This guide is for use during an active breach.

Applies to: PIPEDA, AB PIPA, BC PIPA; all sectors

Phishing and Email Compromise — Quick Reference Guide

By Yong Du

Immediate steps for phishing and email compromise — containment, audit log review, and reporting under PIPEDA, Alberta PIPA, and BC PIPA.

Typical verdict: RROSH

Reporting deadline: As soon as feasible after RROSH is determined — regulators expect days, not weeks

Documents you will need

  • Internal Incident Record (always required)
  • OPC PIPEDA Breach Report (if PIPEDA RROSH triggered)
  • OIPC Alberta Notification Form (if AB PIPA applies)
  • OIPC BC Notification (if BC PIPA applies)
  • Individual Notification Letter
  • AB PIPA Individual Notice s.19.1 (if AB PIPA individual notification required)

Do not

  • Reset password and consider the incident closed — forwarding rules and OAuth apps persist
  • Skip the audit log review — pull logs immediately before they expire
  • Assume credential theft without confirmed login means no breach
  • Ignore connected systems — email is a gateway to SharePoint, OneDrive, and SaaS platforms
  • Wait for full forensic results before starting your RROSH assessment

Phishing and business email compromise (BEC) almost always trigger RROSH when the compromised account contained personal information. The scope challenge is not whether to report — it is defining what was exposed across a mailbox that may hold years of sensitive data. For detailed RROSH analysis and jurisdiction-specific guidance, see the full phishing and BEC playbook.

First 30 minutes

  • Reset the compromised account password immediately
  • Revoke all active sessions — a password reset does not terminate sessions already in progress; use the admin console (Microsoft Entra ID or Google Workspace Admin)
  • Check for email forwarding rules in the mail admin console, not the user's account settings — attackers set these up before discovery, and they persist after a password reset
  • Check for inbox rules — rules that delete, move, or hide emails from view
  • Revoke all OAuth third-party application authorizations on the compromised account
  • Pull audit logs now — Microsoft 365 and Google Workspace audit logs expire on rolling retention windows; pull immediately and preserve unrecognized login events, IP addresses, and timestamps
  • Notify your cyber insurer before beginning extended remediation

Within 24 hours

  • Identify all systems connected to the compromised account: Teams, SharePoint, OneDrive, cloud CRM, cloud storage, any SaaS platform accessible via the same credentials or SSO
  • Assess what personal information was in the inbox and connected systems:
    • Client correspondence (names, contact details, financial or transaction information)
    • HR or employee records (salaries, performance, personal details)
    • Invoices, contracts, and financial documents
    • Documents shared by email — attachments accumulate over years
  • Identify which provinces the affected individuals are in — this determines whether Alberta PIPA and/or BC PIPA apply alongside PIPEDA
  • Establish the access timeline: when credentials were obtained, earliest evidence of login, when the account was fully secured including forwarding rules and OAuth revocations
  • Check sent mail for phishing emails sent to your contacts using the compromised account
  • Enable MFA on the compromised account and all accounts that did not have it in place
  • Run your ClearBreach RROSH assessment — do not wait for forensic results
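As an added example (not ClearBreach's or Microsoft's code), the following triage runs the rule, OAuth-consent and unrecognised-login checks from the first-30-minutes steps over exported audit-log records and produces the access timeline called for above. Field names follow the Microsoft 365 AuditData schema (CreationTime, Operation, ClientIP, ResultStatus, Parameters); the sample records and the KNOWN_IPS allow-list are constructed and stand in for your own export and office egress addresses.

```python
# Added example, not ClearBreach's or Microsoft's code: triage of exported Microsoft 365
# unified audit log records for one mailbox. Field names follow the M365 AuditData schema
# (CreationTime, Operation, ClientIP, ResultStatus, Parameters); the sample records and
# the KNOWN_IPS allow-list are constructed.

# Mailbox/rule parameters that divert or hide mail; attackers set these, users rarely do.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress",
                "ForwardingAddress", "DeleteMessage", "MoveToFolder"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}  # admin-audit ops with Name/Value params

def triage(records, known_ips):
    """Return (findings, timeline) from parsed AuditData dicts, oldest record first."""
    findings, unknown_logins = [], []
    for r in sorted(records, key=lambda x: x["CreationTime"]):  # ISO timestamps sort as text
        op, ip, when = r["Operation"], r.get("ClientIP", ""), r["CreationTime"]
        if op == "UserLoggedIn":
            if r.get("ResultStatus") == "Success" and ip not in known_ips:
                unknown_logins.append(when)
                findings.append(f"{when} login from unrecognised IP {ip}")
        elif op in RULE_OPS:
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            hits = sorted(EXFIL_PARAMS.intersection(params))
            if hits:  # a rule that only renames or categorises mail is not flagged
                findings.append(f"{when} {op} from {ip} set "
                                + ", ".join(f"{k}={params[k]}" for k in hits))
        elif op == "Consent to application.":
            findings.append(f"{when} OAuth consent granted from {ip}; revoke if app is unrecognised")
    timeline = {"first_unrecognised_login": unknown_logins[0] if unknown_logins else None,
                "last_unrecognised_login": unknown_logins[-1] if unknown_logins else None}
    return findings, timeline

# Constructed sample: one office login, then attacker activity from a documentation-range IP.
KNOWN_IPS = {"203.0.113.10"}
SAMPLE = [
    {"CreationTime": "2025-03-03T08:12:44", "Operation": "UserLoggedIn",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2025-03-04T02:41:09", "Operation": "UserLoggedIn",
     "ClientIP": "198.51.100.77", "ResultStatus": "Success"},
    {"CreationTime": "2025-03-04T02:43:51", "Operation": "New-InboxRule", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "ForwardTo", "Value": "archive@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-04T02:45:02", "Operation": "Consent to application.",
     "ClientIP": "198.51.100.77"},
    {"CreationTime": "2025-03-04T02:50:00", "Operation": "UserLoggedIn",  # failed attempt, not a login
     "ClientIP": "198.51.100.77", "ResultStatus": "Failed"},
]

def run_sample():
    return triage(SAMPLE, KNOWN_IPS)
```

Findings from a real export give you the evidence to preserve (rule parameters, consent events, source IPs and timestamps); the timeline's first unrecognised login is the earliest confirmed access for the Internal Incident Record.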

Within 72 hours

  • Complete your RROSH assessment and review your verdict
  • If PIPEDA RROSH is met: file OPC Breach Report as soon as feasible — do not delay
  • If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
  • If BC PIPA applies (BC residents' personal information was in the inbox) and RROSH is met: notify OIPC BC and affected BC residents directly
  • Send individual notifications directly — do not substitute a website notice for direct notification
  • If BEC resulted in financial fraud: report to your financial institution and insurer on their required timelines — parallel to, not instead of, privacy reporting
  • Begin populating your Internal Incident Record with all actions taken and timestamps

Ongoing — until resolution

  • Monitor for signs of continued access — forwarding rules and OAuth apps can be re-created or re-authorized
  • Update your Internal Incident Record as scope assessment develops
  • Reassess RROSH if new facts materially expand the confirmed breach scope
  • Retain all records for 24 months minimum from breach start date

Reporting obligations by jurisdiction

PIPEDA
  Applies when: Your organization engages in interprovincial commercial activity
  Report to: OPC (priv.gc.ca)
  Timing: As soon as feasible after RROSH

Alberta PIPA
  Applies when: Compromised mailbox held personal information about Alberta individuals
  Report to: OIPC Alberta (breachnotice@oipc.ab.ca)
  Timing: Without unreasonable delay

BC PIPA
  Applies when: Compromised mailbox held personal information about BC individuals
  Report to: OIPC BC (oipc.bc.ca)
  Timing: Voluntary to regulator — no fixed deadline

Individual notification to affected individuals is mandatory under all three frameworks when RROSH is present.


Alberta PIPA — specific steps

  • Notify OIPC Alberta and affected individuals simultaneously — this triggers the streamlined review process and a private closing letter rather than a public investigation
  • Complete the official OIPC Alberta Notification Form — do not submit an informal letter
  • Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
  • Submit by email to breachnotice@oipc.ab.ca

BC PIPA — specific steps

  • BC PIPA applies if the compromised mailbox contained personal information about BC residents — applies regardless of where your organization is based
  • Notify the OIPC BC through their official breach notification process (oipc.bc.ca)
  • Notify affected BC residents directly — do not substitute a general public notice for direct notification
  • Reporting to the OIPC BC is voluntary but strongly recommended; individual notification is mandatory when RROSH is present

MSPs — if managing this for a client

  • Execute email containment steps immediately if you have admin access: session revocation, forwarding rule audit, OAuth review, audit log pull — do not wait for client direction on these time-sensitive steps
  • If the phishing attack targeted your MSP credentials and used your access to reach the client environment, you are a direct party to the breach — document this determination clearly
  • Confirm your service agreement before acting on the client's behalf for regulatory notification
  • Run a ClearBreach assessment under your MSP account for the affected client organization before advising them on obligations

Frequently asked questions

Does a phishing attack trigger PIPEDA breach reporting?

Yes, in most cases. When an attacker accesses a mailbox containing personal information — client records, HR data, financial information — RROSH is typically present under PIPEDA. The key questions are what was in the mailbox and whether access is confirmed. A business email compromise almost always produces a reportable breach.

What is the first step after a business email compromise?

Reset the compromised account password immediately, then revoke all active sessions using your admin console — a password reset does not terminate sessions already in progress. Next, check for forwarding rules and inbox rules set by the attacker. Pull audit logs before they expire on their rolling retention window.

How long do I have to report a phishing breach under PIPEDA?

As soon as feasible after you determine RROSH is present — the OPC expects days, not weeks. Do not wait for a full forensic investigation. Run your RROSH assessment on available information as soon as you have confirmed the scope of what personal information was in the mailbox.

Does Alberta PIPA or BC PIPA apply to a phishing breach?

Alberta PIPA applies if the compromised mailbox contained personal information about Alberta individuals. BC PIPA applies if it contained personal information about BC individuals. These apply regardless of where your organization is based. When both PIPEDA and a provincial PIPA are triggered, file separate reports with each applicable regulator.

What personal information is typically at risk in a business email compromise?

Any personal information accumulated in the mailbox over its lifetime — client correspondence with names, contacts, and financial details; HR records including salaries and personal details; invoices and contracts; and document attachments. Email accounts accumulate years of sensitive data. Assess the full mailbox history, not just recent messages.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.
