Data Breach Notification Law in Canada (2026 Guide)

What Is a Data Breach Under Canadian Law?

Canada's federal privacy law, PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5), defines a "breach of security safeguards" as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a failure to maintain appropriate safeguards. That definition was introduced by the Digital Privacy Act (S.C. 2015, c. 32) and governs every private-sector business that collects, uses, or discloses personal information in the course of commercial activity — with limited exceptions for provincially regulated activity in Quebec, Alberta, and British Columbia.

Three elements must be present before you have a reportable incident under Canadian federal law:

Personal information must be involved. PIPEDA defines personal information as "information about an identifiable individual." That covers names, SIN numbers, financial account details, health card numbers, email addresses when linked to identity, home addresses, passwords, biometric data, and IP addresses when associated with a person. A breach of purely anonymized or aggregate data does not trigger PIPEDA obligations — but organizations must be cautious about re-identification risk.

A safeguard failure must have occurred. A misconfigured cloud storage bucket that exposes client records is a safeguard failure. Ransomware that enters through a phishing email exploiting an unpatched system is a safeguard failure. A disgruntled employee who downloads client data to a personal USB drive without authorization is a safeguard failure. By contrast, if a fraudster impersonates your CEO in an email to trick your accounts-payable team into an unauthorized wire transfer but no personal information leaves the organization's control, that wire fraud is not typically a PIPEDA breach — though other regulatory obligations may apply.

The breach must meet the reporting threshold. Not every safeguard breach requires notification to regulators or individuals. Under PIPEDA, only breaches that pose a "real risk of significant harm" (RRSH) to at least one individual must be reported and disclosed. Below that threshold, you must document the breach in your breach register but take no external reporting action. Quebec's Law 25 uses the phrase "risk of serious injury" rather than RRSH — the practical difference is modest, but the analytical framework and timelines differ materially.

A critical point that tripped up many organizations in 2023 and 2024: the RRSH assessment is not optional or informal. The Breach of Security Safeguards Regulations (SOR/2018-64) specify the factors you must weigh (see Section 3). Skipping the assessment — or conducting a superficial one — is itself a violation. The OPC has issued multiple breach investigation reports noting that organizations failed to properly assess RRSH before deciding not to report.

PIPEDA: The Federal Breach Notification Framework

PIPEDA's breach notification obligations came into force on November 1, 2018 through the Breach of Security Safeguards Regulations, SOR/2018-64, published in the Canada Gazette. They impose three distinct obligations on every affected organization.

Report to the OPC. When you determine a breach poses RRSH, you must report to the Office of the Privacy Commissioner of Canada "as soon as feasible." There is no fixed statutory deadline — this is the most significant structural difference from the EU's GDPR and Quebec's Law 25. "As soon as feasible" is contextual: it means as soon as you have enough facts to make the required disclosures without further material delay. The OPC has published guidance indicating that reports received more than 30 days after the RRSH determination attract scrutiny, and reports received more than 90 days after are likely to result in compliance investigations. In practice, experienced privacy counsel recommends filing the OPC report within 7 to 14 days of the RRSH determination unless there are documented reasons for delay (e.g., the RCMP has asked you to hold notification to protect an ongoing investigation).

Notify affected individuals. Notification to the individuals whose information was involved must occur simultaneously with the OPC report — or as close as practicable. You cannot file with the OPC and then wait weeks to tell your customers. The notification must be direct: by email, phone, letter, or in-person — whatever is most likely to actually reach the individual. Posting a notice on your website is a fallback permitted only when direct notification is not reasonably practicable (e.g., you do not have current contact information for affected individuals).

Maintain a breach record for 24 months. Every breach of security safeguards — whether or not it reaches the RRSH threshold — must be documented in a breach record and retained for a minimum of 24 months from the date of the breach. The OPC has the right to request access to these records at any time. Failure to maintain them is a separate offence from failure to report.

