Canada is no longer a safe haven when it comes to avoiding damages arising out of privacy breaches. Class actions are here. Regulatory and criminal investigations are here and so too are individual actions resulting in damage awards. The losses are mounting and regulators are crying for legislation to impose substantial fines. The times, they are a changing. If you are interested in examples of Canadian breaches where losses have occurred, read on.

It is no secret that there is a startling rise in privacy breaches in Canada these days, with a resulting increase in regulatory investigations and legal actions arising out of those breaches. Where a few years ago it was easy to find examples of breaches but difficult to find examples of losses arising from them, the environment in the US, and increasingly in Canada, has changed. Class action litigation and individual actions relating to privacy breaches in Canada are no longer just hypothetical, they are a new reality. The actions tend to involve disclosure of personal information through insecure disposal of records, theft and loss of unencrypted data on mobile devices, and unauthorized access to records. Set out below is a discussion of some of the recent cases resulting in actual losses.

Alex Halderman, a University of Michigan assistant professor who specializes in data privacy, says, “Almost anything you sign up for online these days requires you to hand over your personal information to use it. Then, every action you take online is logged by these companies — it’s that information that really needs to be safeguarded.” Too often, though, the safety walls that are supposed to keep this information private are breached. What can happen to the data that companies and governments are charged with protecting?

In 2011, Sony’s online PlayStation network users found themselves shut out from the fun. After a hiccup with the servers, engineers discovered that there had been a serious data breach. Usernames, addresses, email addresses, birth dates, passwords, and credit card numbers were stolen. Cynthia Larose, an attorney specializing in privacy matters, said, “Taken as a whole, the number of customers affected, the PR impact, and now the legislative inquiries,” this incident ranks “at the top” of data breaches to date. The breach affected 100 million users and cost Sony an estimated $1 billion. Such breaches are an ongoing and serious concern for businesses all over the world, and the need for privacy insurance is only growing more pressing.

We are only now at the very early stages in seeing how Canada is going to deal with new privacy laws, such as PIPEDA. This applies to provincially-regulated companies and their collection, use, and disclosure of personal information, as well as the safeguarding of that information. While there have been actions regarding privacy breaches in Canada, we haven’t seen the likes of Sony yet.

The US has experienced a number of high-profile “cyberthreat” or privacy breach cases, including lawsuits brought against Sony and LinkedIn. Testifying before Congress, FBI Director Robert Mueller said cyberthreats will soon surpass terrorism as the country’s biggest threat. It is already a costly one: the average cost of a data breach in 2010 was $7.2 million. There is the perception that such cases simply do not happen in Canada. Most companies do not view privacy breaches or cyberthreats as a major risk because litigation has been muted thus far. These companies do not have comprehensive coverage against such risks, leaving them very much exposed.

The truth is privacy breaches are becoming commonplace in Canada; recently, Calgary-based Telvant was a target of a cyber-attack. The IT company has a hand in managing 60 percent of all gas and oil pipelines in North America and Latin America. Such attacks, says Travis Davies of the Canadian Association of Petroleum Producers, are “the new normal.” The big exposures are for small and medium enterprises, which do not have the resources or processes in place to handle a policy breach. These breaches could be covered by other, general insurance policies, but typically, they are not.

The decision to bring in strategic advisors is not one that businesses arrive at lightly. Whether they are hesitant to spend the money or wary of having an “outsider” come in, many delay getting the help they need until the challenges they face loom large or opportunities have slipped away. Instead of responding to a crisis, businesses can use strategic advisors to prevent a crisis and to ensure they are able to look towards the future with greater confidence and security.

There are certain myths about working with strategic advisors that persist:

Myth #1: That’s My Job.

In some cases, executives may see advisors as competition. It can become quite personal to a manager who perceives that their boss expects them to perform the services that are being outsourced. They may also see it as failure or ineptitude on their part that the company needs to turn to external help.

The truth is that when executives have reached their capacity in handling transactional business, they need help. It is difficult to plan for tomorrow when today is consumed with putting out fires. Further, strategic advisors are not brought in for broad, general areas of focus. Rather, we are brought in to apply niche expertise to a business’s strategic challenges. This not only provides the specialized knowledge necessary to augment an executive’s skill set, but also creates needed change, and allows improvements to happen faster.