A mid-sized accounting company operating in eastern Canada, which we will refer to as “Co. East”, had built quite a respectable client list in its 10-year lifespan, getting much of its business through word of mouth, and was anticipating a great 2016.

Two unexpected developments then took place that threatened Co. East’s bright future. In order to keep costs down, the company had hired interns from the local university. One of the interns, “Mr. A”, in an attempt to gain favour with his employers, took on a massive filing project to reorganize the company’s filing system. In his zeal, Mr. A copied all of the company’s client files onto a flash drive so that he could do some of the work at home after hours, in breach of company policy on flash drives. He then lost track of the flash drive.

About a week later, Mr. A decided to tell his boss. The boss was livid, because the data on the drive was not encrypted, and confused, because he did not know the laws governing notice to clients in this type of situation. It was not clear whether anyone had opened the client files, or whether that would have made a difference. The owner of Co. East did not act, crossing his fingers that nothing would come of the lost flash drive.

Around the same time, Co. East experienced a hacking incident: an outside third party gained access to Co. East’s systems. The owner, not knowing what else to do and not sure what information the hackers had accessed, retained a systems expert to remediate the company’s computer systems and to advise on which documents had been accessed. The expert determined that the hacker had accessed 100 tax returns belonging to various clients. Co. East’s owner then sought legal advice and was advised to put all affected clients on notice. Counsel also provided advice regarding the lost flash drive, which was eventually (and fortunately) found at the bottom of one of Mr. A’s desk drawers.

Co. East’s owner is now deciding whether to retain a public relations firm to help him deal with the hit to the company’s reputation. Remediation, legal and notification costs of $75,000 have already been incurred.

Co. East does not have any insurance policy in place that would help cover these costs.

Lessons learned:

  • Privacy breaches are a real risk to businesses in today’s environment, and they do not have to involve a cyber/hacking incident. Lost files or devices are a risk of which companies should be aware; in Co. East’s case, the data on the lost drive was not encrypted and the company’s own flash-drive policy was not enforced, and either control would have reduced the exposure.
  • A privacy breach can cost a great deal of time and money and can destroy a business’s reputation. The financial impact of a privacy breach can be mitigated by a cyber liability policy, which may not only cover the losses a company incurs to remediate its systems, but may also provide invaluable (and timely) access to advice that will guide an insured through a breach situation.
  • As part of a reasonable risk-management strategy, companies have to give serious thought to putting a privacy breach response plan in place. A cyber liability policy should also be considered as part of that strategy. Co. East would not have borne its $75,000 lesson alone had the appropriate policy been in place.