Who is covered. PIPEDA applies to federally regulated industries (banks, insurance, telecommunications, interprovincial transportation, broadcasting) across all provinces, and to all private-sector commercial activity in provinces without substantially similar legislation. Ontario, Manitoba, Saskatchewan, New Brunswick, Nova Scotia, PEI, Newfoundland and Labrador, the territories, and most non-Quebec businesses engaged in interprovincial commerce fall squarely under PIPEDA. Alberta and B.C. have substantially similar provincial laws for employee personal information, but PIPEDA governs commercial data in those provinces. Quebec is unique: Law 25 is substantially similar for the full private sector, but national businesses serving Quebec customers must still comply with the PIPEDA breach notification rules alongside Law 25.

The report form. PIPEDA breach reports are submitted to the OPC via priv.gc.ca using the online breach report form. There is no fee. Organizations are not automatically sanctioned for self-reporting — the penalty provisions of PIPEDA target organizations that knowingly fail to report or obstruct an investigation, not those who self-report promptly. The OPC explicitly encourages early and complete disclosure.

The "Real Risk of Significant Harm" Test — How to Apply It

The RRSH test is the central analytical step in PIPEDA breach response. Getting it wrong — either by over-reporting trivial incidents or by under-reporting genuinely harmful breaches — carries reputational and legal risk. Regulation SOR/2018-64, section 4 specifies the factors to assess.

Factor 1: Sensitivity of the personal information. Some categories of information are inherently sensitive under Canadian privacy law and almost always push a breach toward the RRSH threshold: Social Insurance Numbers, health information (including prescription data, diagnoses, mental health records), financial account numbers and passwords, location data revealing sensitive patterns (e.g., visits to addiction treatment facilities), biometric data, and information about minors. By contrast, first name and business email address from a contact database are low-sensitivity, though context matters — those same fields combined with a salary figure become more sensitive.

Factor 2: Probability that the information has been or will be misused. Evidence of actual exfiltration (logs showing data was copied outward) elevates this factor significantly. Ransomware-as-a-service groups routinely exfiltrate data before encrypting it, so a ransomware attack should be presumed to involve exfiltration until forensics proves otherwise. A misdirected email to a known, cooperative recipient who confirms deletion lowers this factor substantially. Dark web monitoring showing your data for sale is the clearest signal of probable misuse.

Factor 3: Number of individuals affected. Volume matters but is not determinative. A breach affecting 50,000 individuals with low-sensitivity data may score lower on RRSH than a breach affecting five individuals whose complete financial profiles — including SINs, banking credentials, and credit card numbers — were taken by a sophisticated attacker.

Factor 4: Nature of potential harm. PIPEDA lists bodily harm, humiliation, damage to reputation, financial loss, identity theft, negative effects on credit records, and damage to property as qualifying harm types. Identity theft risk — particularly when SINs or financial credentials are involved — is one of the most serious harm types because the effects persist for years and can be extremely costly for individuals to resolve.

Factors 5 and 6: Attacker identification and whether data is already public. A breach by a known former employee with motive raises RRSH. A breach where the exposed data was already substantially available in public directories lowers it — though even publicly available information can enable targeted social engineering.

Practical decision matrix:

Quebec Law 25 — The CAI Requirement and 72-Hour Clock

Quebec's Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, S.Q. 2021, c. 25) introduced the concept of the "confidentiality incident" and created obligations that differ from PIPEDA in three important ways: a hard 72-hour deadline, a permanent incident register, and a broader scope that reaches any organization that holds Quebec residents' personal information — regardless of where the organization is headquartered.

What triggers the 72-hour clock. The clock starts when an organization becomes aware of a confidentiality incident and determines it presents a risk of serious injury to one or more individuals. Law 25 defines a confidentiality incident as any access, use, or communication of personal information not authorized by law, and any loss of personal information. This is deliberately broad — a lost USB drive containing employee records is a confidentiality incident even if there is no evidence of anyone reading it. The 72-hour deadline runs from the point of awareness-plus-determination. For practical purposes, privacy counsel advise treating discovery of any potential serious incident as starting the clock until you can rule out serious injury risk — because the assessment itself should be rapid.

Who you notify and when. First, the CAI (Commission d'accès à l'information du Québec — cai.gouv.qc.ca) within 72 hours of the determination. Second, affected individuals "as soon as possible" — which the CAI interprets as without unreasonable delay after confirming the scope of the incident and the identity of affected individuals. There is no requirement to complete a full forensic investigation before notifying individuals, but you must have a reasonable basis to identify who is affected.

