Canada’s PIPEDA Breach Notification Regulations Are Finalized!

While the US — post-Target, post-Sony, post-OPM, post-Equifax — still doesn’t have a national data security law, things are different north of the border. Canada, like the rest of the...
Michael Buckbee
2 min read
Last updated May 19, 2022

While the US — post-Target, post-Sony, post-OPM, post-Equifax — still doesn’t have a national data security law, things are different north of the border. Canada, like the rest of the word, has a broad consumer data security and privacy law, which is known as the Personal Information Protection and Electronic Documents Act (PIPEDA).

For nitpickers, there are also overriding data laws at the provincial level — Alberta and British Columbia’s PIPA — that effectively mirror PIPEDA.

Get the Free Essential Guide to US Data Protection Compliance and Regulations


Data Security and Privacy: It’s Better In Canada With PIPEDA

In any case, PIPEDA is a consumer-friendly law that’s based on Canadian-born Privacy by Design (PbD) principles. The law has privacy rules requiring consumer consent when collecting personal information and giving consumers the right to access and change their data when incorrect. And companies are obligated to put in place security safeguards and practices, such as data minimization, to limit risks and protect their data. Not surprisingly, PIPEDA is also similar to another PbD- inspired law, the EU GDPR.

Like the GDPR, PIPEDA’s definition of personal information is quite broad: it includes any data about an individual. Along with name, and other obvious identifiers, PIPEDA counts as personal information employee files, credit records, medical records, blood type, social status, and more.

Breach reporting must-haves as spelled out in the new regulation.

In June 2015, the Digital Privacy Act amended PIPEDA to include breach notification requirements. The Act defines a “breach of security safeguards” as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards.

Those of you who’ve been following along with our coverage of various breach notification laws know that the use of “or” above is significant. In short: a breach can involve unauthorized access alone without disclosure, and that means hacking into systems and touching personal information counts as a breach. And in particular, a ransomware attack would be considered a breach under PIPEDA.

Under PIPEDA, organizations are required to notify affected the Privacy Commissioner of Canada and affected individuals “as soon as feasible” when there is a breach that creates a “real risk of significant harm” — which can include mere reputational harm — to an individual. It also requires them to record a record of each breach of safeguards involving personal information, regardless of whether the breach results in a risk of significant harm.

With the breach notification law passed, Canadians had to wait for the Canadian government to finalize the nitty gritty details in new regulations yet to be written, and to set a date for the rules to go into effect. And wait.

PIPEDA’s Breach Notification Rule Goes Into Effect (in November)

A mere three years later, the government finally released the fine print of the regulation in January. If you’re truly interested, you can read the details here (skip past all the regulations on fisheries to page 149).

I scanned this riveting legal prose, so I can save you some time. If after analysis of an incident, it’s decided the breach will cause significant harm, the regulatory authority and the individuals affected will have to be notified with the breach details, including a description of the incident, the personal information accessed or taken, and what the company is doing about the breach (see the above legale-ese from the regulation).

But even if the risk to the affected individuals doesn’t merit a notification, the company still has to record basic information about the breach and retain if for 24-months.

These breach reporting rules will go into effect on November 1, 2018.

Varonis and PIPEDA

As with the GDPR and many other data security and privacy laws, Varonis can also help you comply with PIPEDA. You can learn more about how we support its key principles here.

For the new breach notification rules, our DatAlert product can monitor sensitive personal information and alert IT when this data is accessed, modified, or copied in an abnormal way. More specifically, our UBA threat models can catch ransomware as it accesses and encrypts files.

Want to lean more about how Varonis helps with breach monitoring and reporting? Ask for a free demo today!




What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Cybercrime Laws Get Serious: Canada’s PIPEDA and CCIRC
In this series on governmental responses to cybercrime, we’re taking a look at how countries through their laws are dealing with broad attacks against IT infrastructure beyond just data theft....
Understanding Canada: Ontario’s New Medical Breach Notification Provision (and Other Canadian Data Privacy Facts)
Remember Canada’s profusion of data privacy laws? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the law that covers all commercial organizations across Canada. Canadian federal government agencies,...
Cloud Security Essentials: The Case for Automated DSPM
Data security posture management (DSPM) has emerged as a standard for securing sensitive data in the cloud and other environments. However, without automation, DSPM doesn’t stand a chance. Automation is crucial to overcoming the challenges of securing data in the cloud.
data-security-compliance-and-datadvantage,-part-iii:- protect-and-monitor
Data Security Compliance and DatAdvantage, Part III:  Protect and Monitor
At the end of the previous post, we took up the nuts-and-bolts issues of protecting sensitive data in an organization’s file system. One popular approach, least-privileged access model, is often...