Executive Summaries Nov 15, 2023

The Incident Response Plan: the Cornerstone of Effective Crisis Management

Confidentiality incidents are costly, unpredictable, and sometimes carry serious consequences for private enterprises, including those operating in Québec. Because these incidents must be handled quickly and efficiently, organizations should be diligent and proactive and put appropriate processes in place so as not to be caught unprepared in a crisis. One such process is an Incident Response Plan.

Enterprises’ Obligations

Under the new requirements of the Act respecting the Protection of Personal Information in the Private Sector (ARPPIPS), enterprises must now diligently notify the Commission d’accès à l’information (the “Commission”) and the individuals whose personal information is affected by a confidentiality incident whenever the incident presents a risk of serious harm. It is worth noting that “confidentiality incident” is defined broadly and covers events of widely varying severity, from an e-mail sent to the wrong recipient to a major cyber-attack. The Regulation respecting confidentiality incidents,[1] which came into force in December 2022, sets out the information that must be included in the notifications to the Commission and to the persons concerned.

In addition, businesses must keep a register of all confidentiality incidents (not only those that present a risk of serious harm), and each entry must include the information specified in articles 3 to 5 of the aforementioned regulation.

While these requirements may seem relatively straightforward, they underpin the implementation of other tools and processes. In fact, meeting these requirements depends on the enterprise’s ability to:

  • Detect confidentiality incidents, including the technical tools and processes for identifying internal and external threats
  • Quickly identify the cause of confidentiality incidents
  • Promptly assess the risk of serious harm
  • Implement measures to mitigate harm
  • Bring together the appropriate resources and key people for the assessment and decision-making processes

These capabilities may be developed, for example, by establishing an Incident Response Plan (IRP), which enables enterprises to act diligently and proactively, to be prepared for confidentiality incidents when they occur, and to minimize the risk of harm to clients, employees, and partners.

What is an IRP?

An IRP is a document that ensures that human and technical procedures, processes, and mechanisms are defined in preparation for potential incidents. It is designed to enable quick responses to incidents, thereby minimizing the risks to the organization (regarding business continuity, customers, technological systems, and so on). Its scope may extend beyond confidentiality incidents to cover all security-related occurrences in general. For example, an IRP generally covers the following:

  • The composition of the team responsible for handling incidents
  • The respective roles and responsibilities of each team member
  • A process for reporting incidents to the appropriate level (Board of Directors, Executive Board, and others)
  • Procedures for preserving evidence
  • Tests to measure the IRP’s effectiveness

The Importance of an IRP

To begin with, an IRP identifies the incident management team in advance, so that it is ready to take appropriate action as soon as an incident is detected. Beyond naming the parties involved and ensuring their availability, which is crucial because time is of the essence during an incident, the IRP ensures that the right people are called upon. For example, handling an incident may require a qualified communications advisor, who will review any internal or external memorandums or releases the enterprise intends to issue.

Similarly, an experienced reputational risk manager may advise the enterprise on the risks it faces if the incident becomes known, insofar as the business has a genuine choice whether to disclose it. As you may recall, notification of an incident to the Commission and to the person(s) concerned is mandatory only when there is a risk of serious harm. Even if an enterprise concludes that there is no such risk, voluntary notification may still be appropriate as a means of averting damage to its reputation.

Also, the presence of a lawyer is essential. Involving a legal professional early and allowing him or her to direct certain aspects of the response helps ensure that communications made for the purpose of obtaining legal advice are covered by lawyer-client privilege; information shared outside that purpose is not automatically protected. In some cases, the presence of an IT or forensics expert is also necessary, and such experts are frequently retained through counsel for the same reason.

The IRP also makes it possible to establish an incident classification matrix or grid so that those involved can assess, quickly and consistently, the risk of serious harm an incident may cause, and thus notify the Commission and the persons concerned promptly when required. The sooner this risk is assessed, the lower the risk of harm to the people concerned and the quicker the action plan can be deployed.

Having such a grid or matrix enables the enterprise to determine who needs to be involved in handling the incident. For example, a less serious incident may not require the involvement of the incident management team as a whole. Likewise, this enables responders to determine the appropriate reporting level in accordance with the seriousness or critical nature of an incident, and also the key participants who must relay the information to the appropriate hierarchical level within the enterprise.

Lastly, the IRP makes it possible to centralize decision-making on incidents, thereby ensuring greater coherence and consistency. While the assessment of the risk of serious harm is framed by certain parameters, including the sensitivity of information and the likelihood of its use for harmful purposes, the latter consideration is contextual, and centralized decision-making enables key players with the necessary skills and powers to engage in careful assessment.

An IRP as a Mitigation Measure

While setting up an IRP is not a strict obligation under the ARPPIPS, it is essential to ensure effective management of confidentiality incidents and reduce risks, particularly regarding finance and reputation.

Depending on the circumstances surrounding the incident, a business with an IRP is less likely to be found negligent by a regulatory body such as the Commission or by a court of law. In some cases, the Commission’s oversight division has given favourable consideration to the existence of an incident management plan in its investigations, or has ordered in its conclusions that a business adopt such a procedure.[2] Likewise, the measures a business takes to resolve a breach or mitigate its consequences may be taken into account by the Commission when it determines whether to impose a financial penalty and in what amount.

As an illustrative example, in a case involving Equifax Inc., the Office of the Privacy Commissioner of Canada concluded that the enterprise had been unable to respond promptly and completely to a confidentiality incident, in particular because of inadequate oversight on the part of its affiliate, Equifax Canada Co. Following this investigation, Equifax Inc. undertook to define roles and responsibilities for incident response.

In short, when it comes to confidentiality incidents, prevention is better than cure. Effective management of a confidentiality incident is not simply a matter of taking action once the incident has occurred – it also depends, to a large extent, on concrete actions taken beforehand.

The ARPPIPS does not require enterprises to achieve specific results. Hence, the more diligent an enterprise is in adopting tools designed to minimize risk to the individuals whose personal information it has collected, the less exposed it will be to business risks and sanctions.

If you have any questions on these issues, please feel free to contact our team, who will be pleased to provide advice and support.

[1] Regulation respecting confidentiality incidents, CQLR c. A-2.1, r. 3.1, arts. 3 to 5.

[2] See the Commission’s decision of February 16, 2015, following a complaint against TransUnion.
