
OPC Shares Observations after One Year of Mandatory Data Breach Reporting

The Office of the Privacy Commissioner of Canada (OPC) has released an update on mandatory breach reporting over the past year. Since November 1, 2018, the OPC has received 680 breach reports, a significant increase compared to the number of reports submitted voluntarily during the same period one year earlier. The reports came from organizations ranging from larger, well-known organizations to small- and medium-sized enterprises. According to the report, these 680 breach reports affected over 28 million Canadians in the past year.

By way of background, on November 1, 2018, commercial organizations became subject to mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA), requiring them to report breaches of security safeguards involving personal information posing a ‘real risk of significant harm’ to individuals.[1] Before these requirements came into force, such businesses were only required to report data breaches to the OPC on a voluntary basis.[2]

Over the past year, the majority of data breaches reported (58%) involved unauthorized access. More than 20% of the breaches reported involved accidental disclosure, and roughly 25% of reported breaches involved social engineering hacks such as phishing and impersonation.

The volume of reported data breaches reinforces the reality that in today’s world, data breaches are a fact of modern life. It is ultimately not a question of ‘if’, but rather ‘when’, your personal information will be subject to unauthorized access in a cybersecurity incident.

As such, commercial organizations should be aware of their reporting obligations in the event of a data breach, including: (1) the content, form and manner of the report that must be filed with the Office of the Privacy Commissioner of Canada; (2) the content, form and manner of the notification that must be provided to affected individuals; and (3) data breach record keeping requirements. For more information on how commercial organizations can minimize data breaches, please see our earlier post on the mandatory breach notification rules.

For more information on mandatory data breach reporting and practical advice on how to comply with Canadian privacy laws, please contact our Cybersecurity, Privacy & Data Management Group.



[1] Real risk of significant harm (RROSH) is determined based on the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused. Different privacy regulators take different views of the RROSH threshold. The RROSH test is generally much more watered down than the test for compensable damages or causation of harm in the civil litigation setting.

[2] However, Alberta’s analogous privacy statute has included mandatory breach reporting for nearly a decade.

