Langley, BC
(604) 800-9060
Teradrive Forensics

Data Breach Investigation

Data breach forensic investigation aligned to Canadian privacy law.

PIPEDA and BC PIPA require defensible answers about scope, exfiltration, and risk of significant harm. We provide them.


When this service is needed

Typical scenarios where counsel and corporate clients retain us.

  • Suspected unauthorized access to personal information
  • Ransomware events with data-staging indicators
  • Vendor or supply-chain compromise
  • Lost or stolen unencrypted devices holding PI
  • Misconfigured cloud storage exposing customer data
  • Regulator interface and breach-record-keeping support

How we approach it

A defensible, repeatable process.

01

Initial scoping

We agree on the suspected breach event, the affected systems and data types, the timeline, and the deliverable. Engagements taken through counsel are structured to support a litigation-privilege claim.

02

Evidence preservation

We preserve all relevant endpoints, servers, cloud audit logs, email archives, and network logs immediately. M365 unified audit log retention is 90 to 180 days by default; we begin preservation within hours.

03

Exfiltration analysis

We determine what data was actually accessed and what was actually exfiltrated. Access is not always exfiltration. The analysis pairs endpoint forensics with cloud audit logs, network logs and, where available, threat-actor leak-site monitoring.

04

Threat actor attribution

Where attribution is relevant, we document indicators of compromise, tradecraft signatures, and infrastructure overlaps that support attribution to a known group or campaign.

05

Regulator-ready report

The deliverable is a written report structured for the OPC notification process. For BC organizations subject to BC PIPA, we structure parallel content for the OIPC BC. For federally regulated industries (banking, telecommunications, transportation), we structure content for the relevant sector regulator.

06

OPC and OIPC interface support

We work with counsel on the notification, the response to follow-up regulator questions, and any subsequent compliance review. Where the matter triggers a class action, the same forensic record supports the litigation defence.

Tools we apply

Named, current, and listed in every report.

  • Magnet AXIOM Cyber
  • X-Ways Forensics
  • KAPE
  • Cloud-native log analysis (M365, GWS, AWS)

Standards we follow

Aligned to Canadian and international guidance.

  • PIPEDA s. 10.1 and breach record-keeping requirements
  • BC PIPA notification threshold guidance
  • OPC and OIPC reporting templates

What you receive

Deliverables built for counsel, the regulator, and the court.

  • A preserved evidence set covering all in-scope systems and logs.
  • A written examiner report covering scope, timeline, exfiltration assessment, and attribution where supportable.
  • A regulator-ready summary suitable for OPC notification and provincial filings, with counsel review.
  • A "real risk of significant harm" analysis that counsel can rely on to support the notification decision.
  • Affidavit and expert-report support if the matter moves to enforcement or class action.

Common questions

Data Breach Investigation questions from Canadian counsel and corporate clients.

When is breach notification mandatory under PIPEDA?

When the breach involves personal information and creates a "real risk of significant harm" to one or more affected individuals. The notification must go to the Office of the Privacy Commissioner of Canada, to affected individuals, and to other organizations that can help mitigate harm.

What is "real risk of significant harm" under PIPEDA?

A risk that, if realized, would cause significant harm to an affected individual. Significant harm includes humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, negative effects on credit record, or damage to or loss of property. The standard is fact-specific and depends on the sensitivity of the information and the probability that it will be misused.

How do you determine if data was actually exfiltrated?

Through endpoint forensics (file access logs, browser uploads, USB writes, cloud sync), network log analysis, cloud audit log analysis (M365 unified audit log, Google Workspace audit data) and, where available, threat-actor leak-site monitoring. Access without exfiltration is a different determination from exfiltration, and the report must distinguish the two clearly.
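As an added illustration of the access-versus-exfiltration distinction made in the exfiltration-analysis step and in this answer (example code, not the firm's tooling): a small Python triage over constructed M365 unified audit log records (JSON lines) that separates objects a user merely opened from objects the log shows being downloaded or shared outward. Operation names follow the SharePoint/OneDrive audit schema; the bucketing of operations and every sample value are assumptions for the example.

```python
import json
from collections import defaultdict

# Operation names as they appear in the SharePoint/OneDrive workload of the
# M365 unified audit log. Grouping them into "access" vs "exfiltration" is an
# analyst's working assumption for triage, not a Microsoft-defined category.
ACCESS_OPS = {"FileAccessed", "FileAccessedExtended", "FilePreviewed"}
EXFIL_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
SHARING_OPS = {"AnonymousLinkCreated", "SharingSet"}

# Constructed sample records (JSON lines); not real tenant data.
SAMPLE_LOG = """
{"CreationTime":"2024-03-01T09:02:11","Operation":"UserLoggedIn","UserId":"alice@example.test","ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T09:05:40","Operation":"FileAccessed","UserId":"alice@example.test","ClientIP":"203.0.113.10","ObjectId":"https://example.test/Shared/HR/payroll.xlsx","Workload":"OneDrive"}
{"CreationTime":"2024-03-01T09:06:02","Operation":"FileDownloaded","UserId":"alice@example.test","ClientIP":"203.0.113.10","ObjectId":"https://example.test/Shared/HR/payroll.xlsx","Workload":"OneDrive"}
{"CreationTime":"2024-03-01T09:07:15","Operation":"FileAccessed","UserId":"alice@example.test","ClientIP":"203.0.113.10","ObjectId":"https://example.test/Shared/HR/handbook.docx","Workload":"OneDrive"}
{"CreationTime":"2024-03-01T09:09:30","Operation":"AnonymousLinkCreated","UserId":"alice@example.test","ClientIP":"203.0.113.10","ObjectId":"https://example.test/Shared/HR/ssn-list.csv","Workload":"SharePoint"}
{"CreationTime":"2024-03-01T10:12:00","Operation":"FileAccessed","UserId":"bob@example.test","ClientIP":"198.51.100.7","ObjectId":"https://example.test/Shared/Finance/q3.xlsx","Workload":"SharePoint"}
"""

def classify(record):
    """Map one audit record to the evidentiary bucket it supports."""
    op = record.get("Operation", "")
    if op in EXFIL_OPS:
        return "exfiltration"
    if op in SHARING_OPS:
        return "external-sharing"
    if op in ACCESS_OPS:
        return "access"
    return "other"

def summarize(jsonl):
    """Per user: which objects were merely accessed, downloaded, or shared out,
    plus the client IPs seen, so the report can cite source addresses."""
    summary = defaultdict(lambda: {"access": set(), "exfiltration": set(),
                                   "external-sharing": set(), "ips": set()})
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        bucket = classify(rec)
        if bucket == "other":
            continue
        user = rec.get("UserId", "unknown")
        summary[user][bucket].add(rec.get("ObjectId", ""))
        summary[user]["ips"].add(rec.get("ClientIP", ""))
    return summary

def access_only(summary, user):
    """Objects the user opened for which the log shows no copy leaving."""
    s = summary[user]
    return s["access"] - s["exfiltration"] - s["external-sharing"]
```

In the sample, payroll.xlsx is both accessed and downloaded, so it lands in the exfiltration bucket, while handbook.docx stays access-only; the cloud log alone cannot settle the latter, which is why the page pairs it with endpoint and network evidence.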

What goes into a regulator-ready breach report?

A description of the breach, the date and circumstances, the personal information involved, the number of individuals affected, the steps taken to reduce or mitigate the risk of harm, the steps taken to notify affected individuals, and any other information required by the regulator. We structure the forensic findings to map to the OPC reporting form by default.

Can the same forensic team support privilege and counsel?

Yes. Engagements taken through counsel are structured to support a litigation-privilege claim, with retention agreements, communication channels, and work-product handling designed for that purpose. The same forensic record can support the regulator notification and any subsequent litigation defence, as long as the privilege framing is set up correctly at the start.

Have a breach matter that needs a defensible forensic record?

Speed matters. Audit-log retention windows are short. Our team will reach out as soon as possible.