When must a breach be reported
Under PIPEDA, a breach must be reported to the OPC, and affected individuals must be notified, if it creates a real risk of significant harm (RROSH). Factors in assessing RROSH include:
- The sensitivity of the information involved.
- The likelihood the information has been or will be misused.
- Other relevant factors (e.g., the cause of the breach, who obtained the information).
What notification must contain
Notifications must be conspicuous, given as soon as feasible, and must contain enough information for affected individuals to understand the significance of the breach and to take steps to reduce the risk or mitigate the harm.
Provincial rules
- Alberta's PIPA has required mandatory notification to the OIPC since 2010.
- Quebec's Law 25 requires notification to the CAI and affected individuals for any confidentiality incident that presents a risk of serious injury.
- PHIPA, HIA, HIPA, and similar health-privacy laws impose their own notification obligations on custodians.
What you can do if affected
- Review the notification carefully and follow any protective steps it suggests.
- Change passwords and enable multi-factor authentication on affected accounts.
- Request a fraud alert on your credit file at Equifax or TransUnion.
- File a complaint with the OPC or the applicable provincial commissioner if the response was inadequate.