The confidentiality incident register. Unlike PIPEDA's 24-month rolling breach record, Law 25 requires a permanent register — the Registre des incidents de confidentialité — covering all incidents, whether or not they meet the serious injury threshold. Each entry must include: the date the organization became aware of the incident; a brief description of the incident and its circumstances; the nature of the personal information involved; the approximate number of individuals affected; whether there was a risk of serious injury; and the steps taken to reduce risk and notify those affected. The CAI can audit the register at any time without prior notice.

Scope: extra-provincial reach. Law 25 applies to any enterprise that holds personal information about Quebec residents in the conduct of an enterprise in Quebec. A Toronto technology company serving Montreal clients processes those clients' personal information and is therefore subject to Law 25 obligations for that data — including the 72-hour CAI notification. A Vancouver retailer with an e-commerce platform selling to Quebec consumers must comply. National organizations operating across Canada must maintain parallel compliance programs for their Quebec data flows.

Overlap with PIPEDA. For most incidents involving Quebec residents, both PIPEDA and Law 25 apply simultaneously. In practice, the 72-hour CAI deadline drives the operational timeline. Privacy counsel across Quebec advise: file the CAI report within 72 hours, then file the OPC report referencing the CAI filing within the same period or shortly after. Both regulators prefer prompt, complete reporting to delayed, perfect reporting.

Notification Timelines: Federal vs. Quebec vs. GDPR at a Glance

Canadian businesses with international operations — or those whose data flows cross Canadian borders — often need to navigate multiple breach notification regimes simultaneously. The following table contrasts the three frameworks most relevant to Canadian organizations:

Note: The GDPR column is informational for Canadian businesses with EU customers. Quebec and the EU entered a mutual adequacy discussion in 2023 — Law 25's requirements were designed in part to achieve a GDPR-equivalent standard so that Quebec organizations could transfer data to and from the EU without additional mechanisms.

Who to Notify and in What Order

Breach response involves notifying multiple parties, often on overlapping timelines. Sequencing matters: notify in the wrong order and you risk a regulator finding out about your breach from the media before you file, which is a separate compliance problem. The correct order is:

1. Internal stakeholders first (within hours). The moment a potential breach is detected, the organization's Privacy Officer (or equivalent — under PIPEDA s. 10.1, every organization subject to PIPEDA must designate an accountable individual for privacy compliance) must be informed. The CEO or executive sponsor, general counsel or outside privacy counsel, and the IT security lead must all be looped in within the first hours. No external communication — including to affected individuals — should happen before legal counsel is engaged. Internal communications about the breach should be treated as potentially privileged.

2. Law enforcement, if appropriate (within 24 hours for active criminal threats). If the breach involves an ongoing criminal attack (ransomware, a network intruder still in the system), you may need to involve the RCMP or local police immediately — both to protect evidence for a potential criminal prosecution and because some cyber insurance policies require prompt reporting to law enforcement. Note: law enforcement notification does not substitute for regulator notification, and law enforcement occasionally requests a brief delay in individual notification if it would compromise an investigation (document any such request carefully).

3. Quebec: CAI within 72 hours (if Law 25 applies). If any affected individuals are Quebec residents and the incident presents a risk of serious injury, the CAI notification is the most time-critical regulatory obligation. File via cai.gouv.qc.ca using the online incident report form. Include as much information as you have at the 72-hour mark — a complete preliminary report is expected; a final comprehensive report can follow.

4. Federal: OPC as soon as feasible. File the OPC report via priv.gc.ca. If you have already filed with the CAI, reference that filing in the OPC report. Many organizations file both reports on the same day — the CAI 72-hour deadline effectively sets the pace for organizations subject to both regimes.

5. Affected individuals, simultaneously with OPC report. Direct, individual notification — by email, phone call, or physical letter — to each person whose information was involved. For large breaches (thousands of individuals), this is a logistical operation. Start drafting notification letters the moment the RRSH determination is made. Under Law 25, individual notification timing is "as soon as possible" rather than simultaneous — but best practice is to coordinate individual and regulatory notification closely.

