In the electronic age, corporate reputations and even balance sheets can take a big hit from a few keystrokes — all with little fault on the part of the company that takes the hit.
The Sony hacking scandal is just the most recent example that underscore the point. Ontario has even recognized a new privacy tort of intrusion upon seclusion that’s being used to seek judgments against organizations whose human-resources or customer data is misappropriated, misused or simply misplaced.
Where companies are being sued after their data somehow escapes containment, Gowling Lafleur Henderson LLP partner Wendy Wagner says a qualified-privilege defence may be valid, provided there’s no evidence of malice. This might apply, for example, if employees are exchanging frank e-mail comment on the qualifications of a potential vendor company.
The more typical case involves the loss or theft of health-care, human-resources or credit records. In these cases, Gowlings libel litigator Richard Dearden says “the No. 1 rule is, don’t try to cover up.. ... You’ve got to try to resolve it.” And the best first step may be a simple apology, he says.
Wagner adds that there may be legal obligations to disclose a privacy breach and that advance planning for such an event is absolutely indispensable. “You’re not going to be able to react in a sufficient way when it’s happening,” she warns.
John Ratchford, principal and general counsel with Toronto-based Navigator Communications, advises quick disclosure of a data breach, even if the full extent of the problem has not yet been defined. “If you don’t move quickly, the delay will later seem like it was deception,” he says. Otherwise, the company may lose the benefit of the doubt that people naturally grant to victims of a crisis.
He notes that some jurisdictions now have “apologies” legislation that allows companies to take responsibility in crises without the danger of such statements being entered into evidence in a civil suit.
While most large corporations have trained media-relations professionals who are able to take the heat in a crisis, Ratchford says it’s also a good idea to train a senior executive, ideally the CEO, in order to demonstrate that the problem is taken seriously and being addressed at the highest levels of the organization.