← All glossary terms Glossary

What is Data breach?

An incident where personal or sensitive information is accessed, stolen, or exposed without authorization.

A data breach is any incident where information is accessed, copied, stolen, or exposed without authorization — whether by an external attacker, a malicious insider, or a simple misconfiguration. Under Canadian laws like PIPEDA and Quebec's Law 25, a breach involving real risk of significant harm triggers mandatory reporting to regulators and notification of affected individuals, often on tight timelines. The cost of a breach is rarely the initial intrusion; it is the data theft, downtime, notification, and reputational damage that follow. Fast detection and a tested incident-response plan are what separate a contained event from a reportable, headline-making one.

  • Covers unauthorized access, theft, or exposure — by attackers, insiders, or misconfiguration.
  • In Canada, breaches with a real risk of significant harm trigger mandatory reporting.
  • The lasting cost is the aftermath: theft, downtime, notification, and reputation.

En français

Atteinte à la protection des données

Un incident où des renseignements personnels ou sensibles sont consultés, volés ou exposés sans autorisation.

Une atteinte à la protection des données (aussi appelée violation de données) est tout incident où des renseignements sont consultés, copiés, volés ou exposés sans autorisation — que ce soit par un attaquant externe, un initié malveillant ou une simple erreur de configuration. En vertu de lois canadiennes comme la LPRPDE et la Loi 25 du Québec, une atteinte présentant un risque réel de préjudice grave déclenche l'obligation de déclarer aux autorités et d'aviser les personnes touchées, souvent dans des délais serrés. Le coût d'une atteinte tient rarement à l'intrusion initiale, mais au vol de données, à l'interruption et à l'atteinte à la réputation qui suivent.

Data breach: frequently asked questions

What should a business do after a data breach?

Contain it, investigate the scope, and determine whether it poses a real risk of significant harm. If it does, Canadian law requires notifying the regulator and affected individuals — usually on tight timelines. A tested incident-response plan makes this manageable.

Do I have to report every data breach in Canada?

Not every one — but any breach of security safeguards posing a real risk of significant harm must be reported under PIPEDA (and Quebec's Law 25). You also have to keep records of all breaches, regardless of severity.

Want to talk through how this fits your environment?

Book a no-obligation consultation and we'll explain how this plays out for an organization like yours.

Talk to our team