{"id":1330,"slug":"pipeda-breach-reporting-rrosh-24-month-records","title":"PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months","kind":"reference","scope":"business","status":"current","audiences":["kevin","smb-owner","candid-team"],"topics":["regulatory-compliance","data-pipeline-maintenance","privacy-pipeda"],"reference_body":"**Claim:** **PIPEDA mandatory breach reporting** (in force since **November 1, 2018**):\n\n- **Report** breaches posing a \"**real risk of significant harm**\" (RROSH) to the Office of the Privacy Commissioner (OPC).\n- **Notify** affected individuals.\n- **Keep records of ALL breaches** (RROSH or not) for **24 months**.\n\n**Source:** https://www.priv.gc.ca/.../gd_pb_201810 ; iapp.org ; lexisnexis.com\n\n**Confidence:** Verified.\n\n**Why this matters for Candid:** The 24-month record-keeping requirement applies to *every* breach, even ones that don't hit the RROSH threshold. This is a recurring operational obligation, not a one-time task — see [[rule-treat-data-custody-as-line-item]]. Same maintenance-discipline argument as the data brief's [[rule-budget-for-pipeline-maintenance-from-day-one]].","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"rule-label-every-published-data-figure-with-vintage","title":"R6 — Every published number gets a label (what it is) and a vintage (how fresh); the Zestimate defence depends on it","kind":"rule","scope":"business","link_type":"relates-to"},{"slug":"pipeda-core-duties-consent-safeguarding-access","title":"PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights","kind":"reference","scope":"business","link_type":"depends-on"}],"incoming":[{"slug":"research-brief-client-portals-smb-june-2026","title":"Research brief: client portals for SMBs — the honest case (June 2026)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"pipeda-100k-per-violation-penalty","title":"PIPEDA penalties — up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records; OPC can refer to AG","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"ibm-ponemon-canadian-breach-cost-2024","title":"IBM/Ponemon Cost of a Data Breach (Jul 30, 2024; 604 orgs; Mar 2023-Feb 2024): Canadian average CA$6.32M (down from CA$6.94M in 2023); 2025 figure ~CA$6.98M per separate edition","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"rule-treat-data-custody-as-line-item","title":"R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch","kind":"rule","scope":"business","link_type":"depends-on"}]},"created_at":"2026-06-20T17:57:32.185Z","updated_at":"2026-06-20T17:57:32.185Z"}