Rethinking Cyber Risk: Privacy Breaches and the Importance of Legal Strategy
Cyber and privacy breaches are evolving fast. What do Canadian organizations need to do to keep up?
In today’s continually evolving cyber landscape, Canadian organizations can no longer treat cybersecurity and privacy risks as secondary concerns. Instead, these issues sit at the forefront of legal exposure, operational resilience, and risk management.
While ransomware attacks once dominated the cyber landscape, the scope and sophistication of modern cyber and privacy breaches have evolved considerably. Organizations now face a broad range of risks, including business email compromise, social engineering fraud, misdirected funds, and insider threats. A single cyber breach within an organization can expose that organization to significant legal, financial, and reputational consequences. More significantly, as the frequency of privacy class actions rises in Canada and as organizations quickly adopt artificial intelligence systems, businesses must work responsibly to minimize unauthorized disclosure, regulatory exposure, and emerging litigation risks.
Over the last decade, the scope of what constitutes a privacy breach has expanded significantly. Traditionally, privacy breaches were associated with external cyberattacks, such as ransomware or theft of personal information. However, with the growing evolution of technology and AI, breaches can now arise in many different forms. Canadian privacy legislation and regulatory guidance, in the context of protecting personal information, recognize a much broader definition, which includes the unauthorized access, disclosure, loss, or misuse of personal information1 not just by internal employees, but also by third-party service providers and automated systems. Pursuant to Canadian legislation and guidance, organizations must assess whether such an incident creates a “real risk of significant harm” to an impacted individual.2
As a result, companies face growing scrutiny from regulators, as well as increased exposure to third party litigation. Organizations increasingly require specialized breach counsel to assess legal exposure, coordinate incident response, and manage regulatory and litigation risks.
Breach counsel, typically retained at the start of an incident, play a critical role immediately after a privacy incident. Early involvement of experienced breach counsel can significantly reduce legal and operational uncertainty during a quickly evolving incident. Breach counsel work closely with forensics to determine the scope and cause of the incident, report to regulators, and manage internal and external communications. This is all done with the overarching consideration of preserving privilege over the internal analysis and mitigating third party liability risk. Most importantly, breach counsel can help advise organizations on making defensible decisions under significant time constraints and implement strategies to mitigate that risk during the actual breach response.
In British Columbia, privacy is governed by the Personal Information Protection Act3, along with the Privacy Act4, which establishes a statutory tort for the invasion of privacy. As a result, B.C. has quickly become a hotspot for cyber class actions. The courts are now considering the use of data sharing and data misuse, and whether these might be in violation of Canadian legislation.
This was reviewed in the recent case Hvitved v Home Depot, where the Plaintiff sought to certify a class action on behalf of all Canadians who had provided their email addresses for an electronic receipt at Home Depot. The plaintiff alleged that Home Depot violated privacy rights by collecting personal information and disclosing it to Meta, a third party. For about four years, Home Depot had been sharing customer information with Meta’s offline conversions tool, including hashed email addresses, purchase details, and purchase trends. These hashed emails were unique to each customer.
At the certification stage, the court found that when combined with the other elements, individual email addresses and purchase amounts created a detailed profile of consumer behavior, and sharing this data with Meta posed a real risk to privacy. This created a plausible breach of the individual’s reasonable expectation of privacy, which constituted a breach of privacy. The court certified the claim, and this decision was upheld at the BC Court of Appeal.
What this means practically is that no proof of actual harm is required. This allows B.C. courts to certify data breach class actions without evidence of any financial loss.5
The increased use of AI further increases the potential exposure of organizations to different legal risks. The Canadian government has provided some guidance on the use of generative AI tools, including an initial assessment of risk before implementing any new AI tool.6 The Office of the Privacy Commissioner of Canada also put out guidance for processing biometric information, including establishing a legitimate and appropriate purpose, ensuring valid consent was obtained, and implementing data protection measures.7
While Canadian regulators have not yet defined the parameters of liability in this context, the growing consensus is that organizations will be accountable for how they deploy and use AI tools, including what safeguards are put in place to prevent any unauthorized flow of data.
As cyber and privacy risks continue to evolve, Canadian organizations must adopt a more proactive approach to risk management that accounts for emerging threats, new technologies, and third-party exposures. Effective response now depends not only on technical safeguards but also on the timely engagement of breach counsel and a coordinated legal strategy to preserve privilege and manage regulatory obligations. Given the growing complexity of cyber threats, adequate cyber insurance coverage and responsible deployment of new technologies are no longer optional considerations but essential components of an organization’s ability to mitigate and respond to these risks.
- Personal Information Protection Act, SBC 2003, c 63, section 34
- Privacy breach risk self-assessment tool, Office of the Privacy Commissioner of Canada
- Personal Information Protection Act, SBC 2003, c 63
- Privacy Act, RSBC 1996, c 373
- Hvitved v. Home Depot of Canada Inc., 2026 BCCA 39 (CanLII)
- Guide on the use of generative artificial intelligence, Government of Canada
- Guidance for processing biometrics – for businesses, Office of the Privacy Commissioner of Canada