ClearBreach

Sample document — fictional scenario

All organization names, incident details, individuals, and assessment results are invented for demonstration purposes only. This is not a real breach assessment.


ClearBreach Assessment Verdict

Meridian Accounting Group Ltd.

Version 2.0 · 2026-05-10

Incident reference

CB-MERI-20260510-4721

This verdict is generated by automated assessment rules. Review all obligations with qualified Canadian privacy counsel before acting on any determination.

What This Document Is

This document is your assessment verdict — an executive-level briefing generated from the answers you provided about this privacy incident. It tells you whether a real risk of significant harm (RROSH) was identified under each applicable privacy framework, what regulatory obligations that determination triggers, and the sequence in which to act. Read this document first. Use the remaining documents in your package to satisfy each obligation identified here. This verdict does not replace legal advice — its purpose is to ensure you understand what the law requires, why it requires it, and what happens if you do not comply.

Overall Verdict

This assessment identified a real risk of significant harm under PIPEDA (Federal) and Alberta PIPA. A real risk of significant harm is the legal threshold that triggers mandatory reporting obligations under Canadian privacy legislation. It is not a prediction of harm — it is a determination that the circumstances of this breach create a meaningful probability that individuals could suffer harm such as identity theft, financial loss, reputational damage, bodily harm, or significant humiliation. The obligations set out below are mandatory. Failure to comply exposes the organization to regulatory investigation, findings of non-compliance, and potential administrative penalties.

Uncertainty Notice — High Watermark Scoring Applied

One or more answers to the assessment were recorded as “possible / unsure.” Under the High Watermark principle applied by this engine, uncertain answers are scored at the confirmed-risk level — the worst plausible outcome — rather than discarded or averaged. This ensures the assessment does not understate obligations when facts are still unknown. The obligations identified in this assessment are therefore based on a worst-case interpretation of the available facts. Once you have more information — such as forensic confirmation of whether data was actually accessed, or the exact categories of personal information involved — you should reassess. The actual risk may be lower and some obligations may not apply. Until that determination is made, treat the obligations in this document as binding.

Your Obligations

Each obligation below is mandatory unless identified as voluntary. The “what this requires” field describes the legal content of the obligation — not just a label. The “timeline” field identifies its basis (statutory or regulatory guidance) and what acting on it requires. The documents in your package are pre-drafted to satisfy the prescribed content requirements for each obligation.

Report to the Office of the Privacy Commissioner of Canada (OPC)

PIPEDA requires that where a breach of security safeguards involving personal information creates a real risk of significant harm to individuals, the organization must report the breach to the Privacy Commissioner of Canada. The report must contain prescribed information about the nature of the breach, the personal information involved, the number of individuals at risk, and the steps taken or planned.

Statutory basis
PIPEDA s.10.1(1)
Timeline type
Regulatory guidance
Timeline
The statute requires reporting "as soon as feasible." The OPC has interpreted this in practice as prompt reporting and has stated that delay for the purpose of completing an internal investigation does not excuse late reporting. Report as soon as you have sufficient information to complete the prescribed fields. Do not wait for the investigation to conclude.
Consequence of failure
Failure to report a qualifying breach to the OPC is an offence under PIPEDA. Organizations found to have delayed without justification have been named in published OPC investigation reports. Knowingly concealing a reportable breach is an offence carrying fines up to $100,000.

Notify Affected Individuals (PIPEDA)

PIPEDA requires that where a breach creates a real risk of significant harm, the organization notify every individual whose personal information was involved in the breach and who is at risk of harm. The notification must contain prescribed information including a description of the breach, the personal information involved, steps the individual can take to protect themselves, and contact information for follow-up questions.

Statutory basis
PIPEDA s.10.1(3)
Timeline type
Regulatory guidance
Timeline
Notification should occur directly and as soon as the organization has sufficient information to notify meaningfully. The OPC expects notification to be sent simultaneously with or as soon as practicable after the OPC report. The OPC has stated that organizations should not delay notifying individuals while a prolonged internal investigation continues. The individual notification letter in your document package is pre-drafted to satisfy prescribed content requirements — complete all placeholders and have counsel review before sending.
Consequence of failure
Failure to notify individuals is an offence under PIPEDA. Late or inadequate notification is a basis for OPC investigation findings. Individuals who suffer harm as a result of failure to notify may have civil claims against the organization.

Report to the Office of the Information and Privacy Commissioner of Alberta (OIPC AB)

Alberta PIPA requires that where a breach of security safeguards creates a real risk of significant harm, the organization report the breach to the OIPC AB. The report is submitted by email to breachnotice@oipc.ab.ca using the OIPC AB prescribed form, which collects information about the organization, the breach, the RROSH determination, individual notification steps taken, and contacts at other regulators if applicable.

Statutory basis
Alberta PIPA s.34.1
Timeline type
Statutory
Timeline
Alberta PIPA s.34.1 requires reporting "as soon as reasonably practicable" after the organization determines that a breach has occurred. This is a statutory obligation — not guidance. Submitting the OIPC AB report simultaneously with individual notification, as described in the April 2024 OIPC AB streamlined review process, is strongly recommended — it results in a private closing letter rather than a formal public investigation. See your OIPC AB report for the complete simultaneous notification procedure.
Consequence of failure
Failure to report may result in a complaint, formal OIPC AB investigation, a compliance order, and a published investigation report. Simultaneous notification maximizes the likelihood of a private, expedient resolution.

Notify Affected Individuals (Alberta PIPA)

Alberta PIPA requires that where a breach of security safeguards creates a real risk of significant harm, the organization notify the affected individuals as soon as reasonably practicable. The statute prescribes five specific elements that must appear in the notice: description of the breach; personal information involved; steps taken to reduce risk; contact information for questions; and further steps the individual may take. All five elements are mandatory — a notice missing any element does not satisfy the obligation.

Statutory basis
Alberta PIPA s.19.1
Timeline type
Statutory
Timeline
Alberta PIPA s.19.1 requires notification "as soon as reasonably practicable" after determining that the breach has occurred. This is a statutory standard — not guidance. The AB PIPA Individual Notice in your document package is pre-drafted to satisfy all five prescribed elements. Complete all placeholders and send simultaneously with the OIPC AB report to qualify for the April 2024 streamlined review process.
Consequence of failure
Failure to provide notice as required may result in a complaint to the OIPC AB, a formal investigation, and an order to comply. The OIPC AB has authority to order corrective action and may publish investigation reports.

Immediate Action Plan

The steps below are sequenced by priority. Complete containment and documentation before filing any regulatory report. Timeline types are identified for each step: Statutory means a legal obligation; Regulatory guidance means the regulator’s stated expectation; Contractual means your own policy or agreement governs the window; Strategic means a timing choice that materially affects how the matter is resolved.

Step 1: Contain the breach

Stop ongoing exposure immediately: revoke access, reset credentials, isolate affected systems, and preserve evidence. Document every containment action with timestamps. Do not overwrite or delete any logs or system state that may be needed for investigation.

Timeline type
Strategic
Timeline
Immediately — before all other steps

Step 2: Activate the Internal Incident Record

Open the Internal Incident Record included in this package and begin logging every action taken. This record is your regulatory defence — gaps in documentation are treated by regulators as gaps in response. Assign a single accountable owner for the record.

Timeline type
Strategic
Timeline
Immediately — concurrent with containment

Step 3: Notify your cyber liability insurer

Check your cyber liability policy for the notification window and required content. Late notification can void coverage. Preserve all incident documentation for the insurer. Your insurer may have preferred vendors for breach coaching, forensic investigation, and legal counsel.

Timeline type
Contractual
Timeline
Per your policy — review it now

Step 4: File the OPC PIPEDA Breach Report and notify affected individuals (PIPEDA)

Complete all placeholder fields in the OPC report draft and the individual notification letter. Have qualified privacy counsel review both before filing. Send the individual notification letter simultaneously with or as soon as practicable after the OPC report.

Timeline type
Regulatory guidance
Timeline
As soon as feasible — the OPC discourages delay pending internal investigation completion

Step 5: File the OIPC AB PIPA Report and send the AB PIPA Individual Notice simultaneously

Submit the OIPC AB report by email to breachnotice@oipc.ab.ca using the official form. Send the AB PIPA Individual Notice to affected individuals simultaneously or as close to simultaneously as possible. Simultaneous submission qualifies the matter for the April 2024 OIPC AB streamlined review process, which closes with a private letter rather than a published investigation report. See your OIPC AB report for the exact simultaneous notification procedure.

Timeline type
Statutory
Timeline
As soon as reasonably practicable — Alberta PIPA s.34.1 and s.19.1

Step 6: Conduct a post-incident review

After all obligations are satisfied, document what caused the breach, what controls failed, and what changes are being made to prevent recurrence. Retain this review as part of your incident record for a minimum of 24 months.

Timeline type
Strategic
Timeline
After all obligations are satisfied — document before institutional memory fades

Advisories

📋 Insurance advisory: Review your cyber liability or errors & omissions policy immediately. Many policies require notification of a potential claim within 24–72 hours of discovery. Failure to notify your insurer promptly may void coverage. Contact your broker before making public statements or incurring significant remediation costs that could affect a claim.

📋 Senior management advisory: Breaches with a real risk of significant harm should be escalated to senior management or the board before any external disclosure. Document the date and time management was informed, who was present, and any decisions made regarding response strategy, notification timing, and regulatory reporting.

ℹ Scope advisory: The full scope of this breach may not yet be known. Reassess if additional information becomes available — more data types identified, access confirmed, or a larger affected population discovered. A material change in scope may change your reporting obligations and timelines.

⚠ Situation changes: If the facts change — containment fails, additional access is confirmed, the affected count increases significantly, or new data types are identified — you must reassess. Obligations that did not apply at the time of this assessment may arise as the situation develops. Document all material changes with dates and who made each determination.

Multi-Framework Assessment

🗺 Multi-framework advisory: This breach triggered obligations under PIPEDA (Federal) and Alberta PIPA. Each framework has different timelines, submission portals, and required content. Review each generated report separately before submitting. Do not submit a single document to multiple regulators — each requires its own submission through its own channel.

Framework Assessment Results

Each framework below was evaluated independently against the same incident facts. The score shown is the aggregated risk weight of all factors that fired. A verdict of RROSH means the score crossed the reporting threshold for that framework. A verdict of BELOW RROSH means it did not. Both determinations are legally significant — RROSH triggers obligations; BELOW RROSH is the documented basis for not reporting under that framework.
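The aggregation described above, together with the High Watermark rule from the Uncertainty Notice, as an added illustration that is not ClearBreach's own engine: the six factor names are the ones listed in this verdict, while the weights, the threshold of 50, the obligation codes' mapping and the sample answers are constructed assumptions. It shows why an "unsure" answer is scored as confirmed risk, how the normalized score and the fired-factor list are derived, and how a later reassessment with confirmed facts can drop the same incident below the threshold.

```python
"""Illustrative High Watermark scoring engine (added example; not ClearBreach's code)."""
from dataclasses import dataclass
from enum import Enum


class Answer(Enum):
    NO = "no"
    UNSURE = "possible / unsure"
    YES = "yes"


@dataclass(frozen=True)
class RiskFactor:
    name: str
    weight: int  # hypothetical weight; the verdict does not publish the engine's real weights


@dataclass(frozen=True)
class Framework:
    name: str
    factors: tuple
    threshold: int      # normalized score at which RROSH is declared (hypothetical value)
    obligations: tuple  # obligations triggered on RROSH (codes as shown in the verdict)


@dataclass
class Assessment:
    framework: str
    verdict: str
    score: int          # normalized 0-100
    fired: list
    hwm_applied: bool
    obligations: tuple


# Factor names are the six listed in the verdict; weights and threshold are constructed.
PIPEDA = Framework(
    name="PIPEDA (Federal)",
    factors=(
        RiskFactor("Sensitivity of personal information", 25),
        RiskFactor("Probability of unauthorized access", 20),
        RiskFactor("Scale of breach", 10),
        RiskFactor("Identity theft potential", 15),
        RiskFactor("Financial harm potential", 15),
        RiskFactor("Malicious or deliberate act", 15),
    ),
    threshold=50,
    obligations=("OPC_REPORT", "INDIVIDUAL_NOTIFICATION"),
)


def effective(answer: Answer, high_watermark: bool) -> Answer:
    """High Watermark: an unsure answer counts as a confirmed YES, never discarded or averaged."""
    if answer is Answer.UNSURE:
        return Answer.YES if high_watermark else Answer.NO
    return answer


def assess(framework: Framework, answers: dict, high_watermark: bool = True) -> Assessment:
    """Sum the weights of every factor that fires and compare the normalized score to the threshold."""
    total_weight = sum(f.weight for f in framework.factors)
    raw = 0
    fired = []
    hwm_applied = False
    for factor in framework.factors:
        answer = answers.get(factor.name, Answer.NO)  # an unanswered factor does not fire
        if answer is Answer.UNSURE and high_watermark:
            hwm_applied = True
        if effective(answer, high_watermark) is Answer.YES:
            fired.append(factor.name)
            raw += factor.weight
    score = round(100 * raw / total_weight)
    rrosh = score >= framework.threshold
    return Assessment(
        framework=framework.name,
        verdict="RROSH" if rrosh else "BELOW RROSH",
        score=score,
        fired=fired,
        hwm_applied=hwm_applied,
        obligations=framework.obligations if rrosh else (),
    )


# Constructed sample answers: forensics has not yet confirmed whether data was accessed.
INITIAL_ANSWERS = {
    "Sensitivity of personal information": Answer.YES,
    "Probability of unauthorized access": Answer.UNSURE,
    "Scale of breach": Answer.NO,
    "Identity theft potential": Answer.YES,
    "Financial harm potential": Answer.NO,
    "Malicious or deliberate act": Answer.NO,
}


def initial_verdict() -> Assessment:
    """Worst-case verdict while the access question is still unsure."""
    return assess(PIPEDA, INITIAL_ANSWERS)


def reassessed_verdict() -> Assessment:
    """Reassessment after forensic confirmation that no data was accessed."""
    confirmed = {**INITIAL_ANSWERS, "Probability of unauthorized access": Answer.NO}
    return assess(PIPEDA, confirmed)


if __name__ == "__main__":
    for a in (initial_verdict(), reassessed_verdict()):
        print(f"{a.framework}: {a.verdict} {a.score}/100 fired={a.fired} "
              f"hwm={a.hwm_applied} obligations={a.obligations}")
```

With these constructed weights the unsure answer is worth 20 points, so the initial run lands at 60/100 and declares RROSH with both obligations, while the reassessment with access ruled out falls to 40/100 and BELOW RROSH. That is exactly the reassessment path the Uncertainty Notice asks for: the worst-case verdict is binding until the fact is confirmed, and the record of which factors fired is what documents the basis for either outcome.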

PIPEDA (Federal)

Verdict: RROSH
Normalized score: 71/100
Obligations triggered: OPC_REPORT, INDIVIDUAL_NOTIFICATION

PIPEDA (Federal) assessment returned a verdict of RROSH — real risk of significant harm. Six risk factors were identified that collectively crossed the reporting threshold. The obligations triggered by this determination are set out in the Your Obligations section above. Note: High Watermark scoring was applied to one or more uncertain answers — the actual risk may be lower once facts are confirmed.

HWM uncertainty applied
Yes — worst-case scoring applied; reassess when facts are confirmed
Risk factors fired
Sensitivity of personal information, Probability of unauthorized access, Scale of breach, Identity theft potential, Financial harm potential, Malicious or deliberate act
Obligations triggered
OPC_REPORT, INDIVIDUAL_NOTIFICATION

Alberta PIPA

Verdict: RROSH
Normalized score: 68/100
Obligations triggered: OIPC_AB_REPORT, INDIVIDUAL_NOTIFICATION

Alberta PIPA assessment returned a verdict of RROSH — real risk of significant harm. Six risk factors were identified that collectively crossed the reporting threshold. The obligations triggered by this determination are set out in the Your Obligations section above. Note: High Watermark scoring was applied to one or more uncertain answers — the actual risk may be lower once facts are confirmed.

HWM uncertainty applied
Yes — worst-case scoring applied; reassess when facts are confirmed
Risk factors fired
Sensitivity of personal information, Probability of unauthorized access, Scale of breach, Identity theft potential, Financial harm potential, Malicious or deliberate act
Obligations triggered
OIPC_AB_REPORT, INDIVIDUAL_NOTIFICATION

Your Document Package

This assessment generated 6 documents. The documents are pre-drafted to satisfy the prescribed content requirements for each obligation identified in this verdict. They are starting points — all placeholder fields must be completed with accurate, specific information before any document is filed or sent. Have qualified Canadian privacy counsel review all external-facing documents before submission.

1. Assessment Verdict Card (Always)
This document — your executive briefing. Read it first. It sets out all obligations, the immediate action plan, and an index of every document in this package.

2. Internal Privacy Incident Record (Always)
Privileged internal documentation. Complete it as the incident response progresses. Do not submit to any regulator or third party — it is your organizational record and regulatory defence. Retain for a minimum of 24 months.

3. Individual Notification Letter (Always)
Draft letter to affected individuals. Complete all placeholder fields, have qualified privacy counsel review it before sending, and retain proof of delivery.

4. OPC PIPEDA Breach Report (Conditional)
Draft report to the Office of the Privacy Commissioner of Canada. Transfer the completed content to the official OPC form before submission. Have counsel review before filing.

5. OIPC AB PIPA Regulator Report (Conditional)
Draft report to the OIPC AB. Submit by email to breachnotice@oipc.ab.ca. Transfer content to the official OIPC AB form before submission. Send simultaneously with the AB PIPA Individual Notice to qualify for the April 2024 streamlined review process.

6. AB PIPA Individual Notice (s.19.1) (Conditional)
Statutory notice to affected individuals under Alberta PIPA s.19.1. Send simultaneously with the OIPC AB report to qualify for the April 2024 OIPC AB streamlined review process. Attach a copy to Section D of the OIPC AB submission.

Assessment Reference

Incident reference
CB-MERI-20260510-4721
Assessment date
2026-05-10
Organization
Meridian Accounting Group Ltd.
Documents generated
6
Frameworks assessed
2

This sample is not legal advice. It demonstrates the format and content of a ClearBreach Assessment Verdict Card using a completely fictional scenario. No real organization, individual, or incident is represented. Consult a qualified Canadian privacy lawyer before submitting any regulatory report.
