
The first 24 hours following a data breach are probably the most critical for reducing potential damage and protecting your brand. Call our 24-hour hotline immediately if you suspect you are experiencing a data breach: 800.816.9596.

Do we have a breach?

Poor system performance or other abnormalities may be the result of user error or a system configuration error. Any anomalous system behaviour should alert you to the prospect of a data breach. Certainty is not required, but there should at least be some confidence that a real incident is underway.

Immediate Action Steps

Once the decision has been made that a data breach has occurred, the following steps should be implemented without delay:

1. Engage legal counsel experienced with data breach management

Siskinds acts as the “hub” to manage data breach incidents. We engage experienced service providers directly. The reasons are twofold. First, we engage service providers in whom we have confidence and with whom we have typically worked before. This cuts down considerably on the “time to get going.” Second, and most important, when we engage service providers directly, the reports and information that they produce and provide to us are privileged. This means that those materials are not subject to discovery in the event that litigation over the breach is subsequently commenced.

2. Commence record taking

The time and date of all discussions and key decisions should be documented throughout the event. The role of this record keeper should be identified in your Incident Response Plan (“IRP”).

3. Activate the Incident Response Team

All members of the Incident Response Team (“IRT”) should be notified using one or more of the contact methods identified in your IRP.

4. Engage forensics

The containment, eradication and recovery phases of the incident require the involvement of a skilled forensics team from the outset.

5. Secure the premises

If there is a defined area where the data breach occurred, it should be secured to prevent unauthorized access and the loss of any evidence. At the same time, a Command Centre for the IRT should be established and secured.

6. Stop additional data loss

Containment of the incident includes such measures as: disabling the network switch port to which a particular system is connected; blocking access to malicious network resources such as IP addresses (at the firewall) and domain- or source-specific URLs; temporarily locking a user account under the control of an intruder; disabling system services or software that an adversary is exploiting; and shutting down all Wi-Fi connections. Note that all machines should be left powered on[i] in order to preserve the contents of memory.

In certain situations, your forensic advisor may advise that containment be skipped. With sophisticated adversaries, certain containment measures will alert them and cause them to implement new tools, establish secondary backdoors, or move to a destructive phase.

7. Continue record-keeping

Secure all logs, audits, notes, documentation and any other evidence that has been or is being gathered during the incident with appropriate identification marks, securing the chain of custody for future prosecution or litigation. All relevant system security/event/IDS logs should be maintained. Give notice to your ISP or MSP to preserve and maintain all logs.
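
One way to record the identification marks and chain of custody described in step 7, as an added example that is not part of the original page: each collected file gets an item ID and a SHA-256 hash in a manifest that can be re-checked later. The function names, the `IR-EXAMPLE` incident ID and the sample log lines are assumptions constructed for illustration.

```python
# Added example: names and sample data are illustrative assumptions.
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def walk_files(evidence_dir):
    """Relative paths of every file under evidence_dir, in a stable order."""
    base = Path(evidence_dir)
    return sorted(str(p.relative_to(base)) for p in base.rglob("*") if p.is_file())

def build_manifest(evidence_dir, incident_id, collector):
    """Give each file an identification mark and record its hash and size."""
    entries = []
    for n, rel in enumerate(walk_files(evidence_dir), start=1):
        full = Path(evidence_dir, rel)
        entries.append({"item_id": f"{incident_id}-{n:04d}", "path": rel,
                        "sha256": sha256_file(full), "size": full.stat().st_size})
    return {"incident_id": incident_id, "collector": collector,
            "collected_utc": datetime.now(timezone.utc).isoformat(), "entries": entries}

def verify_manifest(evidence_dir, manifest):
    """Return (identifier, problem) pairs for missing, modified or unlisted files."""
    problems = []
    for entry in manifest["entries"]:
        full = Path(evidence_dir, entry["path"])
        if not full.is_file():
            problems.append((entry["item_id"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["item_id"], "modified"))
    listed = {entry["path"] for entry in manifest["entries"]}
    problems += [(rel, "unlisted") for rel in walk_files(evidence_dir) if rel not in listed]
    return problems

def demo():
    """Constructed sample: two small log files, one altered after collection."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "auth.log").write_text("constructed line: login failed\n")
        Path(d, "ids.log").write_text("constructed line: alert raised\n")
        manifest = build_manifest(d, "IR-EXAMPLE", "record keeper")
        Path(d, "ids.log").write_text("altered after collection\n")
        return manifest, verify_manifest(d, manifest)
```

Keep the manifest on separate, write-protected media so that it cannot be altered along with the evidence it describes.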

8. Interview key persons

As part of the record-keeping process, all parties involved in the incident should be interviewed from time to time to gather their observations and input.

9. Consider notification requirements

Provincial and federal laws impose notification obligations to various governmental offices, the affected data subjects, and law enforcement and other agencies. Because of the short notification periods provided for under these laws, your legal obligations to disclose need to be assessed early on, and that assessment should be constantly updated.

10. Assess priorities and risks

Based on what you know at this point regarding your systems, the extent of the breach, the nature of the breach and other factors, priorities need to be established and other aspects of your response, including communications, need to be advanced.

11. Advise your insurer

If you have cyber insurance coverage, your broker or insurance company representative should be notified at the outset. This ensures that the response is conducted in accordance with the best practices established by the insurer.

12. Notify law enforcement

Law enforcement agencies are increasing their level of cooperation and information sharing. This means that information about the particular threat actor may be known to the police, which may assist the forensics team. In some instances, decryption keys for ransomware are known to law enforcement agencies who can then share that information. In the event of a criminal prosecution, law enforcement can assist with the preservation and storage of evidence.

[i] If your computer is compromised

  1. Disconnect it from the wired or wireless network. If using a docking station, undock the computer and then turn off the wireless network, as it will auto-switch to wireless when the wired network is no longer available.
  2. Do not turn off your computer.
  3. Contact your IT department and let them know the situation.

Our Team

Michael Weinberger, Associate - Business & Privacy Law

Peter Dillon, Partner - Franchise Law, Technology, Privacy, Cybersecurity
