
Angela Carmichael is senior vice-president, senior partner and general manager of FleishmanHillard in Toronto. Imran Ahmad is a partner at Miller Thomson LLP and specializes in the area of cybersecurity law.

Our shift to a digital society has seen the emergence of a new kind of crime: stealing data and attacking company networks, whether for financial gain, to send a political message, or sometimes simply to prove a point. Not surprisingly, this harsh reality of our digital economy has made cybersecurity a significant priority for organizations, senior management teams and corporate boards across Canada and the world.

The financial costs to defend against cybercrimes are not insignificant: According to Cybersecurity Ventures, it is expected that companies will spend $1-trillion (U.S.) cumulatively over the next five years on cybersecurity products and services. However, spending to defend against the crime doesn't address the reputational damage a data breach can have on an organization, or the longer-term revenue implications that result if in fact a data breach occurs.


A January, 2017, Leger survey commissioned by corporate reputation consultancy FleishmanHillard showed that nine in 10 Canadians agree that if an organization or business were to have lost, been a victim of theft or mistakenly shared personal information, it would lose significant trust and credibility with Canadian consumers. Moreover, 82 per cent of Canadians say that if this were to happen, they would take their business to a competitor.

So, while it's true that Canadian companies are increasingly preparing for the financial, legal and technical implications of a breach, many continue to overlook developing a communications strategy, which is critical in the early hours and days of a breach when it comes to protecting reputation over the short and long term.

From a privacy and legal perspective, requirements are about to change significantly for companies in Canada. In the very near term, the federal government will be rolling out regulations that implement key provisions of the Digital Privacy Act that relate to breach reporting, notification and record keeping. In other words, corporate Canada will be required to communicate much more frequently with the Office of the Privacy Commissioner on breaches, which will in turn have the right to request and review newly required corporate security-breach logs at any time. Companies will also be required to alert affected individuals in a timely manner where the data breach could result in "significant harm," as well as any organizations, such as credit bureaus, that can help reduce risks for individuals.

What this reinforces is that data incidents are not legal, IT or communications problems exclusively. They affect the entire business and require a multidisciplinary team comprising senior leadership, IT, operations, communications, legal, HR and managers responsible for stakeholder audiences such as investors, customers and business partners.

Ideally, the team should work together before a breach occurs to develop a cyberresponse plan comprising a communications strategy that works in conjunction with an IT-response plan. Collaboration avoids the one-sided approach often seen when organizations work in silos, which results in a disjointed, inconsistent and delayed response to issues or crises.

In thinking through threats to the business, the team should identify organization- and industry-specific risk factors. For instance, a retailer will tend to focus on breaches related to payments and customer information, while a public utility will focus on an interruption of service. Beyond the immediate impact of a breach, the team should consider the longer-term consequences of, for example, the loss of intellectual property, employee or customer records.

Once the risks are established, it is imperative to align how the organization will communicate with stakeholders. Timing should take into account IT security and forensics timeframes, as well as determining broad thresholds for notification to the Commissioner and affected individuals. This will reduce the need for real-time decision-making in an actual crisis, as well as inappropriate responses.


Finally, ensure that your organization's first attempt at managing a cybersecurity crisis is not during the real thing. Practising in a controlled setting can identify flaws and gaps in the process because what makes sense in the plan does not always work in practice, and personalities can change in the pressure cooker.

Just as there is no fail-safe method of preventing a cyberincident, there is no foolproof way of managing an organization's reputation in the midst of one. However, recognizing the importance and value of preparation more often than not goes a long way toward protecting the reputation that your organization has worked long and hard to build.
