PIPEDA penalties — up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records; OPC can refer to AG
Summary
Claim: Under PIPEDA, knowingly failing to report a breach, notify affected individuals, or maintain breach records is an offence carrying fines up to CAD $100,000 per violation (potentially applied per individual not notified). The OPC can refer matters to the Attorney General of Canada.
Source: gdprlocal.com; cybersecuritycanada.ca; priv.gc.ca
Confidence: Verified.
Why this matters for Candid: Real dollar exposure that lives in the operations column, not the legal-letter column. For most SMBs, individual recurring violations are far more likely than a single catastrophic breach, which makes the 24-month records discipline the practical priority. PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH (real risk of significant harm) breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months.