In 2011, Sony’s online PlayStation network users found themselves shut out from the fun. After a hiccup with the servers, engineers discovered that there had been a serious data breach. Usernames, addresses, email addresses, birth dates, passwords, and credit card numbers were stolen. Cynthia Larose, an attorney specializing in privacy matters, said, “Taken as a whole, the number of customers affected, the PR impact, and now the legislative inquiries,” this incident ranks “at the top” of data breaches to date. The breach affected 100 million users and cost Sony an estimated $1 billion. Such breaches are an ongoing and serious concern for businesses all over the world, and the need for privacy insurance is only growing more pressing.
We are only now at the very early stages in seeing how Canada is going to deal with new privacy laws, such as PIPEDA. This applies to provincially-regulated companies and their collection, use, and disclosure of personal information, as well as the safeguarding of that information. While there have been actions regarding privacy breaches in Canada, we haven’t seen the likes of Sony yet.
In the US, there have been a number of large privacy breaches, resulting in hundreds of millions, and even billions, of dollars in losses. We haven’t had those dramatic court-awarded damages yet in Canada. The first, and largest, damage award for a breach of PIPEDA to date is $5,000 plus costs. The liability for not protecting that information has, so far, been quite small. The issue is, though, that if a class action is initiated, this rather nominal amount per individual may be multiplied by thousands of claimants, and together with litigation defense costs, costs to notify all those affected by the breach, and costs to rectify the situation as well. There are now existing in Canada a number of privacy breach class actions at various stages of the litigation process.
For large organizations, that might be a quarter’s earnings; unpleasant but not devastating. Small companies typically don’t have the resources to whether the storm. How do you pay for it? Beyond the initial costs, how do you handle the brand damage and loss of public and consumer confidence?
Where are we now? People recognize that there are exposures, but we are still very much feeling out how we will deal with privacy liability. It is an issue that is not going away anytime soon, and with the recent breach and theft of 2 million Ontario voters’ data, we’re going to be learning a bit faster than we’d like. Privacy insurance isn’t a luxury; it’s not a frivolity. It’s a survival tool.