Page 34 - CCCA63_2008
make it public and air your dirty laundry, which you might not want to do.”

After that, the aggrieved consumer can go to the federal court and seek damages. “Nobody has done that yet that I’ve seen, but there have been a number of class action lawsuits filed in connection with breaches,” says Fraser.

As well, businesses that suffer privacy breaches risk losing credibility and market value. The CIBC faxing disaster is a cautionary tale and a useful example of the cascade of punishing consequences that can follow a breach, says Janina Kon, a privacy and access law specialist with Streamline Counsel Inc. in Vancouver and co-chair of the CBA-BC Freedom of Information and Privacy Law Section.

“Number one, there was a million-dollar lawsuit,” she says. “Secondly, it appeared on front-page news, so right there, you’ve got the amount of executive time that would have to go into dealing with the situation — it’s not just a legal issue, it’s a serious brand reputation and customer relations issue.

“If you calculate the cost of time, it’s huge,” she adds. “They would have had to have everyone from the CEO through the full executive line, and possibly the board of directors, involved. They did engage external expertise as well, not just legal expertise but crisis management experts.”

The privacy commissioner of Canada launched an investigation, adds Kon, so there were costs associated with staff time to respond to communications from the commissioner’s office. The company also paid to staff a call centre to respond to customer inquiries and had to train front-line staff in how to respond to the client questions that would inevitably surge in through bank branches.

“It’s a huge list,” Kon says, adding that companies can also suffer the loss of current customers, potential future customers, and even suppliers and business partners. “There are so many factors that you can’t really put a final price tag on it, but you can imagine that it’s in the millions.”

Lessons to be learned

There are valuable lessons to be learned from the companies that have already suffered high-profile privacy breaches. Foremost among them is: don’t underestimate clients’ desire to ensure their personal information is adequately protected. Today’s consumers can be swift to take their business elsewhere if they have reason to believe a company is taking a cavalier approach to the task.

For example, Bell has changed its practices since the Stoddart case. Customer service representatives are no longer supposed to speak to callers about detailed call records unless the customer has a bill in hand.

But that situation “really reinforced the struggle” to balance privacy concerns against the effective delivery of services, says Morin, who points out that consumers often forget that the company is also a victim when privacy is breached.

“You could say to customers, ‘Well, I won’t talk to you unless you have your bill or your account number,’” she explains. “But that means half of our customers will be told at least once that we don’t want to talk to them,” since they often call from work or their car. “And that’s not what we want to do.”

Who are you?

Duncan De Chastelain, vice-president and general counsel with GE Money in Mississauga, says one of the issues his company is most concerned about is identity theft, so he’s given some thought to what clients might expect in the event of a privacy breach.

“In a scenario where we would be concerned that any of our consumer information had been appropriated, we might take steps to close accounts and reissue them under new numbers,” he says. “We would think about notifying credit bureaus or consumer reporting agencies and having flags put on those accounts. We might also consider offering regular monitoring to customers.”

Also front and centre, says De Chastelain, is the need to address consumers’ natural concerns around how a breach happened and what the company is doing on an ongoing basis to hedge against that risk.

“I think the knee-jerk reaction is, ‘You in corporate Canada had a data breach, therefore you are doing something wrong,’” says De Chastelain. “And as we know, even from something as recent as the iPhone release, it’s a hacker’s joy to have an obstacle put up there, because they want to work around it. The next data breach is just the next circumvention of whatever particular IT or operational controls you put in place.”

De Chastelain says the best a company can do is explain clearly how a breach happened, what particular steps you’ve taken to deal with it, and why — from a policies and procedures point of view — you believe you can prevent it from recurring. “From a customer assurance standpoint, one of the ways you deal with [a breach] most effectively is by being as transparent as possible.”

Statutory directives

It’s not as if all of this is happening in the absence of privacy legislation. The Personal Information and Protection of Electronic Documents Act (PIPEDA) is a federal statute that sets out ten principles focusing on privacy and access rights in the private sector. All federally regulated companies have been under PIPEDA since 2001, says Kon, except those based in provinces that

“We know, even from something as recent as the iPhone release, it’s a hacker’s joy to have an obstacle put up there, because they want to work around it.”
Duncan De Chastelain, Vice-president and general counsel, GE Money, Mississauga

42 CCCA Canadian Corporate Counsel Association FALL 2008