• About
  • Offices
  • Careers
  • News
  • Students
  • Alumni
  • Payments
  • EN | FR
Background Image
Bennett Jones Logo
  • People
  • Expertise
  • Knowledge
  • Search
  • FR Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
View all
Practices
Corporate Litigation Regulatory Tax View all
Industries
Energy Infrastructure Mining Private Equity & Investment Funds View all
Advisory
Crisis & Risk Management Public Policy
View Client Work
International Experience
Insights News Events Subscribe
Arbitration Angle Artificial Intelligence Insights Business Law Talks Podcast Class Actions: Looking Forward Class Action Quick Takes
Economic Outlook New Energy Economy Series Quarterly Fintech Insights Quarterly M&A Insights Sustainability & the CIO
People
Offices
About
Practices
Industries
Advisory Services
Client Work
Insights
News
Events
Careers
Law Students
Alumni
Payments
Search
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
 

Mandatory Breach Notification Across Canada

April 04, 2018

Written By Martin P.J. Kratz, QC

By Order in Council 2018-0369 on March 26, 2018, mandatory breach notification under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), comes in force November 1, 2018, for all entities subject to its jurisdiction.

The PIPEDA rules follow Alberta’s leadership, which has had mandatory breach notification for eight years. In Canada, provincial health privacy laws in Ontario, New Brunswick and Newfoundland and Labrador also contain reporting requirements. Most U.S. states have mandatory breach notification requirements. It is recognized that notification of the affected individuals is a key factor in mitigation of risk in instances of cyber breach.

The national mandatory breach notification rules includes a mandatory requirement for organizations to give notice to affected individuals and to the Office of the Federal Privacy Commissioner about data breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual." Unlike Alberta’s law, PIPEDA provides for some factors relevant to consider in determining whether there is a "real risk of significant harm", and what constitutes "significant harm". Under PIPEDA "significant harm" includes, among other things, humiliation, damage to reputation or relationships and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse and other factors.

The notification under PIPEDA is to be given "as soon as possible" after the breach has occurred. Under regulation, the specific content required of both a breach notification to the Federal Privacy Commissioner and to affected individuals has been specified.

Unlike the Alberta law, PIPEDA also requires where notification has been provided to individuals that the organization may be required to notify other organizations and the government where such notifications may reduce risks or mitigate harm. PIPEDA will also require organizations to keep and maintain records of every breach of safeguards involving personal information under their control. The Federal Commission can require an organization to provide a copy of such records to the Commissioner.

Organizations preparing for cyber breaches should contemplate that breach notification can be risk mitigating and will as of November 1, 2018, be mandatory for many organizations in Canada.

Notification responsibilities will arise under law and under many other relationships, for example, with insurers and under financing covenants. Evidence from a study of cyber breaches show that time and money can be saved if an organization has assessed its notification responsibilities before an incident has occurred. Now is the time to consider your notification plan.

Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.

For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.

Related Links

  • Insights
  • Media
  • Subscribe

Related Expertise

  • Data Governance Protection & Cybersecurity
  • Privacy & Data Protection

Recent Posts

Client Work

Plains All American Executes Definitive Agreements for C$5.15 Billion Sale of NGL Business to Keyera

June 19, 2025
       

Articles

Bennett Jones on Tax Disputes: June 2025

June 18, 2025
       

Client Work

Canadian Pacific Railway Company Closes C$1.4 Billion Debt Offering

June 16, 2025
       

In The News

Canada Needs to Build Economic Resilience: Bennett Jones Economic Outlook

June 16, 2025
       

Speaking Engagements

Legacy Builders Live Webcast

June 12, 2025
       

Client Work

Bennett Jones Acts for Dow Chemical in Successful $3.56 Billion Contract Claim

June 11, 2025
       

Speaking Engagements

Uncovering the CETA Opportunity

June 11, 2025
       

Client Work

DCM Group, a Thrust Capital Partners Portfolio Company, Acquires Metcor

June 09, 2025
       

Updates

Economic Outlook: Building Resilience and Capacity in a Disrupted World

June 2025
       
Bennett Jones Centennial Footer
Bennett Jones Centennial Footer
About
  • Leadership
  • Diversity
  • Community
  • Innovation
  • Security
Offices
  • Calgary
  • Edmonton
  • Montréal
  • Ottawa
  • Toronto
  • Vancouver
  • New York
Connect
  • Insights
  • News
  • Events
  • Careers
  • Students
  • Alumni
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
© Bennett Jones LLP 2025. All rights reserved.
  • Privacy Policy
  • Disclaimer
  • Terms of Use
Logo Bennett Jones