
Ransomware in Canada: PIPEDA notification and the forensic report
When PIPEDA notification is required after a ransomware event, what the forensic report needs to support the determination, and how to coordinate with the OPC.
After a ransomware event involving personal information, PIPEDA requires notification to the Office of the Privacy Commissioner of Canada when the breach creates a "real risk of significant harm" to affected individuals. The forensic report is the evidentiary backbone of that determination. It must establish what data was accessed, what was actually exfiltrated (a separate question), what categories of personal information were exposed, and the indicators that support or refute the harm assessment. This article walks through what the forensic report needs to cover and how it interfaces with the OPC notification process.
Table of contents
- The PIPEDA breach notification framework
- Real risk of significant harm: what counts
- What the forensic report must establish
- Access vs exfiltration: the critical distinction
- The OPC notification timeline
- Working with cyber insurance and panel firms
- Record-keeping obligations
- FAQ
1. The PIPEDA breach notification framework
PIPEDA's mandatory breach notification regime took effect November 1, 2018, under Schedule 4 to the Digital Privacy Act. The framework requires:
- Notification to the Office of the Privacy Commissioner of Canada (OPC) of any breach that creates a real risk of significant harm to one or more individuals.
- Notification to affected individuals as soon as feasible.
- Notification to other organizations that may be able to help mitigate the harm (for example, an issuing bank, a credit bureau, or a government agency).
- Record-keeping of all breaches involving personal information for at least 24 months, including breaches that do not require notification.
For BC organizations, BC PIPA provides a parallel notification regime. Quebec organizations are subject to Quebec Law 25's separate framework. Federally regulated industries (banking, telecommunications, transportation) have additional sector-specific requirements.
2. Real risk of significant harm: what counts
The "real risk of significant harm" determination is the gatekeeper. Without it, no notification is required. With it, notification is mandatory and the timeline is short.
Significant harm includes:
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business, or professional opportunities
- Financial loss
- Identity theft
- Negative effects on credit record
- Damage to or loss of property
The risk is assessed based on the sensitivity of the information involved and the probability that it will be misused. Both factors matter: highly sensitive information with low misuse probability may not trigger notification; less sensitive information with high misuse probability may.
Practical examples that often trigger notification:
- Social Insurance Numbers (SINs) exposed to a known threat actor with leak-site activity.
- Banking or financial account information exposed.
- Health information exposed.
- Government-issued ID exposed.
- Login credentials for active accounts exposed.
Examples that may not trigger notification:
- Already-public information.
- Information encrypted with a key the actor does not have.
- Information for which the actor's intent is clearly limited (for example, a misdirected email to a known internal recipient).
3. What the forensic report must establish
The forensic report needs to provide counsel with a defensible factual foundation for the harm assessment. The report should address:
- Scope of the incident. What systems were compromised, when, and through what initial access vector.
- Data accessed. What data the actor had the technical ability to view or modify.
- Data exfiltrated. What data the actor actually transferred out of the environment. This is a different determination from data accessed.
- Categories of personal information exposed. Mapped to the specific data elements (SIN, financial account, credentials, health, etc.).
- Number of individuals affected. With the methodology that produced the count.
- Threat actor attribution. Where supportable, the actor or campaign, and what is known about their handling of stolen data.
- Containment status. Whether the actor still has access, whether persistence has been removed, and whether the environment is now secure.
The report should be structured for two audiences: counsel making the harm determination, and the OPC reviewing the eventual notification.
4. Access vs exfiltration: the critical distinction
Access to data is not the same as exfiltration of data. The distinction matters because the harm calculus is different.
Access without exfiltration typically supports a lower-harm assessment. The actor may have viewed data but not retained it. Without exfiltration, the actor cannot misuse the data after the response is complete.
Exfiltration is the higher-harm scenario. Once data is in the actor's possession, it can be sold, leaked, or used for further attacks indefinitely.
Forensic determination of exfiltration depends on:
- Network log analysis showing outbound transfers.
- EDR telemetry capturing process activity and file access.
- Cloud audit logs for cloud-stored data.
- Direct evidence on endpoints (large outbound transfers, archive creation, staging directories).
- Threat-actor leak-site monitoring.
The report must distinguish high-confidence exfiltration findings from inferred ones. Where the evidence is strong, say so. Where it is circumstantial, say that too.
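As an added illustration (not code from the original article or the firm's own tooling), a small Python triage that sorts constructed per-host evidence into the tiers described above: an observed transfer (high confidence), staging or a leak-site listing without an observed transfer (inferred), and file reads only (access). The evidence records, the 100 MB "large transfer" cut-off and the "unfamiliar IP" flag on the cloud audit record are assumptions.

```python
"""Grade per-host evidence into the confidence tiers a forensic report must keep apart:
high-confidence exfiltration, inferred exfiltration, or access only. Constructed example."""
from collections import defaultdict

# Constructed evidence records (not from any real case): host or account, log source,
# observation, and the personal-information category of the file involved, where known.
EVIDENCE = [
    {"host": "FS01", "source": "edr", "event": "file_read", "path": "HR/payroll.xlsx", "pi": "financial"},
    {"host": "FS01", "source": "edr", "event": "archive_created", "path": "C:/Temp/hr.7z"},
    {"host": "FS01", "source": "netflow", "event": "outbound", "dst": "203.0.113.7", "bytes_out": 860_000_000},
    {"host": "WS22", "source": "edr", "event": "file_read", "path": "Finance/ap.csv", "pi": "financial"},
    {"host": "WS22", "source": "netflow", "event": "outbound", "dst": "203.0.113.7", "bytes_out": 40_000},
    {"host": "DB02", "source": "edr", "event": "archive_created", "path": "C:/Temp/clients.zip"},
    {"host": "DB02", "source": "leaksite", "event": "victim_listed"},
    {"host": "m365:jdoe", "source": "cloud_audit", "event": "file_downloaded",
     "path": "Clients/SIN_list.xlsx", "pi": "SIN", "unfamiliar_ip": True},
]

LARGE_TRANSFER = 100 * 1024 * 1024  # assumed cut-off; tune to the environment's normal outbound baseline

def grade_host(records):
    """Return (finding, basis) for one host: the strongest finding the evidence actually supports."""
    direct = [r for r in records
              if (r["event"] == "outbound" and r["bytes_out"] >= LARGE_TRANSFER)
              or (r["event"] == "file_downloaded" and r.get("unfamiliar_ip"))]
    if direct:  # a transfer out of the environment is observed in the logs
        return "exfiltration (high confidence)", [f"{r['source']}:{r['event']}" for r in direct]
    staging = [r for r in records if r["event"] in ("archive_created", "victim_listed")]
    if staging:  # staging activity or a leak-site claim without an observed transfer is circumstantial
        return "exfiltration (inferred)", [f"{r['source']}:{r['event']}" for r in staging]
    if any(r["event"] == "file_read" for r in records):
        return "access only", [r["path"] for r in records if r["event"] == "file_read"]
    return "no personal-information activity", []

def grade_evidence(evidence):
    """Group records by host or account and grade each one."""
    by_host = defaultdict(list)
    for r in evidence:
        by_host[r["host"]].append(r)
    return {h: grade_host(rs) for h, rs in by_host.items()}

def categories_by_finding(evidence):
    """Map each finding tier to the PI categories behind it, so counsel sees what rests on strong evidence."""
    grades = grade_evidence(evidence)
    out = defaultdict(set)
    for r in evidence:
        if "pi" in r:
            out[grades[r["host"]][0]].add(r["pi"])
    return {k: sorted(v) for k, v in out.items()}
```

Calling grade_evidence(EVIDENCE) gives the per-host finding and its basis; categories_by_finding(EVIDENCE) rolls the touched PI categories up by tier for the harm assessment.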
5. The OPC notification timeline
PIPEDA requires notification "as soon as feasible" after the breach is identified. The OPC has not specified a precise number of hours or days, but the practical expectation is days, not weeks.
The notification process:
- Internal identification. The breach is detected and counsel is notified.
- Forensic engagement. Within hours of identification.
- Initial scoping. Forensic team and counsel agree on scope and timeline.
- Real risk of significant harm assessment. Counsel-led, supported by the forensic record.
- OPC notification. If notification is required, file through the OPC's online breach reporting form.
- Affected individual notification. Through the most effective channel for the population (direct contact preferred where possible).
- Other organization notification. Where an issuing bank, credit bureau, or other organization can mitigate harm.
- Follow-up with the OPC. As the investigation matures, additional information may be filed.
For matters where the forensic investigation will take weeks, an interim notification is often appropriate. The OPC accepts updates as the picture matures.
6. Working with cyber insurance and panel firms
Most Canadian businesses subject to ransomware events have cyber insurance coverage. The insurer typically directs the response through a panel firm that handles detection, containment, and recovery.
Forensic investigation usually runs alongside or after the panel firm's work. Roles are complementary:
- Panel firm: Detection, containment, recovery, negotiation if applicable.
- Forensic team: Defensible scope analysis, exfiltration determination, regulator-ready report.
- Counsel: Privilege framework, harm assessment, regulator interface.
Engaging the forensic team through counsel preserves litigation privilege over the work. Coordination is best handled through scheduled status calls rather than ad hoc contact.
7. Record-keeping obligations
PIPEDA requires record-keeping of every breach involving personal information for at least 24 months, even when notification was not required. The record should include:
- Date and circumstances of the breach.
- Personal information involved.
- Number of individuals affected.
- Whether the breach was notified to the OPC and affected individuals, with reasons.
- Steps taken to reduce or mitigate the risk of harm.
The forensic report supports this record-keeping by providing the underlying factual basis. We deliver reports in a format that maps to the OPC's record-keeping expectations.
Reference: Office of the Privacy Commissioner of Canada, breach reporting guidance. PIPEDA Schedule 4.
8. FAQ
Q: How quickly must we notify the OPC after a ransomware event? A: As soon as feasible after the breach is identified. The OPC has not specified a number of hours or days, but the practical expectation is days, not weeks.
Q: What if we are not sure whether real risk of significant harm exists? A: Engage counsel and a forensic team to support the assessment. Where the determination is genuinely close, an interim notification with follow-up is often appropriate.
Q: Does notification require the forensic investigation to be complete? A: No. An initial notification can be filed with what is known, and updates can be provided as the investigation matures.
Q: What if our cyber insurer is handling the response? A: The insurer's panel firm typically handles detection and containment. The forensic backbone (defensible scope, exfiltration analysis, regulator-ready report) often requires additional retained expertise.
Q: What if the matter also involves BC PIPA or Quebec Law 25? A: The forensic record supports parallel notifications under each applicable framework. Counsel coordinates the multiple regulator interfaces.
