ClearBreach


What Is RROSH? The Breach Reporting Threshold

By Yong Du

RROSH — Real Risk of Significant Harm — triggers mandatory breach reporting under PIPEDA, Alberta PIPA, and BC PIPA. See how to apply the four factors.

What is RROSH?

RROSH — Real Risk of Significant Harm — is the threshold that triggers mandatory breach reporting under PIPEDA, Alberta PIPA, and BC PIPA. Only breaches that meet RROSH require reporting to the regulator and notifying individuals. Every breach must be recorded internally regardless of RROSH. ClearBreach runs your RROSH assessment under all three frameworks simultaneously and generates your OPC breach report, OIPC Alberta submission, and individual notification letters automatically.

The answer to the RROSH question determines whether the breach must be:

  • Reported to the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA
  • Reported to the OIPC Alberta under Alberta PIPA
  • Voluntarily reported to the OIPC BC (recommended) under BC PIPA
  • Affected individuals notified directly

For jurisdiction-specific reporting requirements: PIPEDA Breach Reporting Requirements · Alberta PIPA Breach Notification Requirements · BC PIPA Privacy Breach Reporting Requirements

RROSH is not a high bar that protects organizations from reporting minor incidents. For most breaches involving sensitive personal information — health records, financial data, social insurance numbers, passwords, or contact information combined with other sensitive data — RROSH will be present.

What counts as significant harm?

Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to property. The harm need not have occurred — a real risk it could occur is sufficient.

The Breach of Security Safeguards Regulations (PIPEDA) define significant harm to include:

  • Bodily harm — physical injury resulting from the breach or its consequences
  • Humiliation — public embarrassment or personal shame resulting from disclosure of sensitive information
  • Damage to reputation or relationships — loss of standing in the community, damaged personal or professional relationships
  • Loss of employment, business, or professional opportunities — job loss, contract termination, or professional licensing issues
  • Financial loss — direct financial theft, fraudulent transactions, or costs incurred by the individual as a result of the breach
  • Identity theft — misuse of personal information to impersonate the individual
  • Negative effects on credit records — fraudulent credit applications, unpaid accounts in the individual's name
  • Damage to or loss of property — physical property damage caused by information disclosure

Alberta PIPA and BC PIPA use the same definition of significant harm.


What are the four factors for assessing RROSH?

The four RROSH factors are: sensitivity of the personal information, probability that it has been or will be misused, number of individuals affected, and whether the information has been recovered. No single factor is determinative — they are weighed together to produce a finding.

How can organizations determine if a real risk of significant harm exists?

Assess all four factors together: the sensitivity of the personal information exposed, the probability it has been or will be misused, the number of individuals affected, and whether the data has been recovered. If the combination produces a genuine — not speculative — possibility of harm, RROSH is present and reporting is mandatory.

Factor 1: Sensitivity of the personal information

Not all personal information carries equal risk. The more sensitive the information involved in a breach, the higher the probability that harm could result from its disclosure.

High sensitivity — information that almost always elevates RROSH probability when compromised:

  • Social Insurance Numbers (SINs)
  • Financial account numbers, PINs, passwords, and credit card data
  • Health and medical information
  • Biometric data
  • Government-issued identification numbers
  • Information about minors

Moderate sensitivity — information that elevates RROSH probability depending on context:

  • Full name combined with date of birth
  • Home address combined with other identifying information
  • Employment information
  • User credentials (email/password combinations)

Lower sensitivity — information less likely on its own to create significant harm risk:

  • Name and employer alone (publicly available)
  • General demographic information
  • Non-sensitive business contact information

Important: sensitivity is not assessed in isolation. A combination of lower-sensitivity fields can still produce RROSH if the combination enables identity theft, targeted fraud, or other harm. Assess the full picture of what was exposed.

Factor 2: Probability that the information has been or will be misused

This factor examines the likelihood that the personal information will actually be used to harm an individual.

Higher probability of misuse:

  • Intentional attack by a threat actor (ransomware, targeted intrusion, insider theft)
  • Confirmed exfiltration of data from the environment
  • Information sold or posted on dark web marketplaces
  • Breach by a known bad actor or organized criminal group

Lower probability of misuse:

  • Accidental send to wrong recipient within the same organization
  • Paper records lost in transit, no indication of interception
  • System vulnerability accessed but no evidence of data extraction
  • Prompt recovery of lost device with evidence it was not accessed

The key question is: given who had access and what their apparent intent was, how likely is it that the personal information will be used to harm someone?

Factor 3: Number of individuals affected

Scale matters, but it is not the only consideration. A breach affecting thousands of individuals with low-sensitivity information may not reach RROSH. A breach affecting one individual with highly sensitive information (a health record, a SIN) may clearly meet the threshold.

As scale increases — particularly for sensitive data — the aggregate risk of harm escalates rapidly. A breach exposing the SINs and financial data of 500 employees carries a near-certain RROSH determination.

Factor 4: Whether the information has been recovered

Recovery of compromised information reduces — but does not eliminate — the probability of harm.

Strong recovery (reduces RROSH probability):

  • Device recovered promptly with verified evidence it was not accessed
  • Misdirected email recalled immediately with confirmation of deletion by recipient
  • Database access revoked before exfiltration is confirmed

Weak or no recovery (increases RROSH probability):

  • Ransomware attack — data is presumed exfiltrated in most cases
  • Stolen device not recovered
  • Credentials compromised in a third-party breach — still circulating
  • No technical confirmation of whether data was accessed

Run your RROSH assessment automatically. ClearBreach evaluates all four factors under PIPEDA, Alberta PIPA, and BC PIPA simultaneously and generates your RROSH Verdict Card, OPC breach report, OIPC Alberta submission, and individual notification letters in under 15 minutes — entirely in your browser.

How does RROSH apply to common breach scenarios?

RROSH application differs by scenario. Ransomware attacks and confirmed exfiltrations almost always trigger RROSH when personal information was present. Lost or stolen unencrypted devices typically trigger RROSH. Accidental internal disclosures with prompt recovery of low-sensitivity information are less likely to meet the threshold.

Scenario, typical RROSH outcome, and key driver:

  • Ransomware (personal data on affected systems): RROSH — almost always. Key driver: malicious intent, confirmed access, probable exfiltration.
  • Business email compromise — sensitive inbox: RROSH — likely. Key driver: high-sensitivity data exposed to an external threat actor.
  • Business email compromise — operational inbox only: assessment required. Key driver: depends entirely on what was in the mailbox.
  • Lost device — unencrypted, sensitive data: RROSH — likely. Key driver: cannot confirm non-access; unrecovered.
  • Lost device — full-disk encrypted: below RROSH — likely. Key driver: encryption eliminates realistic access probability.
  • Accidental send, low-sensitivity data, recovered: below RROSH — likely. Key driver: low probability of misuse, contained, recovered.
  • Third-party vendor breach: assessment required. Key driver: treated as your own breach; data sensitivity determines RROSH.

Ransomware attacks

Ransomware almost always triggers RROSH when personal information was present on affected systems: access is confirmed (the attacker was inside the environment), intent is malicious, and exfiltration is common. Treat RROSH as the default finding unless you have technical evidence that the personal information was never reachable.

Business email compromise and phishing

The outcome depends on what was in the compromised mailbox. A mailbox containing health records, financial data, or SINs carries a high probability of RROSH; a mailbox containing only internal operational communications carries a lower probability. Always review the full contents of the compromised account before concluding RROSH is absent.

Lost or stolen devices

An unencrypted device containing sensitive personal information means RROSH is almost certainly present. An encrypted device with strong credential management carries a much lower probability. Full-disk encryption is the key mitigating factor, provided the encryption keys or unlock credentials were not compromised along with the device.

Third-party vendor breaches

A vendor breach triggers RROSH assessment as if it were a direct breach of your organization. The sensitivity of the data you provided to the vendor and the nature of their breach determine RROSH. You are responsible for the personal information regardless of who holds it.

Accidental disclosure (wrong recipient)

Probability of RROSH depends on: how sensitive the information was, whether it was recovered, who received it, and whether there is evidence it was reviewed or forwarded. A misdirected email containing a single name and address — lower probability. A misdirected file containing hundreds of customers' health records — RROSH almost certainly present.


How does ClearBreach evaluate RROSH?

Run your RROSH assessment automatically — results and documents in under 15 minutes. ClearBreach's rules engine evaluates your breach under PIPEDA, Alberta PIPA, and BC PIPA simultaneously. The 18–23 question assessment gathers the facts that drive each RROSH factor and produces a binary verdict — BELOW_RROSH or RROSH — with specific obligations identified under each applicable framework.

ClearBreach's rules engine was designed specifically around the RROSH assessment framework. The wizard gathers the breach facts that drive each of the four RROSH factors: the type and sensitivity of personal information involved, evidence of access and probable intent, scale of the breach, and recovery status.

The engine evaluates your answers against 24 rules covering PIPEDA, Alberta PIPA, and BC PIPA simultaneously. The result is a binary verdict — BELOW_RROSH (no reporting obligations triggered) or RROSH (reporting obligations apply) — with the specific obligations identified under each applicable framework.

The entire assessment runs in your browser. No breach details are transmitted to ClearBreach servers.
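The four-factor logic described above, reduced to a small triage function. This is an added illustration, not ClearBreach's rules engine or its 24 rules: the sensitivity labels follow the Factor 1 lists on this page, and the scale threshold and the third REVIEW outcome are constructed assumptions.

```python
"""Simplified four-factor RROSH triage (illustrative, not ClearBreach's engine)."""
from dataclasses import dataclass, field

# Sensitivity tiers taken from the guide's Factor 1 lists (labels are constructed).
HIGH = {"sin", "financial_account", "health", "biometric", "gov_id", "minor"}
MODERATE = {"name_dob", "address_plus_id", "employment", "user_credentials"}
SCALE_THRESHOLD = 100  # assumed cut-off for "moderate data at scale"; not from the guide


@dataclass
class Breach:
    data_types: set = field(default_factory=set)  # Factor 1: what was exposed
    malicious: bool = False   # Factor 2: intentional attack / confirmed exfiltration
    encrypted: bool = False   # Factor 2/4: exposed copy encrypted, keys not compromised
    recovered: bool = False   # Factor 4: verified recovery with evidence of non-access
    affected: int = 1         # Factor 3: number of individuals


def sensitivity(types):
    """Classify the highest-sensitivity category present in the exposed data."""
    if types & HIGH:
        return "high"
    if types & MODERATE:
        return "moderate"
    return "low" if types else "none"


def assess(b):
    """Return (verdict, reason). Verdicts: RROSH, BELOW_RROSH, or REVIEW (analyst call)."""
    s = sensitivity(b.data_types)
    if s == "none":
        return "BELOW_RROSH", "no personal information exposed"
    if b.encrypted:  # lost full-disk-encrypted device: no realistic access probability
        return "BELOW_RROSH", "exposed copy encrypted, keys not compromised"
    if b.malicious:  # ransomware, BEC, insider theft: access confirmed, intent malicious
        return "RROSH", f"{s}-sensitivity data exposed to a threat actor"
    if s == "high" and not b.recovered:
        return "RROSH", "high-sensitivity data, not recovered"
    if s == "moderate" and not b.recovered and b.affected >= SCALE_THRESHOLD:
        return "RROSH", "moderate-sensitivity data at scale, not recovered"
    if s == "low" and b.recovered:
        return "BELOW_RROSH", "low sensitivity, contained, recovered"
    return "REVIEW", f"{s} sensitivity, recovered={b.recovered}, affected={b.affected}"


if __name__ == "__main__":
    # Constructed scenarios mirroring the table on this page.
    print(assess(Breach({"employment"}, malicious=True, affected=500)))
    print(assess(Breach({"health"}, encrypted=True)))
    print(assess(Breach({"business_contact"}, recovered=True)))
```

Every breach still gets recorded internally whatever the verdict; the function only decides whether the reporting and notification analysis must proceed.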

Frequently asked questions

What does RROSH mean?

RROSH stands for Real Risk of Significant Harm. Under PIPEDA and provincial PIPA legislation in Alberta and BC, a data breach must be reported to the regulator and affected individuals only if it poses a real risk of significant harm to an individual. The risk must be more than speculative — it must be a genuine possibility given the nature and circumstances of the breach.

What counts as significant harm under PIPEDA?

Significant harm under PIPEDA includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to property. The harm does not need to have occurred — only that there is a real risk it could occur given the nature of the personal information involved and the circumstances of the breach.

What are the four RROSH factors?

The four RROSH factors are: (1) sensitivity of the personal information involved; (2) probability that the information has been, is being, or will be misused; (3) number of individuals affected; and (4) whether the information has been recovered. These factors are assessed together — no single factor is determinative, but highly sensitive information combined with confirmed access almost always produces a finding of RROSH.

Is RROSH the same under PIPEDA, Alberta PIPA, and BC PIPA?

Yes, substantially. All three frameworks use the same RROSH definition and the same four assessment factors. The threshold for triggering reporting and notification obligations is consistent across all three Canadian privacy frameworks. ClearBreach evaluates RROSH simultaneously under all three frameworks in a single assessment.

What breach scenarios almost always trigger RROSH?

Ransomware attacks with personal information on affected systems, confirmed exfiltration of sensitive data (SINs, health records, financial accounts), and deliberate unauthorized access by a threat actor almost always trigger RROSH. Lost or stolen devices containing unencrypted sensitive data typically trigger RROSH. Accidental internal sends of limited non-sensitive information with prompt recovery are less likely to reach the threshold.

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.

Run your formal assessment now

ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.
