How Canada’s mandatory breach notification has affected the P&C industry

Canada’s new mandatory breach notification requirements have increased the number of reported claims, leading to a re-shuffling of claims costs for insurers, according to a privacy lawyer.

“It definitely leads to more claims and it makes its presence [known] in three ways,” Eric Dolden, a partner at Dolden Wallace Folick LLP, said of the new legislation, introduced in November 2018. The three ways are through:

• class-action lawsuits
• individuals seeking small claims compensation
• in-house costs (such as staffing costs for an organization associated with responding to worried customers following a breach)

Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on Nov. 1, 2018, requiring organizations to disclose data breaches that pose a “real risk of significant harm.” In April 2019, the federal Office of the Privacy Commissioner of Canada reported that it had already seen a four-to-five times increase in the number of breaches reported to its office since the requirements came into effect.

On Friday, Dolden spoke at NetDiligence’s 6^th annual Cyber Risk Summit in Toronto. He was part of the panel 2019 Claims & Losses Update.

Dolden said he is defending a case for the City of Calgary in which a city employee gave away medical information about all of the city workers who are on workers compensation.

“Before I got involved, the city’s legal department gave breach notice to about 10,000 current or former employees,” Dolden told conference attendees. “It only took one employee to walk into a lawyer’s office in downtown Calgary and start a class action. So we got a class action seeking $90 million in damages and we are just now going for initial judicial approval of the settlement amount.”

The second type of claim comes from from individuals who, after getting a breach notice, want a full apology or other variations, Dolden said. For example, some people may say, “‘I talked to a lawyer and he or she says I can get $2,000 in damages. I want $1,500 or I’m going to sue you in small claims court,’” he said, adding that “we welcome that a bit more than the specter of a class action.”

The third is simply the increased cost of “help centres” following a breach.

From a business interruption perspective, insureds sometimes don’t anticipate how long it takes to unwrap BI losses, said panellist Simon Oddy, a partner and forensic accountant with Baker Tilly. The BI component of the last 60, 90, or 120 days can’t be figured out in a week, he said.

Oddy said he also sees situations in which an insured will try to handle a breach at arms-length from the insurance process, taking two or three months to develop their own experts and advisors and view of the loss.

“At that point, you’re asking a lot of questions that simply lead to frustration,” he said. “They lead to frustration, because the insureds just answered all of those questions with their own [financial] advisors. And so here we are, three months in: We’re a cash-strapped business that is now putting pressure on its insurance broker…and insurers because [now] this problem is impacting their business revenues. Not achieving their budget and cash flow is a problem.”

And yet, these companies are taking two or three months to evaluate their own damages and hand that in for review, Oddy said. “Can we get our insureds to talk to us when we’re reviewing the loss, or when insurers’ advisors are going to be reviewing this loss? Can they start talking to us much sooner, so that we don’t have to go in [frustrated] in the third or fourth month?”