6. Third-party processors, vendors, and insurers. Check all data processing agreements — PIPEDA and Law 25 both require organizations to impose breach notification obligations on their service providers. A cloud provider, payroll processor, or IT managed service provider that suffers a breach affecting your data must notify you promptly under their contract. Conversely, if you are the processor, check your contracts for notification obligations to the data controller. Notify your cyber insurer within the timelines specified in your policy — late notification is among the most common reasons for claim denial.

What Your Breach Notification Must Say

Both PIPEDA and Law 25 prescribe the minimum content of breach notifications. Getting the content wrong — by omitting required elements, using legalese that obscures the message, or providing misleading information — can result in regulatory enforcement even where the underlying breach response was otherwise adequate.

Under PIPEDA Regulations (ss. 10–13), the notification to individuals must include:

A description of the circumstances of the breach — what happened, how the breach occurred (without compromising an ongoing investigation or law enforcement request), and the approximate date or date range of the breach. Affected individuals are entitled to understand roughly what happened, not a forensic investigation report.

The type of personal information involved — not the specific data of that individual, but the categories: "financial account numbers," "health card numbers," "email addresses and passwords." Be specific enough to be useful; vague formulations like "certain personal information" do not satisfy the requirement.

The steps the organization has taken to reduce risk — what you did after discovering the breach (system isolation, password resets, patch deployment) and what you are doing going forward (enhanced monitoring, encryption deployment). This demonstrates organizational accountability.

The steps the individual can take — specific, actionable steps: place a fraud alert with Equifax or TransUnion Canada; change passwords; monitor banking statements; contact the Canada Revenue Agency if a SIN was involved; watch for phishing follow-up. Generic statements like "monitor your accounts" are insufficient.

The organization's contact information — a named individual or dedicated team, not a generic email inbox, with a phone number that will be answered during business hours for at least 30 days after the notification is sent.

Plain language requirement. The OPC has consistently found that notification letters written in legal or corporate communications style fail to adequately inform affected individuals. Write at a Grade 8 reading level. Lead with what happened, not with who you are as an organization. The subject line of the email notification should say "Important notice about your personal information" — not "Privacy policy update" or "Security communication."

Timing of the OPC report vs. individual notification. The OPC report (priv.gc.ca breach reporting form) requires largely the same information as the individual notification, plus organizational details, forensic findings to date, and the RRSH assessment. File both at the same time or as close as logistically possible. The OPC expects to be notified when you send individual notifications — not to learn about individual notifications from affected individuals calling the OPC directly.

The Breach Register: What Records You Must Keep

PIPEDA's breach record requirement — section 10.3 of the Act, implemented through SOR/2018-64 — is one of the most misunderstood compliance obligations in Canadian privacy law. It applies to all breaches, not just reportable ones, and the OPC can request access to these records at any time without the organization having committed any wrongdoing.

What must be recorded:

• A description of the circumstances of the breach
• The date or estimated date range of the breach
• The date the organization became aware of the breach
• The type of personal information involved
• The number of individuals affected (or an estimate)
• Whether the organization determined the breach posed RRSH and the reasoning behind that determination
• Whether the OPC was notified and, if so, the date of notification
• Whether affected individuals were notified and, if so, by what means and on what date
• The remediation steps taken

Retention period: 24 months from the date of the breach. After 24 months, the records may be destroyed — but organizations often retain them longer as part of their broader privacy audit documentation. The 24-month period applies per-breach, not from the date of the last entry in the register.

Under Quebec Law 25: The Registre des incidents de confidentialité has no sunset date. It is a permanent record of all confidentiality incidents — those that triggered CAI notification and those that did not. The CAI's implementing regulation specifies similar content to PIPEDA's breach record requirements, and the CAI explicitly has the authority to audit the register during any compliance review. A gap in the register — an incident that was detected but not entered — is treated as evidence of systemic compliance failure.

Practical implementation: A simple encrypted spreadsheet or a dedicated field in your IT ticketing system works for organizations with infrequent incidents. Larger organizations or those handling high volumes of personal information should implement a dedicated privacy incident management tool. The register should be owned by the Privacy Officer and reviewed at least quarterly to verify completeness. Some Canadian law firms offer a template register aligned to both PIPEDA and Law 25 requirements — the Canadian Bar Association's privacy law section has published guidance at cba.org.

Step-by-Step Breach Response Plan

The following 10-step plan reflects Canadian regulatory expectations under both PIPEDA and Law 25. Assign each step to a named role before you have an incident — not during one.

