• About
  • Offices
  • Careers
  • News
  • Students
  • Alumni
  • Payments
  • EN | FR
Background Image
Bennett Jones Logo
  • People
  • Expertise
  • Knowledge
  • Search
  • FR Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
View all
Practices
Corporate Litigation Regulatory Tax View all
Industries
Energy Infrastructure Mining Private Equity & Investment Funds View all
Advisory
Crisis & Risk Management Public Policy
View Client Work
International Experience
Insights News Events Subscribe
Arbitration Angle Artificial Intelligence Insights Business Law Talks Podcast Class Actions: Looking Forward Class Action Quick Takes
Economic Outlook New Energy Economy Series Quarterly Fintech Insights Quarterly M&A Insights Sustainability & the CIO
People
Offices
About
Practices
Industries
Advisory Services
Client Work
Insights
News
Events
Careers
Law Students
Alumni
Payments
Search
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
 

Mandatory Breach Notification Across Canada

April 04, 2018

Written By Martin P.J. Kratz, QC

By Order in Council 2018-0369 on March 26, 2018, mandatory breach notification under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), comes in force November 1, 2018, for all entities subject to its jurisdiction.

The PIPEDA rules follow Alberta’s leadership, which has had mandatory breach notification for eight years. In Canada, provincial health privacy laws in Ontario, New Brunswick and Newfoundland and Labrador also contain reporting requirements. Most U.S. states have mandatory breach notification requirements. It is recognized that notification of the affected individuals is a key factor in mitigation of risk in instances of cyber breach.

The national mandatory breach notification rules includes a mandatory requirement for organizations to give notice to affected individuals and to the Office of the Federal Privacy Commissioner about data breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual." Unlike Alberta’s law, PIPEDA provides for some factors relevant to consider in determining whether there is a "real risk of significant harm", and what constitutes "significant harm". Under PIPEDA "significant harm" includes, among other things, humiliation, damage to reputation or relationships and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse and other factors.

The notification under PIPEDA is to be given "as soon as possible" after the breach has occurred. Under regulation, the specific content required of both a breach notification to the Federal Privacy Commissioner and to affected individuals has been specified.

Unlike the Alberta law, PIPEDA also requires where notification has been provided to individuals that the organization may be required to notify other organizations and the government where such notifications may reduce risks or mitigate harm. PIPEDA will also require organizations to keep and maintain records of every breach of safeguards involving personal information under their control. The Federal Commission can require an organization to provide a copy of such records to the Commissioner.

Organizations preparing for cyber breaches should contemplate that breach notification can be risk mitigating and will as of November 1, 2018, be mandatory for many organizations in Canada.

Notification responsibilities will arise under law and under many other relationships, for example, with insurers and under financing covenants. Evidence from a study of cyber breaches show that time and money can be saved if an organization has assessed its notification responsibilities before an incident has occurred. Now is the time to consider your notification plan.

Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.

For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.

Related Links

  • Insights
  • Media
  • Subscribe

Related Expertise

  • Data Governance Protection & Cybersecurity
  • Privacy & Data Protection

Recent Posts

In The News

Follow-Ons and Convertibles in Canada’s Equity Capital Markets

May 29, 2025
       

Client Work

Silver Viper Minerals to Acquire Cimarron Gold-Copper Project from CSAC Holdings Inc.

May 27, 2025
       

Updates

Class Actions: Looking Forward 2025

May 22, 2025
       

Speaking Engagements

Lincoln Caylor Speaks on Report Writing in OBA Investigation Series

May 20, 2025
       

In The News

How To Stay Resilient in an Uncertain World

May 16, 2025
       

Announcements

Bennett Jones Wins Big at Benchmark Litigation Awards

May 09, 2025
       

In The News

Managing Risk Amid Tariff Chaos

May 09, 2025
       

Speaking Engagements

Insights on Tariff Strategy and Cross-Border Trade Compliance

May 08, 2025
       

In The News

John Manley on NPR’s Morning Edition on Mark Carney’s White House Visit

May 06, 2025
       
Bennett Jones Centennial Footer
Bennett Jones Centennial Footer
About
  • Leadership
  • Diversity
  • Community
  • Innovation
  • Security
Offices
  • Calgary
  • Edmonton
  • Montréal
  • Ottawa
  • Toronto
  • Vancouver
  • New York
Connect
  • Insights
  • News
  • Events
  • Careers
  • Students
  • Alumni
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
© Bennett Jones LLP 2025. All rights reserved.
  • Privacy Policy
  • Disclaimer
  • Terms of Use
Logo Bennett Jones