Page 33 - CCCA63_2008
P. 33
CCCA_V2No3_BreachofTrust-FIN.qxd:CCCA_V1No1_DriversSeat-FIN.qxd 9/18/08 5:33 PM Page 41 Feature of Jennifer Stoddart, the privacy commissioner of Canada. The journalist hired an American data brokerage company called Locatecell.com to deliver months of records from Stoddart’s home and cottage accounts with Bell Canada, as well as a month of cellphone calls logged with Telus Mobility. A repre- sentative of Locatecell obtained the records by calling the phone companies and using pretexting. Pretexting can make life particularly difficult for companies like Bell, which struggle constantly to achieve the right balance between adequately protecting personal information and pro- viding effective and efficient customer service. “You should hear what these people [pretexters] sound like,” says Suzanne Morin, the assistant general counsel for regulato- ry law and policy at Bell Canada who handled the Stoddart phone records caper. “They’re very good. Very, very good.” Companies are well-advised to acquaint themselves with these and other potential breach causes, say experts, because they can be extremely expensive to fix—and with a company’s reputation on the line, the stakes are high. For example, in the Stoddart pretexting case, says Morin, “Bell spent thousands of dollars seeking a temporary and eventually a permanent injunction” against Locatecell and its directors. Growing costs Of course, the costs of privacy breaches aren’t limited to the expenses involved in seeking injunctions. Once a breach has taken place, an affected consumer can complain to the federal Janina Kon privacy commissioner, whose investigation can be a long and Privacy and Access Law Specialist Streamline Counsel Inc., Vancouver involved process that requires significant time and attention from in-house counsel. And, says Fraser, “the commissioner can Damage control Despite your company’s best efforts to prevent a privacy breach, one has happened anyway. Now what? According to David Fraser, a privacy lawyer Of course, managing a breach will be Finally, says Fraser, every company with McInnes Cooper in Halifax, a prudent easier if your company already has an should have a crisis list with contact company should assume that breach notifi- established plan for that. Fraser recom- information for the in-house lawyer, the IT cation legislation applies to them, and pro- mends having a “strong, robust and well- manager, internal security, and an exter- ceed accordingly. The key is transparency. communicated” protocol that can be rap- nal lawyer with legal skills in privacy. The “If the company shows a strong com- idly escalated to the right level — usually list should also contain the name of a pub- mitment to finding out what happened, get- to a privacy officer — in the event of lic relations or crisis management compa- ting to the bottom of it, taking all steps to a breach. ny with experience in damage control. mitigate any harm, I’ve seen increased The protocol should kick in with an “These names should be compiled ahead consumer trust in that company,” he says. immediate triage, says Fraser, so the com- of time, like having 911 stickers on your “If customers have the sense the company pany can assess the harm. “What kind of phone,” says Fraser. “You don’t want to is taking it seriously and being very forth- significant wounds need to be quickly have to Google for that information.” coming, that goes a long way towards addressed? And then they need to decide: Many more suggestions for handling ROBERT KARPA increasing trust that could otherwise be are they going to notify the consumers? privacy breaches are available from the lost. If it’s mishandled or not disclosed, that Office of the Privacy Commissioner of Are they going to notify law enforcement Canada (www.privcom.gc.ca). officials? How are they going to do that?” can destroy the relationship of trust.” AUTOMNE 2008 CCCA Canadian Corporate Counsel Association 41