1. Contain immediately. Isolate affected systems — take the compromised device offline, revoke compromised credentials, block attacker IP addresses, disable affected integrations. Do not shut systems down in a way that destroys forensic evidence (volatile memory, log files). The goal of containment is to stop the bleeding, not to restore normal operations yet.
2. Activate your breach response team. Notify your Privacy Officer, IT lead, legal counsel, and executive sponsor within hours of initial detection. Assign a single incident commander who has authority to make decisions on notification timing, external communications, and resource allocation. Start a shared secure log of all response actions with timestamps.
3. Preserve evidence. Before reimaging, patching, or reconfiguring affected systems, preserve forensic evidence: take bit-for-bit disk images, export security logs, capture network flow data, screenshot any attacker messages or ransom notes, and document the chain of custody for all evidence. This evidence is essential both for your forensic investigation and for any subsequent regulatory or criminal proceeding.
4. Identify the scope. Engage a qualified forensic investigator to determine: what systems were affected, what data was accessed or exfiltrated, when the breach began, and how the attacker gained access. Do not guess at scope — regulatory notifications based on incorrect scope estimates require amendments that attract additional scrutiny.
5. Conduct the RRSH assessment. Apply the seven-factor test (see Section 3) to the personal information confirmed as involved. Document the assessment in writing, note the factors and their weight, and reach a clear determination: RRSH yes or no. If in doubt, err on the side of reporting — there is no penalty for reporting a breach that turns out to be below the RRSH threshold; there is significant risk for failing to report one that exceeded it.
6. Notify the CAI (72 hours — if Law 25 applies). If any affected individuals are Quebec residents and the serious injury threshold is met, the CAI notification must be filed within 72 hours of the determination. Use the CAI online portal at cai.gouv.qc.ca. Submit whatever facts you have at the 72-hour mark; a supplementary report can follow as your investigation matures.
7. Notify the OPC (as soon as feasible). File the federal breach report via priv.gc.ca. Reference any CAI filing. Coordinate the OPC filing with the individual notification so they go out on the same day.
8. Notify affected individuals. Send individual notifications that meet the PIPEDA and Law 25 content requirements (Section 7). For large groups, prepare a communications plan — dedicated breach response phone line, FAQ document, email template. Notify individuals before any public announcement, unless law enforcement prohibits it.
9. Document in your breach register. Enter the incident in your PIPEDA breach record and, if applicable, your Law 25 confidentiality incident register. Even if the breach did not meet the RRSH threshold, it must be recorded. Include the RRSH assessment, its conclusion, and the reasons.
10. Remediate and conduct a post-incident review. Deploy patches, reset credentials, implement additional controls (MFA, encryption, segmentation). Conduct a formal post-incident review within 30 days: what failed, what worked, what needs to change. Update your breach response plan. If your current IT provider did not detect the breach promptly, evaluate whether the relationship needs to change.

The 10-step plan is not a one-time exercise. Run a tabletop simulation annually — a 90-minute facilitated exercise where you walk through a hypothetical breach scenario — to test whether your team can execute under pressure. The Canadian Centre for Cyber Security (cyber.gc.ca) publishes free tabletop exercise guides that are directly usable by small businesses.

What a Breach Costs a Canadian SMB

IBM's annual Cost of a Data Breach report (2025 edition) placed Canada's average breach cost at $6.07 million CAD across all company sizes — but that figure is heavily skewed by enterprise incidents. For Canadian SMBs with 50 to 500 employees, the realistic cost picture looks materially different and is worth understanding before a board decides what privacy compliance investment is warranted.

Cyber insurance — available from most major Canadian insurers including Intact, Aviva, and Chubb Canada — typically covers forensics, legal fees, notification costs, and some business interruption. Premiums for SMBs run $2,000 to $15,000 annually depending on revenue and the sensitivity of data held. The underwriting process itself is a useful compliance exercise: insurers now ask detailed questions about MFA deployment, backup practices, endpoint protection, and employee training that mirror the security safeguard expectations under PIPEDA and Law 25.

