Vendor or Third-Party Breach — Quick Reference Guide

First 30 minutes

• Get the vendor's breach notification in writing — if you received only a verbal briefing, immediately send a written request for full details
• Pull your data-sharing inventory for this vendor: what categories of personal information did you transfer to them? Whose information — customers, employees, patients?
• Designate one person as incident lead — all communications with the vendor and all internal decisions route through them
• Record the exact date and time you received the vendor's notification — this starts your response clock

---

Within 24 hours

• Send the vendor a written request for: which systems were affected, what data categories were involved, whether your organization's data was confirmed accessed or only potentially at risk, and when the breach occurred
• Map the vendor's disclosed breach scope against what you know you shared with them — this is the foundation of your RROSH assessment
• Identify which individuals are affected (customers, employees, other) and which provinces they are in — this determines whether AB PIPA and BC PIPA apply in addition to PIPEDA
• Review your contract and DPA: does the vendor have a contractual obligation to notify you within a specific timeframe? Have they met it? If not, put them on notice in writing
• Begin your ClearBreach assessment — do not wait for vendor confirmation of access before starting

---

Within 72 hours

• Complete your RROSH assessment in ClearBreach and review your verdict
• If PIPEDA RROSH threshold is met: file OPC Breach Report as soon as feasible — do not wait for the vendor's investigation to close
• If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
• If BC PIPA applies and RROSH is met: notify the OIPC BC through their official breach notification process and notify affected BC residents directly
• Send individual notifications directly — describe what happened, what information was involved, what is being done, and what individuals can do to protect themselves
• Document all written communications with the vendor with timestamps

---

Ongoing — until resolution

• Update your Internal Incident Record as the vendor discloses new information — if material new facts emerge after you have already notified, send a follow-up to affected individuals and regulators
• If the vendor's forensics report ultimately contradicts your initial RROSH assessment, document the change and notify your incident lead immediately
• Monitor for signs that compromised data is being misused — credential stuffing, phishing using your customers' information, identity fraud reports
• Retain all records — vendor correspondence, internal assessment records, notifications sent — for 24 months minimum from the date of discovery
• Review your vendor data-sharing inventory and DPA status for all remaining vendors — this incident is the trigger to close any gaps

---

Alberta PIPA — specific steps

• Notify the OIPC Alberta and affected individuals simultaneously — simultaneous filing triggers the streamlined review process and a private closing letter rather than a public investigation
• Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
• Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
• Submit by email to breachnotice@oipc.ab.ca

---

BC PIPA — specific steps

• BC PIPA applies if any affected individuals are BC residents — applies regardless of where your organization is based
• OIPC BC voluntary reporting is available even if RROSH is not present — for borderline cases involving BC residents, voluntary reporting demonstrates good faith
• If RROSH is present: notify the OIPC BC through their official breach notification process at oipc.bc.ca and notify affected BC residents directly
• Do not substitute a general public notice for direct individual notification

---

MSPs — if managing this for a client

• Confirm in writing with the client who leads regulatory notification before acting on their behalf — the client organization is the accountable party under PIPEDA and PIPA
• If your own systems were the ones breached, you are the vendor in this scenario — your obligations run in two directions: your own regulatory notification as the breached party, and your contractual obligation to notify your clients promptly
• Run a ClearBreach assessment under your MSP account for the affected client organization
• Document all client communications with timestamps and keep the client's incident record separate from your own