person working on a laptop

Mandatory Reporting of Breaches of Security Safeguards

February 01, 2019

Mandatory Reporting of Breaches of Security Safeguards

5 Minute Read

In a recent Droit-Inc article, MNP’s Tom Beaupre and Corey Bloom discuss new federal breach reporting rules and compliance requirements for all Canadian organizations.

Partner, Eastern Canada Leader (Quebec, NCR and Atlantic Canada), Forensics, Investigations and Disputes
Partner, Risk Management

This article was originally published in French on the Droit-Inc site. It has been translated and reproduced with permission

In an article written for, MNP’s Tom Beaupre, QSA, CISSP, CISA, BS, and Corey Anne Bloom CPA, CA, CA.IFA, CFE, CFF, recently discussed new federal breach reporting rules and what the changes mean for Canadian organizations. They highlight the need to shift toward a more security-focused mindset and offer practical steps leaders can take to protect their organizations in a stricter regulatory environment with increasing cyber crime.

With security breaches on the rise, this new framework comes at just the right time.

On the heels of the European Union’s General Data Protection Regulation that took effect in May 2018, Canada is introducing the Breach of Security Safeguards Regulations, which all Canadian organizations will have to comply with as of November 1, 2018.

These new regulations under the Digital Privacy Act require that all data security breaches that could create a “real risk of significant harm” be immediately reported to the federal regulatory authorities.

With the recent news of security breaches at companies like Air Canada and BMO, the timing of these new regulations couldn’t be better.

Impact on all Canadian organizations

While the Digital Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) apply specifically to organizations that collect, use and disclose personal information in the course of their commercial activities in Canada, the new Breach of Security Safeguards Regulations will have a broader scope. These regulations will apply across the board to all Canadian organizations, including small businesses, in keeping with the federal government’s Small Business Lens program.

Determining “significant harm”

To determine significant harm, organizations need to look at a number of factors. Aside from the risk of identity theft, they also need to weigh the sensitive nature of the data and how it could be misused.

Could the information be used to humiliate someone? Could it damage their reputation or relationships? Could it lead to financial loss, property loss or loss of employment, business or professional opportunities?

Reporting responsibilities

If an organization suffers a security breach that could create a “real risk of significant harm”, it is required to:

  1. Determine whether the breach creates a “real risk of significant harm” (and to what extent).
  2. Notify all affected clients to explain the security breach and the circumstances surrounding it.
  3. Notify the Privacy Commissioner of Canada of the circumstances and cause (if known) of the security breach.
  4. Keep a record of the security breach for at least 24 months.
  5. Comply with the Digital Privacy Act regulations and keep compliance certification documents on hand.

Beyond understanding the risks

Despite the strong recommendation that all organizations subject to PIPEDA have an action plan in place for protecting personal information, businesses are still somewhat in denial about the real risk of cyber attacks.

Presumably this new framework will prompt some deeper analysis as its success will depend on the willingness and ability of organizations to realign their management, resources, internal processes and technologies.

That’s where lawyers, IT security and investigation specialists (forensic accountants) and cyber security professionals will be valuable allies in helping to classify and identify sensitive data, preserve or recover that data, set priorities and put protection programs in place.

Ultimately, requiring Canadian businesses to comply with these new regulations should also lead to better practices for protecting personal information and, generally speaking, stronger cyber security as businesses try to stay one step ahead of cyber fraud.

Tom Beaupre QSA, CISSP, CISA, BS, is a Partner and Quebec Cyber Security Leader with MNP. He can be reached at 514.861.9724 or email [email protected].

Corey Bloom CPA, CA, CA.IFA, CFE, CFF, is a Partner and Eastern Canada Leader with MNP’s Forensics and Disputes Practice. She can be reached at 514.861.9724 or email [email protected].


  • Progress

    May 20, 2022

    Enhanced hospital GST / HST rebates for long-term care facilities

    If you operate a long-term care facility and are currently only claiming the GST / HST rebate for charities or qualifying not-for-profit organizations, it may be time to revisit your eligibility for an enhanced hospital rebate announced in the 2022 Federal Budget.

  • Agility

    May 19, 2022

    Crypto asset mining – A review of recent proposals

    Proposed amendments to tax rules around crypto assets could impact business engaged in crypto mining activities. We explore how new definitions shift GST / HST costs under the proposed changes.

  • Agility

    May 17, 2022

    The power of putting people first

    For your organization to thrive in a modern and competitive workforce, you may need to shift your mindset and your approach towards employee satisfaction.