Measuring “Serious Harm” in a Data Breach

The prevailing legislative standard in Canada for a duty to report a breach of data security (loss of data, compromise, etc.) seems to be that there is a real risk of serious harm as a result of the breach.

Have Canadian courts or regulators given useful guidance on when that happens, and what kind of harm is serious and likely? I am especially interested in court rulings, since the threat of litigation can focus the data holder’s mind as much as or even more than a regulator’s order. (Have privacy regulators cracked down on reporting requirements or other useful follow-up to data breaches?)

The U.S. courts have tended strongly to throw out lawsuits – usually brought as class actions – on the ground that the plaintiffs lack standing, because they have not shown damage or likely damage. Mere worry about consequences is not enough.

There are a few exceptions, but very few, and no trend in favour of the exceptions.

Here is a U.S. law firm’s article on some recent case examples. Have Canadian authorities gone in this direction at all?

The U.K. seems to be much more open to assessing substantial damages for the release of private information. This article discusses recent cases.

Interpretation of the statutory test matters not just for litigation or regulation but for reputation, since it is the key to whether the data holder has to give notice to the data subjects or whether the breach can be handled quietly and cheaply in house.

Is Canada (or any particular province) treating this topic right, or not, and why?
