person working on a laptop

Mandatory Reporting of Breaches of Security Safeguards

February 01, 2019

Mandatory Reporting of Breaches of Security Safeguards

5 Minute Read

In a recent Droit-Inc article, MNP’s Tom Beaupre and Corey Bloom discuss new federal breach reporting rules and compliance requirements for all Canadian organizations.

Corey Bloom
Corey Bloom, CPA, CA, CA•IFA, CFE, CFF
Partner, Eastern Canada Leader (Quebec, NCR and Atlantic Canada), Forensics, Investigations and Disputes
Tom Beaupre
Tom Beaupre, QSA, CISSP, CISA, BS
Partner and Lead Cybersecurity - Quebec

This article was originally published in French on the Droit-Inc site. It has been translated and reproduced with permission

In an article written for, MNP’s Tom Beaupre, QSA, CISSP, CISA, BS, and Corey Anne Bloom CPA, CA, CA.IFA, CFE, CFF, recently discussed new federal breach reporting rules and what the changes mean for Canadian organizations. They highlight the need to shift toward a more security-focused mindset and offer practical steps leaders can take to protect their organizations in a stricter regulatory environment with increasing cyber crime.

With security breaches on the rise, this new framework comes at just the right time.

On the heels of the European Union’s General Data Protection Regulation that took effect in May 2018, Canada is introducing the Breach of Security Safeguards Regulations, which all Canadian organizations will have to comply with as of November 1, 2018.

These new regulations under the Digital Privacy Act require that all data security breaches that could create a “real risk of significant harm” be immediately reported to the federal regulatory authorities.

With the recent news of security breaches at companies like Air Canada and BMO, the timing of these new regulations couldn’t be better.

Impact on all Canadian organizations

While the Digital Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) apply specifically to organizations that collect, use and disclose personal information in the course of their commercial activities in Canada, the new Breach of Security Safeguards Regulations will have a broader scope. These regulations will apply across the board to all Canadian organizations, including small businesses, in keeping with the federal government’s Small Business Lens program.

Determining “significant harm”

To determine significant harm, organizations need to look at a number of factors. Aside from the risk of identity theft, they also need to weigh the sensitive nature of the data and how it could be misused.

Could the information be used to humiliate someone? Could it damage their reputation or relationships? Could it lead to financial loss, property loss or loss of employment, business or professional opportunities?

Reporting responsibilities

If an organization suffers a security breach that could create a “real risk of significant harm”, it is required to:

  1. Determine whether the breach creates a “real risk of significant harm” (and to what extent).
  2. Notify all affected clients to explain the security breach and the circumstances surrounding it.
  3. Notify the Privacy Commissioner of Canada of the circumstances and cause (if known) of the security breach.
  4. Keep a record of the security breach for at least 24 months.
  5. Comply with the Digital Privacy Act regulations and keep compliance certification documents on hand.

Beyond understanding the risks

Despite the strong recommendation that all organizations subject to PIPEDA have an action plan in place for protecting personal information, businesses are still somewhat in denial about the real risk of cyber attacks.

Presumably this new framework will prompt some deeper analysis as its success will depend on the willingness and ability of organizations to realign their management, resources, internal processes and technologies.

That’s where lawyers, IT security and investigation specialists (forensic accountants) and cyber security professionals will be valuable allies in helping to classify and identify sensitive data, preserve or recover that data, set priorities and put protection programs in place.

Ultimately, requiring Canadian businesses to comply with these new regulations should also lead to better practices for protecting personal information and, generally speaking, stronger cyber security as businesses try to stay one step ahead of cyber fraud.

Tom Beaupre QSA, CISSP, CISA, BS, is a Partner and Quebec Cyber Security Leader with MNP. He can be reached at 514.861.9724 or email [email protected].

Corey Bloom CPA, CA, CA.IFA, CFE, CFF, is a Partner and Eastern Canada Leader with MNP’s Forensics and Disputes Practice. She can be reached at 514.861.9724 or email [email protected].


  • Confidence
    Holding a portfolio on one hand, comparing data on another

    July 28, 2021

    How to optimize value from an Internal Audit co-sourcing partnership

    Co-sourcing your internal audit function can help you navigate several contemporary challenges — including the need for greater agility and subject matter expertise, as well as cost and resourcing pressures. Here we investigate practical steps to find the right vendor and make this relationship as seamless, targeted, and cost effective as possible.

  • Progress
    person reviewing graphs on their phone

    July 26, 2021

    Automating finance, so you can focus on your business

    Cloud accounting and bookkeeping solutions allow you to focus on the critical parts of your business instead of shuffling through paperwork every week.

  • Progress

    July 22, 2021

    Cloud accounting and bookkeeping can transform your real estate and construction operations

    Priorities are changing after the long hours that came with navigating COVID-19. Here’s how you can free up time to focus on what really matters.