Harrison Pensa LLP

14 January, 2021

Practice candour when facing security breach

Businesses that suffer a privacy breach may be required to report it to the Privacy Commissioner and to notify anyone whose information was compromised, depending on criteria set out in the Personal Information Protection and Electronic Documents Act (PIPEDA) and other privacy statutes. Under PIPEDA the notification threshold is a "real risk of significant harm", usually abbreviated RROSH. PIPEDA also requires businesses to keep a record of every breach of security safeguards involving personal information, even where the RROSH threshold has not been met.

But if there is a security breach where a legal threshold to notify is not met, the business shouldn’t stop there. The next question is whether the nature of the breach is something that could become public, and whether the business would be better off disclosing the breach before the public hears it from someone else.

Break the news before someone else does

Having a breach is bad enough – but having customers hear about it from someone else makes it worse. If they hear it in the press or social media first, many people will jump to the conclusion that the business is trying to hide something and is being less than honest. Anything you say about it after will be viewed with suspicion.

Each situation is different. If, for example, there was a security incident but the business is confident nothing was compromised, it may decide to say nothing. If that got out, it would be easy to justify not announcing it on the basis that no one’s information was compromised.

Be timely and transparent

A privacy breach will demand time and attention from the business on many fronts, including IT, legal, and public relations. But getting ahead of it in the public eye, and controlling the narrative as far as that is possible, is far easier and more effective than chasing it. Even if the internal investigation is ongoing and has not yet reached a conclusion, the message can state what is known so far and say that further detail will be released as it becomes available.

In addition to the cost of remediation, a security breach can damage a business's reputation and cost it customers. That damage can be reduced by being transparent about what happened.

David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn and Twitter.

