance structure. Indeed, when a vendor fails to provide such records, or provides incomplete or inaccurate records with respect to legal obligations, this indicates a general lack of compliance with legal requirements. There is a possibility that Purchasers should carefully review Dew’s diligence materials relating to privacy and data to identify and assess any additional privacy compliance issues that the vendor may have. Similarly, the presence of a strong record keeping program may increase buyer confidence and avoid discounts or bargaining concessions based on perceived privacy compliance risks. In addition, the purchaser should consider the content of the records. For example, if the records show multiple privacy incidents, or multiple incidents of the same type, this may be an indication of general deficiencies in the vendor’s privacy training or controls, and the purchaser should not It may be necessary to spend resources after closing to fix flaws in .

From a vendor’s perspective, creating an accurate and detailed record of privacy incidents during the due diligence review process can demonstrate a well-organized approach to regulatory compliance, build trust and delay can be reduced. Conversely, improper recordkeeping may cause the purchaser to review its position or seek additional representations and warranties. On the other hand, lack of records can hamper the vendor’s ability to make representations regarding privacy incidents, thus increasing post-closure liability.

Increased reporting requirements for public companies is another reason companies need to track privacy breaches. Managing and mitigating risk reduces the incidence of breaches over time and reduces the need to file reports with securities regulators.

Contractual Requirements and Evidence Purposes

Finally, organizations should consider whether they need to keep records of privacy incidents according to contractual requirements. For example, an organization that processes personal information on behalf of another entity pursuant to a data processing agreement (DPA) may be contractually required to maintain a record of incidents involving data it processes pursuant to the DPA. Generally speaking, organizations that are parties to agreements involving the transfer or processing of personal information should carefully review those agreements to ensure that they are able to meet their record retention obligations.

Additionally, after a privacy incident, regulators may have used records of past incidents and remedial actions as part of their analysis. For example, the Canadian Privacy Commissioner’s office, in its research, frequently reviewed changes implemented by organizations following privacy incidents to determine whether additional recommendations were needed. Incident records can be useful in defending litigation as evidence of what steps have been taken to mitigate risk. Class action lawsuits resulting from privacy cases are becoming more and more frequent, ensuring that companies have adequate means of proving the steps taken to mitigate the harm to individuals that may be caused by the incident. need to do it.

Maintaining good records of privacy incidents will become increasingly important for Canadian organizations in the years to come. Being able to demonstrate what your organization has experienced and how it has responded in the face of an ever-increasing number of privacy incidents is the basis.

The authors would like to thank law student Marilou Bouthiette for helping prepare this blog post.