Bill 25 in Quebec: CAI publishes list of organizations reporting privacy incidents since September 2022

As you know, the new Bill 25 on the protection of personal information came into force in Quebec on September 22, 2022.

As a reminder, this law requires all public, private and NPO organizations to take measures to protect the personal information of Quebecers.

Bill 25 requires all confidentiality incidents (security breaches involving personal information) to be reported to the Commission d'Accès à l'Information (CAI). Penalties of up to $25 million are foreseen as of September 2023.

Publication of the list of victim organizations by the CAI

On May 25, 2023, the CAI published the list of organizations that have reported privacy incidents. The list covers the period from September 2022 to May 2023, and will grow as victim organizations make notifications to the CAI.

The CAI has therefore opted for transparency, which is easy to understand, as the aim of the law is to strengthen the protection of personal information and give citizens more control over their information.

Citizens will be able to consult the list and contact organizations to demand accountability, should they happen to be in possession of their personal information.

Streamscan's advice following the CAI's publication of the list of victim organizations

• Comply with the requirements of the Act by implementing the 2022 and 2023 requirements. From a cybersecurity point of view, you should already have in place an incident response plan and a register of potential incidents.

• Be transparent: in the event of an incident, if it is proven that personal information has been affected, notify the CIA and all those concerned. Offer people options to minimize the risk of identity theft.

• For details on best security practices to minimize the risk of privacy incidents, please visit this link.

What to do if you're already on the CAI list

If your organization is on the list just published by the CAI, expect that a journalist or partners may try to contact you to find out more about the nature of the incident you experienced and how many people were affected. For this, be prepared by following our recommendations below:

• Designate a person responsible for communications and provide him or her with all the information needed to interact with journalists or partners. The basic rule is to remain transparent, while not giving unnecessary details. Be brief and concise.

• Inform all your employees that you have experienced an incident. Should a journalist or partner wish to know more about the incident, the only person authorized to communicate is the designated communications manager. By doing so, you maintain control over communication and ensure that there is only one version of the incident.

• Now that the list is public, the media will be sniffing around. Expect to appear in the media (if you unfortunately appear under a journalist's radar). This can happen regardless of your size (small, medium or large organization). Prepare yourself for the situation by reading our blog post Reacting to the security incident already in the news!

Need help?

Talk to one of our experts.