Security Incident Management Under Law 25: Obligations and Best Practices
Since September 22, 2022, every organization that holds personal information in Quebec must manage privacy incidents: record each one in a register, and notify the Commission d'accès à l'information (CAI) and the affected individuals whenever an incident presents a risk of serious injury. Here is a complete guide to structuring your incident response process and meeting those legal obligations.
A ransomware attack hits your organization at 3 AM. Customer data has been exfiltrated. You now have a few hours to decide whether to notify the Commission d’accès à l’information du Québec (CAI) and affected individuals. Without a pre-established plan, this decision becomes a legal and operational nightmare. Law 25 leaves no room for improvisation.
Penalties for non-compliance
Failure to comply with the incident obligations exposes an organization to two tiers of sanctions. The CAI can impose administrative monetary penalties of up to 10 million dollars or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Penal proceedings before the courts can lead to fines of up to 25 million dollars or 4% of worldwide turnover, whichever is greater. The CAI also publishes its decisions, which creates a major reputational risk on top of the financial one.
What is a privacy incident under Law 25?
Law 25 uses the term "confidentiality incident" for what this guide calls a privacy incident: any access to, use of or communication of personal information that is not authorized by law, as well as the loss of personal information or any other breach of its protection. In practice this covers cyberattacks, internal leaks, accidental disclosures and the loss of physical media. Note that the incident exists as soon as the unauthorized access or loss occurs, whether or not the data has been misused.
Types of incidents covered
- Cyberattacks (ransomware, data exfiltration, phishing)
- Unauthorized access by an employee or third party
- Accidental data disclosure to the wrong person
- Loss or theft of a device containing personal information
- Accidental or unauthorized destruction of data
- Compromise of a third-party vendor with access to your data
The 6-step incident response process
Detection and internal reporting
- The employee who discovers the incident immediately reports it to their manager
- The manager notifies the PRPI (Person Responsible for Personal Information Protection)
- The incident is recorded in the incident register with a timestamp
- A response team is activated if the incident is significant
Containment and initial assessment
- Isolate compromised systems to limit propagation
- Preserve digital evidence (logs, memory captures, disk images) before rebooting, reimaging or restoring from backup, since these actions destroy the artifacts needed to establish what was accessed
- Conduct a preliminary assessment of the nature and scope of the incident
- Determine whether personal information is involved
Risk of harm assessment
- Identify the categories and number of individuals affected
- Assess the sensitivity of exposed data (health, finances, biometrics, etc.)
- Determine whether the incident presents a risk of serious injury (the Act's term for a serious risk of harm), weighing the three criteria the Act names: the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes
- Document the analysis with each criterion evaluated and the conclusion reached; this record is what you will rely on if the CAI later questions a decision not to notify
Notification to the CAI
- Required only when the assessment concludes there is a risk of serious injury; the Act requires that the CAI be notified with diligence and sets no fixed deadline, so do not wait for the investigation to be complete before declaring
- Complete the CAI incident declaration form
- Submit the form via the CAI online portal
- Include: nature of the incident, data involved, measures taken
- Keep a copy of the declaration with a timestamp
Notification to affected individuals
- Required, like the CAI notification, whenever there is a risk of serious injury; notice to individuals may be deferred, but not waived, where it could hamper an investigation by a body responsible for preventing, detecting or repressing crime
- Identify the contact information of individuals whose data was compromised
- Also notify any person or body that could reduce the risk of injury (for example a bank or payment processor), providing only the information needed for that purpose
- Draft a clear notice: nature of the incident, data involved, measures taken and recommendations
- Send the notice by the means most likely to reach the individuals
- Retain proof of notifications sent
Remediation and recording
- Implement corrective measures to prevent recurrence
- Document the complete incident in the incident register
- Conduct a post-incident review (lessons learned)
- Update policies and procedures if necessary
The incident register: a legal obligation
Every organization must maintain a register of all privacy incidents, including those that do not present a risk of serious injury and were therefore never reported to the CAI. The information in the register must be kept for at least 5 years after the date the organization became aware of the incident, and the register must be provided to the CAI on request. Each entry records:
- Date and time the incident was discovered
- Nature of the incident and known causes
- Categories and approximate number of individuals affected
- Categories of personal information involved
- Measures taken to reduce the risk of harm
- The outcome of the risk-of-harm assessment, with the criteria evaluated
- Whether the CAI and the affected individuals were notified, with the dates
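The register and the assessment step above are simple enough to keep as a small, auditable data structure. The following is an added example, not CapGRC code and not a tool provided by the CAI: an append-only JSON-lines register whose entries carry a UTC timestamp, the five-year retention date (computed from the date of discovery, with February 29 clamped to February 28 in non-leap years), and the list of notifications still outstanding. The three criteria it scores (sensitivity, anticipated consequences, likelihood of injurious use) are the ones the Act names; the 1-to-3 scale, the rule that combines them and the threshold are illustrative assumptions, as are the two sample incidents, which are constructed data.

```python
from __future__ import annotations

import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path

RETENTION_YEARS = 5  # register entries are kept at least five years after discovery


@dataclass
class RiskAssessment:
    sensitivity: int           # 1 = contact details only ... 3 = health, financial, biometric
    consequences: int          # 1 = nuisance ... 3 = fraud, identity theft, physical safety
    likelihood_of_misuse: int  # 1 = data unreadable or recovered ... 3 = exfiltrated by attacker
    rationale: str             # documented reasoning behind the scores

    def serious_injury(self) -> bool:
        # Assumed rule, not the Act's: no serious injury when misuse is implausible
        # (encrypted device, data recovered unread); otherwise a combined score of 6+ of 9.
        if self.likelihood_of_misuse <= 1:
            return False
        return self.sensitivity + self.consequences + self.likelihood_of_misuse >= 6


def _add_years(dt: datetime, years: int) -> datetime:
    """Anniversary date, clamping Feb 29 to Feb 28 when the target year is not a leap year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


@dataclass
class IncidentRecord:
    incident_id: str
    discovered_at: datetime            # when the organization became aware (timezone-aware)
    nature: str
    known_causes: str
    affected_categories: list[str]
    affected_count_estimate: int
    info_categories: list[str]
    mitigation_measures: list[str] = field(default_factory=list)
    assessment: RiskAssessment | None = None
    cai_notified_at: datetime | None = None
    individuals_notified_at: datetime | None = None

    def retain_until(self) -> datetime:
        return _add_years(self.discovered_at, RETENTION_YEARS)

    def notification_required(self) -> bool:
        return self.assessment is not None and self.assessment.serious_injury()

    def outstanding_notifications(self) -> list[str]:
        """Who still has to be notified, given the assessment on file."""
        if not self.notification_required():
            return []
        pending = []
        if self.cai_notified_at is None:
            pending.append("CAI")
        if self.individuals_notified_at is None:
            pending.append("individuals")
        return pending


class IncidentRegister:
    """Append-only JSON-lines file: every incident is recorded, reportable or not."""

    def __init__(self, path: Path):
        self.path = path

    def record(self, rec: IncidentRecord) -> dict:
        entry = asdict(rec)  # nested dataclasses become dicts; datetimes are kept as objects
        entry["recorded_at"] = datetime.now(timezone.utc).isoformat()
        entry["retain_until"] = rec.retain_until().isoformat()
        entry["notification_required"] = rec.notification_required()
        entry["outstanding_notifications"] = rec.outstanding_notifications()
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, default=lambda o: o.isoformat()) + "\n")
        return entry

    def load(self) -> list[dict]:
        if not self.path.exists():
            return []
        with self.path.open(encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def demo(path: Path | None = None) -> list[dict]:
    """Record two constructed incidents (sample data, not real cases) and reload the register."""
    if path is None:
        path = Path(tempfile.mkdtemp()) / "incident_register.jsonl"
    reg = IncidentRegister(path)
    utc = timezone.utc
    reg.record(IncidentRecord(
        incident_id="INC-0001", discovered_at=datetime(2024, 2, 29, 3, 12, tzinfo=utc),
        nature="Ransomware with confirmed exfiltration of the patient database",
        known_causes="Phishing credential theft; VPN without MFA",
        affected_categories=["patients"], affected_count_estimate=12000,
        info_categories=["health", "identity", "contact"],
        mitigation_measures=["VPN isolated", "credentials reset", "disk images preserved"],
        assessment=RiskAssessment(3, 3, 3, "sensitive data confirmed in attacker hands"),
    ))
    reg.record(IncidentRecord(
        incident_id="INC-0002", discovered_at=datetime(2024, 5, 6, 9, 0, tzinfo=utc),
        nature="Lost laptop with full-disk encryption",
        known_causes="Left in a taxi; remote wipe confirmed",
        affected_categories=["employees"], affected_count_estimate=40,
        info_categories=["contact"],
        mitigation_measures=["remote wipe", "session tokens revoked"],
        assessment=RiskAssessment(1, 1, 1, "encrypted, wiped, no sign of access"),
    ))
    return reg.load()


if __name__ == "__main__":
    for e in demo():
        print(e["incident_id"], e["notification_required"], e["outstanding_notifications"], e["retain_until"])
```

Both incidents land in the register, but only the first carries outstanding notifications; once the CAI declaration and the individual notices go out, re-record the incident with `cai_notified_at` and `individuals_notified_at` set so the dates appear in the register as the Act requires. Keep the file itself on write-once or versioned storage, since the point of the register is to show the CAI what you knew and when.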
CapGRC automates your Law 25 incident management
Integrated incident register, guided risk-of-harm assessment and automatic generation of CAI declaration forms.
