The mandatory breach reporting provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) have been in force since November 2018. Every year the Office of the Privacy Commissioner of Canada publishes aggregate numbers on how many breach reports it receives, and the share of those that involve unauthorized access (the polite phrasing for "we got hacked") keeps rising. BC organisations have a parallel obligation under the BC Personal Information Protection Act (PIPA). The two regimes overlap but are not identical, and the decision tree in the first 72 hours has to account for both.

This article is not legal advice. Breach counsel engaged through your cyber insurer is the correct first call once you suspect a reportable breach. What follows is the operational playbook that runs alongside that legal work.

What PIPEDA Actually Requires

Three things are triggered by a "breach of security safeguards" involving personal information under an organisation's control:

  1. Report to the Privacy Commissioner as soon as feasible, if the breach creates a real risk of significant harm (RROSH) to an individual.
  2. Notify affected individuals as soon as feasible, under the same RROSH test, unless doing so would interfere with an investigation.
  3. Keep a record of every breach of security safeguards for 24 months, whether or not it was reportable. This is section 10.3 of the Act.

The full text of the breach reporting regulations sits at priv.gc.ca and is worth reading in full at least once.

The 72-Hour Playbook

Hours 0 to 12

Contain, preserve, engage counsel

Containment is the same as any cyber incident: isolate affected systems, preserve evidence, stop the bleeding. In parallel, open a file with breach counsel. Everything you document from here should be done under privilege where possible, which is why insurer-appointed counsel matters. Start the breach log (dates, times, who did what, what was found).

Hours 12 to 36

Scope what personal information was affected

List the types of personal information involved: names, emails, phone numbers, government-issued identifiers, financial account numbers, health information, employment records, login credentials, biometric data. For each, identify how many individuals and what jurisdictions they are in. The mix of data types is what drives the RROSH assessment.

Pay attention to the difference between "was accessed" and "was exfiltrated". An attacker who could have accessed a file is treated differently from one who demonstrably copied it.

Hours 36 to 60

Apply the real risk of significant harm test

PIPEDA directs you to weigh two factors: the sensitivity of the information, and the probability it will be misused. The Privacy Commissioner's guidance lists examples of each. Some patterns are almost always RROSH:

  • Social Insurance Numbers, passport numbers, or government IDs exfiltrated.
  • Financial account numbers, credit card data, or online banking credentials exposed.
  • Health information disclosed outside permitted uses.
  • Login credentials with no MFA, reused against other services.

Some patterns often do not meet the threshold on their own: business contact information in a publicly available directory, encrypted data where keys were not compromised, access logs without identifiers. Document your reasoning in either direction.

Hours 60 to 72

Notify the Privacy Commissioner (if RROSH met)

The OPC has a structured report form. It asks for the date the breach was discovered, a description of the circumstances, the personal information involved, the estimated number of affected individuals, the steps taken, and the plans for individual notification. File it electronically at priv.gc.ca.

The form permits supplemental filings as the investigation progresses. It is better to file a complete-but-evolving first report at hour 72 than to wait for full forensic scoping at week six.

Notifying Affected Individuals

Individual notification must be direct (email, letter, phone) in most cases. Indirect notification (public posting) is allowed only where direct contact is impossible or would cause further harm. The notification must include:

  • A description of the breach and its circumstances.
  • The date or period when it occurred.
  • The personal information involved, in terms the reader can understand.
  • The steps the organisation has taken in response.
  • The steps the individual can take to reduce their risk (credit monitoring offers, password rotation, phishing awareness).
  • Contact information for questions.

The communication should be clear, not legalistic. A confusing notice generates more complaints than the breach itself.

The BC PIPA Parallel Track

If the affected personal information is under the control of a BC-jurisdiction organisation (provincially regulated, not federally regulated), the BC Personal Information Protection Act applies alongside or instead of PIPEDA. PIPA was amended in 2024 to introduce mandatory breach notification to the BC Information and Privacy Commissioner and to affected individuals where there is a real risk of significant harm. The substantive test is similar to PIPEDA but the regulator and the reporting channel differ.

For organisations that handle personal information about residents of both BC and other provinces, expect to file in both places.

What Goes in the Breach Record

Section 10.3 requires you to keep a record for 24 months whether or not the breach was reportable. A sufficient record, based on OPC guidance, includes:

  • Date or estimated date of the breach.
  • A general description of the circumstances.
  • The nature of the personal information involved.
  • Whether the breach was reported to the Privacy Commissioner and individuals, and if not, why not.

A simple breach register spreadsheet, maintained by the privacy officer, satisfies this. The OPC can request these records during a later investigation, and having them organised is itself a strong indicator of reasonable safeguards.
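The RROSH weighing in the "Hours 36 to 60" step and the section 10.3 record fields above can be encoded as a small triage helper so that the reasoning is written down in either direction and the 24-month retention date is computed rather than remembered. The following Python is an added example for this article, not an OPC tool and not Hexafusion's code; the category labels, the scoring rules, the field names, and the choice to count retention from the date the breach was determined to have occurred are this example's own assumptions, and an unresolved result is deliberately returned as `None` so that counsel, not the script, makes the call.

```python
"""Preliminary RROSH triage and section 10.3 breach-record helper (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed category labels. The first set mirrors the article's "almost always
# RROSH" patterns; the second its "often not on their own" patterns.
HIGH_SENSITIVITY = {"sin", "passport", "government_id", "financial_account",
                    "credit_card", "banking_credentials", "health"}
LOW_SENSITIVITY = {"business_contact", "access_logs_no_identifiers"}
RETENTION_MONTHS = 24  # section 10.3 record-keeping period


@dataclass
class BreachFacts:
    data_types: List[str]                # e.g. ["sin", "email"]
    individuals: int
    exfiltrated: bool                    # demonstrably copied, not merely accessible
    encrypted: bool = False
    keys_compromised: bool = False
    credentials_without_mfa: bool = False
    credentials_reusable: bool = False   # same credentials usable against other services


@dataclass
class Assessment:
    rrosh: Optional[bool]                # None = unresolved, escalate to breach counsel
    reasons: List[str]


def assess_rrosh(f: BreachFacts) -> Assessment:
    """Weigh sensitivity against probability of misuse; always return the reasons."""
    types = {t.lower() for t in f.data_types}
    # Encrypted data whose keys stayed safe: probability of misuse is low.
    if f.encrypted and not f.keys_compromised:
        return Assessment(False, ["data encrypted and keys not compromised"])
    sensitive = types & HIGH_SENSITIVITY
    # Login credentials with no MFA that can be reused elsewhere count as sensitive.
    if f.credentials_without_mfa and f.credentials_reusable:
        sensitive.add("login_credentials_no_mfa")
    if not sensitive:
        benign = sorted(types & LOW_SENSITIVITY)
        note = f" (only: {', '.join(benign)})" if benign else ""
        return Assessment(False, ["no high-sensitivity categories involved" + note])
    reasons = [f"sensitive categories: {', '.join(sorted(sensitive))}"]
    # "Was accessed" and "was exfiltrated" are treated differently.
    if f.exfiltrated:
        reasons.append("data demonstrably exfiltrated: probability of misuse high")
        return Assessment(True, reasons)
    reasons.append("access possible but exfiltration not established: unresolved")
    return Assessment(None, reasons)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day for shorter months."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class BreachRecord:
    breach_date: date                    # date or estimated date of the breach
    determined_on: date                  # assumption: retention clock starts here
    circumstances: str                   # general description
    information_involved: str            # nature of the personal information
    reported_to_opc: bool
    individuals_notified: bool
    reason_not_reported: Optional[str]   # required when not reported or notified

    def retention_ends(self) -> date:
        return add_months(self.determined_on, RETENTION_MONTHS)

    def validate(self) -> List[str]:
        """Return the list of missing record elements (empty means sufficient)."""
        problems = []
        if not self.circumstances.strip():
            problems.append("general description of circumstances missing")
        if not self.information_involved.strip():
            problems.append("nature of personal information missing")
        if not (self.reported_to_opc and self.individuals_notified) and not self.reason_not_reported:
            problems.append("must record why the breach was not reported or notified")
        return problems


def make_record(breach_date: date, determined_on: date, circumstances: str,
                information: str, assessment: Assessment,
                reported_to_opc: bool, individuals_notified: bool) -> BreachRecord:
    """Build a record, carrying the RROSH reasoning into the 'why not' field."""
    reason = None
    if not (reported_to_opc and individuals_notified):
        reason = f"rrosh={assessment.rrosh}: " + "; ".join(assessment.reasons)
    return BreachRecord(breach_date, determined_on, circumstances, information,
                        reported_to_opc, individuals_notified, reason)


def still_retained(register: List[BreachRecord], today: date) -> List[BreachRecord]:
    """Records the organisation must still be able to produce on request."""
    return [r for r in register if r.retention_ends() >= today]


if __name__ == "__main__":
    # Constructed sample incident: a stolen laptop holding names and SINs.
    facts = BreachFacts(["sin", "email"], individuals=120, exfiltrated=True)
    result = assess_rrosh(facts)
    rec = make_record(date(2024, 5, 1), date(2024, 5, 3), "laptop stolen from vehicle",
                      "names, emails, SINs", result, True, True)
    print(result, rec.validate(), rec.retention_ends())
```

Run it as a script to see the sample walkthrough, or import `assess_rrosh` and `make_record` into the privacy officer's register tooling. The point of returning reasons with every verdict is that the article's instruction to "document your reasoning in either direction" becomes impossible to skip.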

Sector-specific and contractual obligations may be faster. Health information custodians, federally regulated financial institutions, FINTRAC reporting entities, and many enterprise customer contracts specify notification windows as short as 24 hours. PIPEDA sets a floor, not a ceiling. See our compliance by industry guide for a sector-by-sector view.

Penalties and Enforcement

PIPEDA contemplates administrative monetary penalties up to statutory maximums for failure to report, failure to notify, or failure to maintain records. Beyond penalties, failure to report that becomes public later is a reputational issue on top of the original breach. The cases where organisations get into the deepest trouble are almost always ones where notification was delayed or avoided.

Prevention and Preparation

The organisations that handle breaches well are those that rehearsed. A 90-minute tabletop exercise with legal, IT, communications, and an executive sponsor pays for itself the first time a real incident happens. The output is a tested decision tree, known contacts, and muscle memory for the sequence above.

Build a Breach-Ready IT Environment

Hexafusion supports BC organisations with the technical controls, logging retention, and incident response planning that make a 72-hour response possible. Request a quote and we will review your current readiness.