Common Mistakes That Trigger Regulatory Action

The OPC's annual reports on breaches received and the CAI's enforcement decisions since Law 25's breach provisions came into effect share a consistent set of failure patterns. These are the mistakes most likely to convert a manageable breach into a regulatory investigation:

1. Conducting a superficial or undocumented RRSH assessment. Organizations that say "we decided there was no significant harm" without a written, factor-by-factor analysis are in a weak position when the OPC or CAI asks how that decision was made. The assessment must be written, dated, and signed by an accountable person. It must engage each of the regulatory factors, not just the ones that point toward "no RRSH."

2. Notifying individuals but not the regulator (or vice versa). PIPEDA requires both simultaneously. Organizations that notify the OPC but delay individual notification, or that notify individuals and forget the OPC report, have committed a separate compliance failure on top of the breach itself. Both channels must be activated at the same time.

3. Missing the Law 25 72-hour deadline because the PIPEDA "as soon as feasible" standard felt more comfortable. For organizations subject to both regimes, the 72-hour CAI clock is the operative deadline. Organizations that apply the flexible PIPEDA standard to their Quebec obligations consistently miss the Law 25 deadline and face CAI enforcement without having violated PIPEDA at all.

4. Failing to maintain breach records for non-reportable incidents. The OPC regularly finds in investigations that organizations have no records of past incidents because they concluded the incidents were below the RRSH threshold and therefore not worth documenting. This is wrong. Every breach — regardless of RRSH assessment outcome — must be in the 24-month breach record.

5. Using a notification letter that is legally protective rather than actually informative. Letters written to protect the organization — emphasizing what the organization did right, burying the description of what happened, and providing vague recommended actions — frequently result in OPC findings that individual notification was inadequate. The notification letter is for the affected individual, not for the organization's legal defense file.

6. Failing to notify vendors and processors of their own breach obligations. If your cloud HR provider suffers a breach of your employee data, PIPEDA requires them to notify you promptly — and you are still the accountable organization for notifying affected individuals and regulators. Review your contracts now: do they contain breach notification provisions consistent with PIPEDA and Law 25 timelines? Many pre-2018 contracts do not.

7. Delaying notification because the investigation is not "complete." Regulators do not expect a completed forensic investigation before receiving a breach report. They expect a good-faith report with the facts known at the time, followed by supplementary updates as the investigation matures. Organizations that wait for a final forensic report before filing routinely miss the 72-hour CAI deadline and the OPC's "as soon as feasible" standard.

Case Study: Montréal Professional Services Firm (Anonymized)

The following case is drawn from a composite of incidents handled by Canadian privacy counsel and IT response firms in 2024–2025. Details are anonymized to protect client confidentiality.

The incident. A 22-person accounting firm based in Montréal suffered a ransomware attack on a Tuesday evening. The attacker gained access via an internet-facing RDP port left open from a pandemic-era remote work setup that was never closed. By the time the firm's IT consultant detected the attack the following morning, the attacker had been in the environment for approximately 11 hours, had encrypted all network shares, and — based on evidence later confirmed by forensic investigation — had exfiltrated approximately 800 client files. Those files included tax returns, financial statements, and supporting documents containing SIN numbers, banking details, and business income information for 800 client individuals and small businesses.

The RRSH and serious injury assessments. The firm's privacy counsel conducted the RRSH assessment the same day the attack was discovered. The conclusion was unambiguous: 800 SIN numbers combined with banking and financial data, in the hands of a known ransomware-as-a-service group that routinely sells exfiltrated data, clearly met the RRSH and serious injury thresholds. Both the CAI (72-hour Law 25 deadline) and the OPC (PIPEDA) notifications were required.

The response timeline. Hour 0: Discovery. Hours 2–4: containment and legal counsel engagement. Hour 6: forensic firm engaged. Hour 18: preliminary forensic report confirming exfiltration scope. Hour 24: RRSH and serious injury assessments completed and documented. Hour 48: CAI preliminary notification filed; OPC report filed. Hour 60: individual notification emails sent to all 800 affected clients, with a dedicated toll-free number staffed by a privacy incident firm. Hour 72: public statement on firm website (not replacing individual notification — supplementing it for clients whose email addresses had changed).

