Selena Lu is a partner in Lavery's Business Law group and focuses her practice on mergers and acquisitions and the drafting of standard contracts, including leases, franchise agreements, distribution agreements and financing agreements.

Over the years, Selena Lu has developed an interest and acquired significant experience in supporting her clients in their technological shift. The growth of technology-related issues in her mandates has led her to sharpen her expertise in the field of technology law. On a daily basis, she advises her clients on the legal impacts of implementing new technologies, whether during mergers and acquisitions or accelerating the digital shift.


The answer is yes, but only under very specific conditions. Savon Bubulle Inc. will have to disclose the incident where personal data has been compromised and where the leak presents a real risk for the people affected! Because it operates a transactional website, the soap factory had several pieces of information identifying its customers compromised in the cyber incident.

In this type of situation, both provincial and federal law impose a duty of disclosure. In this column, I present your main responsibilities as a business leader and the consequences that await you if you decide to keep the secret.

1. First reflex: who to notify?

Following a cyberattack, I recommend that you make it a priority to disclose the incident to your board of directors, your management team, and other internal members whose information was affected, such as your employees.

You will also need to notify your customers and business partners if their personal information has been compromised.

Under provincial and federal law, you must go further and notify any individual whose personal information is affected by the breach of security safeguards (for example, a former client or an intern).

Another condition applies: your notification obligation only kicks in when the leak presents a “real risk of serious harm” to the individuals whose data was affected. In the case of Savon Bubulle Inc., customers provided banking information in order to purchase products online. This data is critical and could be used with malicious intent; these are the circumstances the criterion is meant to cover. Conversely, the names and addresses of Savon Bubulle Inc. newsletter subscribers will generally not be considered critical information.

Ideally, you will already have thought through a contingency plan for the aftermath of a cyberattack. In particular, I recommend that you prepare a communication plan in advance, covering both internal and external communications.

2. Your disclosure obligations to government organizations

At the federal level, the law requires you to notify the Office of the Privacy Commissioner (OPC) of any breach of the security safeguards used to protect personal information.

At the provincial level, your obligations are similar. Rather than the Office of the Commissioner, you will have to notify the Access to Information Commission (Commission). Note that the specific terms are defined by Bill 64, which is still under detailed study but whose adoption is imminent.

If your company operates internationally, it will also need to comply with the disclosure rules of the other jurisdictions concerned. For example, if Savon Bubulle Inc. offers goods or services in the European Union, it will need to comply with the General Data Protection Regulation (GDPR).

If you suspect identity theft, unauthorized use of a computer, mischief against computer data or any other act of cybercrime, you should also contact the police. For a more complete list of cybercrimes, I recommend you consult the attached site.


3. Your contractual obligations

Savon Bubulle Inc. has contracts with several suppliers and service providers. If you are in the same situation, I advise you to look at these contracts to see if they provide for cybersecurity obligations. It will be important to check if a notification obligation is provided for.


4. Informal norms

Federal and provincial regulatory bodies of which your company is a member may also require you to report any cybersecurity incident. This is the case with the Investment Industry Regulatory Organization of Canada (IIROC). Federally regulated financial institutions (FRFIs) must likewise report incidents to the Office of the Superintendent of Financial Institutions Canada (OSFI).



5. Consequences of non-disclosure


A company manager might be tempted to ignore the disclosure obligation so as not to harm the company's reputation, but this decision would have serious consequences.

Bill C-11 at the federal level and Bill 64 at the provincial level give new powers to the Office of the Commissioner and the Commission that allow them to recommend or impose criminal and administrative sanctions for a violation of the reporting obligation. These administrative sanctions can be as high as $10 million or an amount corresponding to 2% of the company's turnover. Criminal sanctions can be as high as $25 million or 4% or 5% of the company's gross total revenue!


As you will have understood, I certainly do not advise you to keep the secret!

Note that disclosure must also be made within a certain time frame. However, provincial and federal law provide only that it must be made diligently and as soon as possible, without further details.

Recently, the Superior Court of Quebec ruled that a 46-day delay between a data breach and disclosure to affected investors was reasonable. Its reasoning was based in particular on the time needed to identify the individuals, companies and information affected and to put corrective protective measures in place.

Stay tuned, as a statement of appeal has been filed against this decision!


Victim of a cyber attack? Can you keep it a secret?

2021-06-21

Me Selena Lu

5 minutes

Savon Bubulle Inc., a fictitious artisanal soap company, was the victim of a cyberattack! It implemented its response plan to manage the crisis and prevent further data loss. Although the leak has been plugged, one problem remains to be resolved: should the company disclose the cyber incident? Is it required to by law?

Written in collaboration with Radia Amina Djouaher and Kabrina Péron.

