
How to Report a Data Breach in Quebec (Law 25 Step-by-Step)

When a breach happens, the clock starts. Law 25 requires you to act, to notify the regulator and affected people when there is a risk of serious injury, and to keep a register. Here is the process, step by step. See the full Quebec Law 25 & PIPEDA guide, or Law 25 for small business. Want it handled? IT Cares provides incident response and data recovery when a breach hits.

Step 1 — contain and assess

Stop the exposure (reset credentials, isolate systems), then assess what data was involved, how many people are affected, and whether there is a “risk of serious injury” (identity theft, fraud, humiliation, damage to reputation).

Step 2 — notify when risk is serious

If there is a risk of serious injury, notify the Commission d’accès à l’information (CAI) and the affected individuals promptly. The notice must describe the breach, the data involved, and what you and they should do.

Step 3 — keep a breach register

Law 25 requires a register of all confidentiality incidents, even minor ones. Record date, nature, data involved, assessment and actions taken. The CAI can ask to see it.

Action checklist

FAQ

Who do I notify after a data breach in Quebec?

If the breach poses a risk of serious injury, notify the Commission d'accès à l'information (CAI) and the affected individuals promptly. All incidents must be recorded in your breach register regardless of severity.

Do I have to report every data breach in Quebec?

You must record every confidentiality incident in a register, but external notification (CAI and individuals) is required when there is a risk of serious injury. Containing and assessing first tells you which applies.
