“Privacy Breach Case Simulation” with Dina Maxwell

By: Calvin Wang, JD Candidate 2024
 

Dina Maxwell is Senior Legal Counsel and Privacy Lead at PwC Canada, where she manages and advises on a wide range of privacy and data protection related issues, including policy development, privacy training, and incident response. A fellow U of T alum, Dina brought her wealth of legal knowledge and expertise in leading this case simulation, where we recreated a response to a privacy breach at a firm.

We began with a brief introduction into the relevant background information on privacy law in Canada, especially as relates to data breaches and privacy interests. We learned a bit about requirements for corporations in reporting incidents as well as principles underlying these laws. With this information in mind, we got started with a fact pattern, in which we played the roles of an incident response team reacting to a privacy breach at a social media company. To see the full fact pattern, go to https://futureoflaw.utoronto.ca/node/130.

We were given information in multiple stages to represent the 5 steps taken in incident response to privacy breach: Identify, Contain, Notify, Protect, and Eradicate. In every stage, each team would come up with suggestions that they would make to the company and Dina would tie our suggestions to real life practices or steps that she might take. For instance, questions arising from Step 3: Notify might include: Who do we notify? What do we notify people about? How much information do we provide?

A fascinating feature of this event was the diversity in creative responses and solutions that were suggested by fellow students, each with unique benefits and drawbacks. After each response, Dina would pull out the strengths to different approaches and relate them to actual practices in the world of privacy law. As a result, we would get a better and better understanding into the way a real case would actually play out from the perspective of a seasoned veteran like Dina.

What surprised me the most was how interdisciplinary each of these steps really were! While law was still a primary concern, it was only one of many factors to consider. Notably, public relations and technological capabilities were two other highly relevant considerations that demanded just as much attention in developing our solutions. What was especially highlighted was the interconnectedness that lawyers in this situation would need to have with team members and experts in other fields in order to address the problem.

This was the perfect learning opportunity for individuals hoping to get a taste of what being a privacy lawyer is all about. While classes might provide some level of insight into certain fields of law, a simulation of practical experience and guidance from a veteran of the industry can offer unique perspectives. I thought this was particularly valuable even to students not previously focused on privacy law to be able to explore potential career paths that might not have been previously considered and to be able to see if privacy law is something that one might be looking to get into. All in all, a case simulation such as this was a great opportunity to escape the bubble of academia and take a peek at the real world.