The costs. Forensic investigation: $38,000. Privacy counsel fees: $67,000 (initial response plus three months of regulatory correspondence). Individual notification and call centre: $22,000. System rebuild and security upgrades — including MFA deployment, encrypted backup implementation, and endpoint detection — handled by a qualified IT service provider: approximately $45,000. No ransom was paid. Cyber insurance covered the forensic and notification costs under an existing policy. Total direct cost: approximately $172,000. No regulatory fine was issued, because the firm's response — prompt reporting, complete individual notification, and thorough breach register entry — demonstrated the compliance posture that regulators reward.

The key lesson. The firm's prior IT setup had no MFA on the RDP server, no offsite backup, and no breach response plan. The post-incident remediation cost more than five years of proactive security investment would have. When the firm subsequently retained IT Cares for breach-ready managed IT, endpoint protection, and encrypted backup, the annual cost was under $12,000 — a fraction of what the breach cost in its first 90 days.

Breach Notification Readiness Checklist

Use this checklist to assess your organization's readiness before an incident occurs. Every "no" is a gap that costs more to fix during a breach than before one.

• ✅ Privacy Officer designated — a named individual (not a committee or a role without a name) with authority to make breach notification decisions, listed in writing as the accountable person under PIPEDA
• ✅ Breach response plan documented — a written plan that specifies: who does what, in what order, with what tools, when a breach is detected; reviewed and tested within the past 12 months
• ✅ RRSH assessment template ready — a fillable form that walks through all seven PIPEDA RRSH factors so the assessment can be completed under time pressure without missing a factor
• ✅ CAI and OPC contact information accessible offline — cai.gouv.qc.ca report form link and priv.gc.ca breach report form link saved in a printed incident response binder; online portals should not be the only way to reach regulators during a breach
• ✅ Breach register established — a secure, access-controlled record (spreadsheet or system) for documenting all breaches per PIPEDA s. 10.3 and Law 25 Registre requirements; current with all incidents from the past 24 months
• ✅ Qualified forensic responder identified — a pre-arranged relationship with a Canadian IT incident response or digital forensics firm that can be engaged within hours; do not try to find one during a live incident
• ✅ Privacy counsel retained — an outside law firm with privacy expertise identified and a standing engagement letter in place; the first hours of a serious breach require immediate legal advice on notification obligations
• ✅ Cyber insurance active — a current policy covering forensics, legal fees, notification costs, and business interruption; policy reviewed within the past 12 months to confirm coverage is adequate for current data volumes
• ✅ Staff trained on internal breach reporting — employees know how to recognize and report a potential breach (phishing, suspicious access, lost device) to the Privacy Officer without delay; training documented in HR records
• ✅ Vendor contracts reviewed — all data processing agreements with cloud providers, payroll processors, and IT vendors contain breach notification obligations consistent with Law 25 (72-hour) and PIPEDA timelines
• ✅ Notification letter template drafted — a plain-language template for notifying affected individuals, reviewed by privacy counsel, ready to be adapted and sent; not drafted from scratch during a breach
• ✅ Tabletop exercise completed — a facilitated simulation of a breach scenario conducted in the past 12 months; gaps identified and addressed; using Canadian Centre for Cyber Security (cyber.gc.ca) guidance

Related Privacy and Compliance Guides

Canada's breach notification rules sit within a broader privacy compliance framework. These guides cover the adjacent obligations every Canadian business should have in place:

• Law 25 for Small Business: What You Actually Have to Do (2026) — the full list of Law 25 obligations, from privacy officer designation to privacy impact assessments
• PIPEDA Compliance Checklist for Small Business (2026) — the ten principles, accountability requirements, and what auditors actually look for
• Quebec Law 25 Penalties and Fines: What Small Businesses Risk (2026) — CAI enforcement cases, fine calculations, and penalty mitigation strategies
• Small Business Cybersecurity Incident Response Checklist (Canada, 2026) — the technical side of incident response: containment, evidence preservation, recovery
• Ransomware Protection for Small Business: A 2026 Playbook — prevention controls and the first-hour response if ransomware strikes
• Recovering Data After Ransomware (First-Hour Guide, 2026) — backup recovery, data integrity verification, and when professional data recovery is needed
• Data Residency in Canada: When Your Data Must Stay Home (2026) — cloud provider selection, cross-border data transfer rules, and Law 25 residency requirements

Frequently Asked Questions