Breach Response

What to Do After a Data Breach in Canada

Your legal obligations and the forensic steps that protect your organization.

After a data breach in Canada, organizations must report to the Office of the Privacy Commissioner under PIPEDA, notify affected individuals if there is a real risk of significant harm, maintain records of every breach for at least 24 months and preserve digital evidence for forensic investigation. Failure to comply can result in fines of up to $100,000 CAD per violation.

A data breach triggers immediate legal obligations under Canadian federal and provincial privacy legislation. Acting quickly and methodically protects your organization from regulatory penalties, civil litigation and further compromise. This guide covers the steps you must take from the moment a breach is discovered.

Response Steps

Immediate Actions After a Breach

1. Contain the Breach

The first priority is to stop the breach from continuing. Isolate affected systems, revoke compromised credentials, block malicious IP addresses and close exploited access points. Do not power off or wipe systems, as doing so destroys volatile forensic evidence such as memory contents and active connections. Containment actions should be documented with timestamps so they can be included in your breach report and any subsequent legal proceedings.

2. Preserve Evidence

Engage a digital forensics team to capture volatile evidence before it is lost. This includes memory dumps, running process lists, active network connections, log files and disk images. Chain of custody must be maintained from the moment evidence is collected. Forensic evidence may be needed for regulatory investigations, insurance claims, civil litigation or criminal prosecution. Sherlock Forensics provides court-admissible evidence collection following established forensic standards.
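The chain-of-custody requirement above is easier to meet when the record of who collected what, and when, is itself tamper-evident. The following is an added example, not code from this page or from Sherlock Forensics, showing one way to do that: each artifact is fingerprinted with SHA-256 at collection, each log entry is hashed together with the previous entry's hash, and both the artifacts and the log can be re-verified later. The artifact contents, handler names and timestamps are constructed for illustration.

```python
"""Tamper-evident chain-of-custody log for preserved breach evidence (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


def sha256_bytes(data: bytes) -> str:
    """Fingerprint an artifact's raw bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int                 # 1-based position in the log
    artifact: str            # e.g. "memory.dmp", "auth.log"
    artifact_sha256: str     # fingerprint of the artifact at the time of this action
    action: str              # "collected", "transferred" or "verified"
    handler: str             # person or team performing the action
    timestamp_utc: str       # ISO-8601, UTC
    prev_entry_hash: str     # links this entry to the one before it
    entry_hash: str = ""     # hash over all fields above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")           # the hash covers every other field
        return sha256_bytes(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    GENESIS = "0" * 64               # prev_entry_hash of the first entry

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, artifact: str, data: bytes, action: str, handler: str,
               when: Optional[datetime] = None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries) + 1, artifact, sha256_bytes(data),
                             action, handler, when.isoformat(), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if no entry was edited, removed or reordered after the fact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_entry_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_artifact(self, artifact: str, data: bytes) -> bool:
        """True if the artifact still matches the fingerprint taken at collection."""
        first = next((e for e in self.entries
                      if e.artifact == artifact and e.action == "collected"), None)
        return first is not None and first.artifact_sha256 == sha256_bytes(data)


# Constructed sample artifacts standing in for real volatile captures.
SAMPLE_ARTIFACTS = {
    "memory.dmp": b"\x00\x01\x02 constructed memory image \x03",
    "netstat.txt": b"tcp 10.0.0.5:443 203.0.113.9:51822 ESTABLISHED\n",
    "auth.log": b"Jan 1 03:14:07 web01 sshd[1201]: Accepted password for svc from 198.51.100.4\n",
}


def build_sample_log() -> CustodyLog:
    """Collect the sample artifacts, then hand one of them to a second examiner."""
    log = CustodyLog()
    t0 = datetime(2024, 1, 1, 3, 30, tzinfo=timezone.utc)
    log.record("memory.dmp", SAMPLE_ARTIFACTS["memory.dmp"], "collected", "examiner A", t0)
    log.record("netstat.txt", SAMPLE_ARTIFACTS["netstat.txt"], "collected", "examiner A", t0)
    log.record("auth.log", SAMPLE_ARTIFACTS["auth.log"], "collected", "examiner A", t0)
    log.record("auth.log", SAMPLE_ARTIFACTS["auth.log"], "transferred", "examiner B",
               datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    custody = build_sample_log()
    for entry in custody.entries:
        print(entry.seq, entry.action, entry.artifact, entry.handler, entry.entry_hash[:12])
    print("chain intact:", custody.verify_chain())
```

The log is a plain list of JSON-serializable records, so it can be exported alongside the evidence; an examiner re-running `verify_chain()` and `verify_artifact()` on the exported copy can show that neither the artifacts nor the custody history changed between collection and presentation.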

3. Assess the Scope

Determine what data was compromised, how many individuals are affected, what systems were accessed and how the breach occurred. This assessment drives your notification obligations. Under PIPEDA, you must determine whether the breach creates a "real risk of significant harm" to affected individuals. Factors include the sensitivity of the data involved, the likelihood of misuse and the number of individuals affected.

4. Report to the Privacy Commissioner

If the breach creates a real risk of significant harm, you must report it to the Office of the Privacy Commissioner of Canada (OPC). The report must include a description of the breach, the type of personal information involved, the number of individuals affected, the steps taken to reduce harm and your contact information. PIPEDA requires reporting "as soon as feasible" after determining a breach has occurred. Best practice is to report within 72 hours of confirmed discovery.

5. Notify Affected Individuals

When a breach poses a real risk of significant harm to individuals, you must notify them directly. Notifications must include a description of the breach, the type of personal information involved, the steps the organization is taking to reduce harm, steps individuals can take to protect themselves and contact information for someone who can answer questions. Notification must be conspicuous and delivered directly to the affected individuals unless direct notification would cause further harm.

6. Notify Third Parties

In some cases you may be required to notify other organizations that can help reduce the risk of harm. This may include law enforcement, credit bureaus, payment processors or regulatory bodies beyond the OPC. If the breach involves provincially regulated data in Alberta, British Columbia or Quebec, you may have additional notification obligations under provincial privacy legislation such as BC PIPA or Alberta PIPA.

7. Maintain Breach Records

PIPEDA requires organizations to maintain records of every breach of security safeguards involving personal information regardless of whether the breach triggered reporting obligations. Records must be maintained for at least 24 months and must be available for inspection by the Privacy Commissioner on request. Records should include the date of the breach, a description of the circumstances, the personal information involved, the risk assessment and the actions taken in response.

Compliance

PIPEDA Penalties for Non-Compliance

| Violation                                               | Penalty                          |
|---------------------------------------------------------|----------------------------------|
| Failure to report a breach to the OPC                   | Up to $100,000 CAD per violation |
| Failure to notify affected individuals                  | Up to $100,000 CAD per violation |
| Failure to maintain breach records                      | Up to $100,000 CAD per violation |
| Intentional obstruction of a Commissioner investigation | Up to $100,000 CAD per violation |

Frequently Asked Questions

Data Breach Response FAQs

Is breach reporting mandatory in Canada?

Yes. Under PIPEDA, organizations must report any breach of security safeguards involving personal information if it is reasonable to believe the breach creates a real risk of significant harm to individuals. Reports must be made to the Office of the Privacy Commissioner of Canada, and affected individuals must be notified.

What are the penalties for not reporting a data breach in Canada?

Failure to report a breach, notify affected individuals or maintain breach records under PIPEDA can result in fines of up to $100,000 CAD per violation. Organizations may also face reputational damage, civil litigation and regulatory scrutiny from the Office of the Privacy Commissioner.

How quickly must we report a data breach in Canada?

PIPEDA requires that breach reports be made to the Privacy Commissioner as soon as feasible after determining that a breach has occurred. While PIPEDA does not specify a fixed deadline, organizations should aim to report within 72 hours of confirmed breach discovery. Provincial privacy laws may impose stricter timelines.


Need immediate breach response?

Our forensics team is available for emergency engagements across Canada.


Experiencing a Breach Right Now?

Call us immediately. We provide emergency breach response with forensic evidence preservation and regulatory compliance guidance.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada