Help a business owner who experienced a data breach

By Suzanne Yar Khan | September 21, 2018 | Last updated on September 21, 2018

The situation

Your client calls in a panic, saying she noticed suspicious activity when using her computer, and fears her company may have suffered a data breach. What should she do immediately?

The specialist

Catherine Beagan Flood, Partner at Blakes, Toronto

If she works for a large company, hopefully she has an incident response team, which should include senior leaders from her legal, communications, HR and IT departments, explains Catherine Beagan Flood, partner at Blakes in Toronto. These leaders should follow steps in the company’s incident response plan, which include notifying employees not to use their computers and changing passwords after the threat has lifted.

If the client doesn’t have a team or plan in place, Beagan Flood recommends setting one up to protect against breaches, as well as blocking specific websites of countries where she doesn’t do business.

“Train employees about the risks of malware, because one of the biggest risks is employees clicking on an attachment or a link,” she says.

Next, if there’s reason to suspect a serious breach, engage external counsel, including legal, cyber security and public relations experts.
Legal can help in “mitigating litigation and regulatory risks, and ensuring evidence is secured properly.” A cyber expert would contain and investigate a breach while public relations would respond to questions from the media and issue public statements.

Starting Nov. 1, the Personal Information Protection and Electronic Documents Act will require all private sector companies to report data breaches to Canada’s privacy commissioner, and to notify affected individuals, notes Beagan Flood. Currently Alberta is the only province with mandatory requirements.

Finally, the client should “consider her cyber insurance coverage, if she has it, because there may be a duty to give notice of any potential claim.”

Suzanne Yar Khan

Suzanne has worked with the Advisor.ca team since 2012. She was a staff editor until 2017 and has since worked as a freelance financial editor and reporter.