New Rules for Privacy Breach Reporting

Danny Timmins is MNP’s National Cyber Security Leader

As of November 1, 2018, Canadian organizations are subject to new rules for compulsory breach reporting for cyber security incidents. Below is an FAQ of what you need to know.

What is changing?

An amendment to the Digital Privacy Act (DPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) – Breach of Security Safeguards Regulations requires all Canadian organizations to report to both federal regulators and the individual affected parties data breaches that causes a “real risk of significant harm.”

Who does this apply to?

The DPA and PIPEDA specifically applies to all organizations which collect, use or disclose personal information as part of their commercial activity in Canada. However, the regulations also apply broadly for all Canadian organizations in general, including small businesses.

New Breach Reporting Responsibilities

When an organization experiences a security breach that may lead to “real risk of significant harm,” their obligations will include:


Performing a formal risk assessment to determine whether (and the degree to which) the breach presents “real risk of significant harm.”


Notifying all affected clients with a description of the breach and its circumstances, including:

  • The approximate timeline for when the breach occurred
  • The personal information compromised or at risk
  • Steps taken to reduce further harm
  • Steps for the individual to mitigate or prevent further harm
  • The organization’s primary contact for follow-up or further information.


Notifying the Canadian Privacy Commissionaire of the circumstances and cause (if known) of the breach, including:

  • When the breach occurred
  • What personal information is at risk
  • The number of affected individuals
  • Steps taken to reduce further harm
  • How the organization will contact affected individuals
  • The organization’s primary contact for follow-up.


Maintaining a record of the breach for a minimum of 24 months.


Meeting Digital Privacy Act regulations and keeping attestation documents verifying compliance readily accessible.

What is ‘significant harm’?

Organizations need to consider more than just the potential for identity theft when determining what constitutes significant harm. It’s also important to think about the nature and sensitivity of the information and likelihood that attackers may be to able to misuse it. Considerations for breeched data include:

  • Could this information humiliate the affected party?
  • Could the breach result in damage to an individual’s reputation or relationships?
  • Could an individual lose their job or future opportunities?
  • Is there potential for financial damages to the individual(s)?
  • Might the breach result in a loss of or damage to property?

When determining the likelihood of a breach to cause ‘significant harm,’ the government does not distinguish between encrypted and non-encrypted information. The assumption should be that encrypted information will be accessed.

What are my risks?

Cyber threats pose significant financial and reputational risks to your organization. These new reporting requirements — which include fines of up to $100,000 — make answering the following questions even more critical for the safety of your operations, employees and customers.

  • Are you prepared to respond to a data breach (i.e., do you have a process to contain the incident, analyze the impact and outlining steps to achieve full remediation)?
  • Do you have clear protocols outlining when to report a breach and what information to communicate?
  • Are your existing cyber security controls and technology sufficient to limit exposure to a cyber security breach and attack?
  • If you do business in Europe, do your cyber security protocols and technology comply with the EU's General Data Protection Regulation (GDPR)?

All Canadian organizations should consider whether they are prepared to meet this new standard. Key readiness measures include: developing a breach response plan, employee training, compliance auditing, establishing limits and rules on data collection and creating an inventory of the personal data that is collected.

As a leading national cyber security services provider, MNP is well equipped to help organizations prepare for this transition. Whether you’re concerned about your resilience to a cyber security threat or need to revise your incident response guidelines to align with new regulations, our team can help you assess, prioritize and implement a practical and effective information security program. Contact Danny Timmins, National Leader, Cyber Security, to learn more.


of Canadian businesses report “significant” levels of change in their organization from cybersecurity, privacy and data ethics activity – MNP Leaders Survey