
Law 25 data breach notification


Under Law 25, organizations must report a confidentiality incident to the Commission d'accès à l'information (CAI) and to affected individuals when the incident presents a risk of serious injury, and must keep a register of all confidentiality incidents. Notification must occur with diligence once that risk is identified. A confidentiality incident includes unauthorized access, use, disclosure, or loss of personal information, so the duty extends well beyond classic hacking scenarios.

What counts as a confidentiality incident

Law 25 uses the term confidentiality incident rather than data breach, and it is defined broadly. It includes:

- access to personal information that is not authorized by law
- use of personal information that is not authorized by law
- communication (disclosure) of personal information that is not authorized by law
- loss of personal information, or any other breach of the protection of that information

This broad definition means many everyday events can qualify, not just sophisticated cyberattacks. A misdirected email containing client data or a ransomware infection that encrypts personal files both fall within scope, which is why every organization needs a clear process to assess incidents quickly.

The risk of serious injury threshold

Not every confidentiality incident must be reported to the CAI and individuals, but every one must be logged. The trigger for notification is whether the incident presents a risk of serious injury. To assess this, organizations consider factors such as the sensitivity of the information involved, the anticipated consequences of its misuse, and the likelihood that it will be used for a harmful purpose.

Serious injury can include bodily, material, or moral harm, for example identity theft, financial loss, humiliation, or damage to reputation. The assessment must be made promptly and documented. Because the threshold involves judgement, organizations benefit from a predefined assessment process so that, under the pressure of an actual incident, the decision to notify is consistent, defensible, and made without unnecessary delay.

Notification steps and the incident register

When a confidentiality incident presents a risk of serious injury, the organization must take several steps:

- assess the risk of serious injury promptly, using the factors above, and document the assessment
- take reasonable measures to contain the incident and reduce the risk of injury to the people concerned
- notify the Commission d'accès à l'information (CAI) with diligence
- notify each affected individual with diligence
- record the incident, the assessment, and the notifications made in the register of confidentiality incidents

The register must capture every confidentiality incident, including those that do not meet the reporting threshold. Maintaining this log is itself a legal obligation and demonstrates that the organization monitors and manages incidents systematically rather than ad hoc.

Preparing your breach-response capability

Meeting the notification obligation depends entirely on being able to detect and scope an incident quickly. You cannot report what you cannot see, so the technical foundation (logging, monitoring, endpoint protection, and tested backups) is what makes timely notification possible. Without it, an organization may not realize a breach occurred until long after the fact, and may be unable to establish which individuals and which data were affected.

A practical breach-response capability combines technology and process: detection and alerting to spot incidents, a written response plan defining who assesses risk and who notifies the CAI and individuals, and rehearsed steps so the team acts decisively under pressure. A managed IT and cybersecurity partner can provide the monitoring and detection layer and help maintain the response plan and incident register, so that when an incident occurs your organization can investigate, contain, and report it with the diligence Law 25 expects rather than scrambling after the fact.

FAQ

When must I report a breach under Law 25?

You must notify the CAI and affected individuals when a confidentiality incident presents a risk of serious injury, and you must do so with diligence once that risk is identified. All confidentiality incidents, even minor ones, must also be recorded in your incident register regardless of whether they meet the reporting threshold.

What is a confidentiality incident?

A confidentiality incident is any unauthorized access, use, or disclosure of personal information, or the loss of personal information. This is broader than a typical hacking breach and includes events like misdirected emails, lost devices, and ransomware, so organizations must assess each one against the serious-injury threshold.

Do I have to keep a record of every incident?

Yes. Law 25 requires organizations to maintain a register of confidentiality incidents that captures every incident, not only those reported to the CAI. The Commission can request this register, so maintaining it accurately is itself a compliance obligation and evidence of a functioning privacy program.
