Civil Law and Data Breaches: Privacy, Security, and Liability

Civil Law and Data Breaches

Here’s an unsettling number: by the halfway point of 2023, 30 Canadian organizations had been successfully breached and had their data stolen. Given that so much of our data is shared with organizations worldwide, the fact that 41.9 million records were breached in March 2023 alone is troubling.

What right to privacy do you have? How should organizations be securing your data, and can you hold them accountable? Our civil lawyers explain.

Let’s Start With the Basics: What is a Data Breach?

Data is breached when unauthorized persons (usually cyber criminals) are able to access confidential information. This can be things like a business’s customer list, patient files stored by a clinic, or your files stored in the cloud.

Breaches can have serious consequences for those affected. Once cybercriminals gain access to your data, they can use it for financial gain, to harass you, or to cause reputational damage.

Canada Has Strong Privacy Legislation, Explain Civil Lawyers

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the principal law that sets out how private businesses must handle personal information. It provides guidelines on obtaining consent before using data, how data can be collected, and how data must be secured.

How Organizations Should Secure Your Digital Information

Under PIPEDA and provincial legislation, such as Ontario’s Personal Health Information Protection Act, businesses have a duty to implement reasonable safeguards for the data they hold. These can include encryption, routine data back-ups, ongoing employee training, and minimizing how many people can handle the data.

Data security isn’t a one-time activity either. Businesses must stay up to date with protection practices. To learn more about how a business must secure data, speak to our lawyers.

Liability in the Event of a Data Breach (and Why You Should Speak to a Civil Litigation Attorney)

When it comes to liability for data sharing and data breaches, the law isn’t always clear. For instance, the Federal Court of Canada ruled in favour of Meta’s (Facebook) practice of sharing users’ data with third parties. If you feel your data has been shared without permission, it’s advisable you speak to civil rights lawyers. Data protection laws can be complex, and they’ll be best placed to advise you on the next steps after understanding your concerns.

Here’s what an organization is required to do after a data breach:

1. Mandatory Breach Notification

Any organization subject to PIPEDA must report the breach to the Privacy Commissioner of Canada and the affected individuals. It doesn’t matter if one record is breached or one million; the data breach notification is mandatory. An organization may not report a breach if it doesn’t believe the breach creates a “real risk of significant harm” (RROSH).

Businesses, both large and small, have to comply with the breach notification requirement.

2. Monitoring and Mitigating the Impact of the Breach

The organization must monitor online activity to prevent misuse of the data. It must also take steps to mitigate the potential harms of the data falling into the hands of cybercriminals. These can include dark web monitoring and supporting affected users in securing their information.

Has Your Data Been Compromised? Speak to Civil Lawyers Immediately

If your data has been leaked, stolen, or accessed without authorization, don’t forget that you have rights. Organizations may be required to pay financial compensation in addition to offering services to mitigate the breach. Book a free consultation with our civil rights lawyers to discuss your case.