Data Breach Response Checklist for Canadian Organizations
Step-by-step data breach response checklist for Canadian SMEs — from first hour containment through regulator reporting, individual notification, and post-breach review under PIPEDA and PIPA.
How to use this checklist
This checklist covers the full data breach response lifecycle for Canadian organizations subject to PIPEDA, Alberta PIPA, or BC PIPA. Work through each phase in order. Time is a critical factor — delay in containment increases harm, and delay in RROSH assessment delays notification.
For a scenario-specific quick reference during an active incident, see the relevant ClearBreach quick reference guide for your breach type.
Phase 1 — Immediate containment (first 24 hours)
The first priority is stopping the ongoing breach. Do not prioritize remediation over containment — they are different steps: containment stops the exposure now, remediation (Phase 5) fixes the root cause afterwards.
- [ ] Isolate affected systems from the network immediately. Do not shut down systems unless instructed by your incident response firm — live memory forensics may be needed first.
- [ ] Revoke compromised credentials. Disable affected user accounts, revoke active sessions, invalidate API keys or tokens that may have been exposed.
- [ ] Preserve evidence. Do not wipe, reimage, or restore affected systems before forensic review is complete. Evidence destruction undermines your breach report and may create legal exposure.
- [ ] Notify your cyber insurer. Most policies require notification before remediation steps are taken. Contact your insurer immediately — they typically have an incident response panel with pre-approved vendors.
- [ ] Engage an incident response firm if the breach involves confirmed unauthorized access, ransomware, or confirmed exfiltration. Your insurer may provide this.
- [ ] Identify the breach type — ransomware, phishing, lost device, insider, third-party, accidental disclosure, or other.
- [ ] Identify affected systems — which servers, devices, or accounts were involved?
- [ ] Identify personal information at risk — what categories of personal information were on affected systems? SINs? Financial data? Health records? Passwords? Contact information?
- [ ] Establish a breach timeline — when did unauthorized access first occur (not just when you discovered it)? Use available logs.
- [ ] Document everything — date and time of discovery, who discovered it, initial containment steps taken, systems affected. Start your internal breach record immediately.
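As an added example (not ClearBreach's code and not part of the original checklist), the breach-timeline step above worked through in Python: the six log lines, the one-event-per-line `key=value` format and the assumption that 10.x addresses are the corporate network are all invented for illustration. The script separates the first successful unauthorized login from the later discovery alert, which is exactly the distinction the timeline item asks for, and lists the files touched from outside to feed the "personal information at risk" item.

```python
# Added example, not ClearBreach code. Log format, field names and the
# 10.x "internal" address range are assumptions for illustration only.
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log lines (invented for this example, deliberately unordered).
SAMPLE_LOG = """\
2024-03-06T15:20:44Z ALERT user=jsmith src=198.51.100.7 msg=impossible-travel
2024-03-02T09:14:05Z LOGIN_OK user=jsmith src=10.0.4.21
2024-03-03T02:41:17Z LOGIN_FAIL user=jsmith src=198.51.100.7
2024-03-03T02:41:52Z LOGIN_OK user=jsmith src=198.51.100.7
2024-03-03T02:47:10Z FILE_READ user=jsmith src=198.51.100.7 path=/hr/sin_export.csv
2024-03-04T08:03:00Z LOGIN_OK user=jsmith src=10.0.4.21
"""

INTERNAL_PREFIXES = ("10.",)  # assumption: corporate address space

@dataclass
class BreachTimeline:
    user: str
    first_unauthorized_access: datetime  # earliest successful external login
    discovery: datetime                  # when the organization noticed
    dwell_time_days: float               # gap the regulator report must explain
    files_accessed: list = field(default_factory=list)

def parse_line(line):
    """Parse '<ISO8601Z> <EVENT> key=value ...' into (timestamp, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields

def build_timeline(log_text, user, discovery_event="ALERT"):
    # Sort by timestamp first: exported logs are rarely in order.
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    first_access = discovery = None
    files = []
    for ts, event, f in events:
        if f.get("user") != user:
            continue
        external = not f.get("src", "").startswith(INTERNAL_PREFIXES)
        if event == "LOGIN_OK" and external and first_access is None:
            first_access = ts  # breach start; earlier failed attempts are only reconnaissance
        if event == "FILE_READ" and external:
            files.append(f.get("path", ""))  # candidate personal information at risk
        if event == discovery_event and discovery is None:
            discovery = ts
    if first_access is None or discovery is None:
        raise ValueError("no unauthorized access or no discovery event found for user")
    dwell = (discovery - first_access).total_seconds() / 86400
    return BreachTimeline(user, first_access, discovery, round(dwell, 2), files)
```

The returned record gives the two dates the internal breach record and the OPC report both need: when access first occurred, and when you found it.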
Phase 2 — Assessment and investigation (days 1–5)
Once containment is underway, begin your formal RROSH assessment. Do not wait for full forensic completion — assess on available information and revise as more is learned.
- [ ] Determine which organizations' data was affected — your own customers/employees, or client data you hold on behalf of a third party?
- [ ] Assess sensitivity of compromised personal information. Document each category: SINs, health data, financial account numbers, passwords, contact information, employment data.
- [ ] Assess probability of misuse — was access confirmed? Was the attacker a known threat actor? Is there evidence of exfiltration? Has stolen data appeared for sale?
- [ ] Count affected individuals — or estimate if exact count is not yet available.
- [ ] Assess recovery status — has the data been recovered? Is there evidence it was not accessed?
- [ ] Determine which privacy frameworks apply — PIPEDA? Alberta PIPA? BC PIPA? All three?
- [ ] Run your formal RROSH assessment — use ClearBreach or complete the assessment manually using the four RROSH factors.
- [ ] Document your RROSH determination — record the reasoning, not just the conclusion. This is part of your mandatory internal breach record.
- [ ] Retain privacy counsel for HIGH or CRITICAL severity breaches, or whenever you are uncertain about RROSH.
Phase 3 — Regulator reporting
If RROSH is present, report to the applicable regulators promptly.
Under PIPEDA (OPC — mandatory):
- [ ] Complete the OPC breach report. Include: breach description, date, personal information involved, number of individuals affected, steps taken to reduce harm, notification plan, contact details.
- [ ] Submit through the OPC's online breach portal at priv.gc.ca.
- [ ] File as soon as feasible after RROSH determination — do not wait for full forensic completion.
- [ ] Calendar a follow-up supplement once forensic investigation is complete if the initial report was based on incomplete information.
Under Alberta PIPA (OIPC Alberta — mandatory when RROSH present):
- [ ] Complete the OIPC Alberta breach notification form (available at oipc.ab.ca).
- [ ] File without unreasonable delay after RROSH determination.
- [ ] File separately from the OPC report — the OIPC Alberta requires its own notification.
Under BC PIPA (OIPC BC — voluntary but recommended):
- [ ] Contact OIPC BC at oipc.bc.ca to obtain their current voluntary breach notification form.
- [ ] File the voluntary report. This demonstrates accountability and opens a guidance channel.
Phase 4 — Individual notification
If RROSH is present, notify every affected individual directly.
- [ ] Draft your notification letter. It must include: breach description, personal information involved, steps your organization has taken, steps the individual can take to protect themselves, your contact information for follow-up questions.
- [ ] Use direct notification — mail, email, or phone call to each affected individual. A website notice or public announcement alone does not satisfy the obligation unless direct notification is not reasonably possible.
- [ ] Notify concurrently with or immediately after regulator reporting. Do not delay individual notification pending regulator response.
- [ ] Retain records of notification — who was notified, by what method, and when.
- [ ] Set up a dedicated intake channel — a dedicated email address or phone number for affected individuals to ask questions. Staff it appropriately for the scale of the breach.
Phase 5 — Remediation and recovery
After reporting and notification are underway, focus on remediation and recovery.
- [ ] Restore affected systems from clean backups once forensics are complete and the entry point is closed.
- [ ] Change all credentials for affected accounts — not just the directly compromised ones. Rotate API keys, service account credentials, and admin passwords broadly.
- [ ] Patch the exploited vulnerability — identify the root cause and close it before systems are brought back online.
- [ ] Review access controls — implement least-privilege access if not already in place. Audit who has access to sensitive personal information.
- [ ] Implement MFA on all accounts with access to personal information if not already deployed.
- [ ] Review your data minimization practices — were you holding personal information you no longer needed? Reduce the footprint of personal information you retain.
Phase 6 — Internal record and post-breach review
- [ ] Complete your internal breach record. Document the full timeline, all personal information involved, RROSH reasoning, containment steps, remediation steps, regulator reports filed, and individuals notified. Retain for at least 24 months (PIPEDA minimum).
- [ ] Conduct a post-breach review. What controls failed? What would have prevented or reduced the breach? What response steps worked well or poorly?
- [ ] Update your incident response plan based on lessons learned.
- [ ] Report findings to leadership — breaches are a board-level matter for significant incidents.
- [ ] Notify your commercial general liability and professional liability insurers if not already done — coverage for third-party claims arising from the breach may apply.
Running your formal RROSH assessment with ClearBreach
ClearBreach replaces the manual RROSH assessment with a structured 18–23 question wizard that takes under 15 minutes. After completing the wizard, you receive:
- A scored Verdict Card — MINIMAL, LOW, MEDIUM, HIGH, or CRITICAL — with a clear RROSH determination
- An Internal Incident Record completing your Phase 6 documentation obligation
- An Individual Notification Letter ready to send
- Regulator report drafts for every applicable framework — OPC, OIPC Alberta, OIPC BC
All answers are processed in your browser. No breach details are sent to ClearBreach servers.
Frequently asked questions
What is the first thing I should do after a data breach in Canada?
Contain the breach immediately — isolate affected systems, revoke compromised credentials, and stop the ongoing exposure. Do not wipe evidence before a forensic review. Notify your cyber insurer before taking remediation steps, as most policies require early notification. Then begin documenting everything: date discovered, systems affected, personal information involved, and actions taken.
How long do I have to report a data breach under PIPEDA?
There is no fixed number of days — PIPEDA requires reporting 'as soon as feasible' after you determine a real risk of significant harm (RROSH) is present. In practice, the OPC expects days from your determination, not weeks. Perform your RROSH assessment immediately and report promptly. Do not wait for a complete forensic investigation.
Do I need a lawyer before reporting a data breach in Canada?
Legal counsel is strongly recommended before submitting reports to regulators, particularly for HIGH or CRITICAL severity breaches. A privacy lawyer can review your RROSH determination, the scope of notification required, and ensure your regulator communications are accurate and appropriately worded. Retain counsel as early as possible — ideally during containment, before any external communications.
What records do I need to keep after a data breach?
Under PIPEDA you must maintain an internal breach record for every breach — even those that do not trigger RROSH — for a minimum of 24 months. The record should document the discovery date, breach circumstances, personal information involved, RROSH determination, containment and remediation steps, and whether reports were filed. Alberta PIPA and BC PIPA have similar record-keeping requirements.
Do I need to notify my clients or customers about a data breach?
Yes, if the breach poses a real risk of significant harm (RROSH) to affected individuals. You must notify them directly — not just through a general public notice or website announcement unless direct notification is not reasonably possible. Notification must describe the breach, the personal information involved, steps you have taken, steps they can take to protect themselves, and how to reach you.
This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.
Run your formal assessment now
ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.