Incident Notification and Mitigation
Plain English Translation
Under Quebec Law 25, organizations must take immediate and reasonable measures upon discovering a confidentiality incident to minimize harm and prevent future occurrences. If an assessment determines the incident poses a risk of serious injury, the organization must promptly submit a breach notification to the Commission d'accès à l'information (CAI) and inform the affected individuals. Furthermore, all incidents, regardless of their severity or risk level, must be thoroughly documented in a centralized breach register.
Technical Implementation
Required Actions (startup)
- Establish a basic incident response plan detailing immediate containment steps.
- Create an unauthorized disclosure log to act as the required breach register for any confidentiality incidents.
Required Actions (scaleup)
- Implement automated alerting and monitoring to detect potential confidentiality incidents rapidly.
- Integrate risk assessment matrices into the incident response workflow to consistently determine the risk of serious injury.
Required Actions (enterprise)
- Conduct regular tabletop exercises simulating high-risk breaches to test CAI notification procedures and individual outreach.
- Automate the logging of all incidents into a centralized, immutable register that feeds directly into compliance reporting dashboards.
Under Quebec Law 25, a confidentiality incident is defined as the unauthorized access to, use of, or communication of personal information, as well as the loss of personal information or any other breach of its protection.
Section 3.5 requires organizations to take immediate and reasonable measures to reduce the risk of injury and prevent new incidents of the same nature. If the incident presents a risk of serious injury, it triggers the Law 25 (Loi 25) requirement to notify the Commission d'accès à l'information (CAI) of the incident.
Quebec Law 25 confidentiality incident mitigation measures include containing the breach, securing affected IT systems, recovering lost data, and notifying third-party services that can assist in reducing the impact on affected individuals.
To assess the risk of serious injury, Law 25 requires evaluating the sensitivity of the information involved, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes such as identity theft or fraud.
A CAI confidentiality incident notification must be submitted promptly if the internal risk assessment concludes that the incident presents a risk of serious injury to the individuals whose personal information is concerned.
Organizations must promptly notify affected individuals under Loi 25 if there is a risk of serious injury, allowing them to take protective measures, unless doing so would hamper a formal investigation conducted by a law enforcement body.
A proper Quebec Law 25 breach notification should describe the incident, detail the personal information involved, outline the risk mitigation steps taken, and provide contact information for the organization's privacy officer.
Organizations are required to maintain a Quebec Law 25 breach register (registre des incidents de confidentialité) that logs every confidentiality incident, regardless of whether it meets the threshold for serious injury or external reporting.
Effective Quebec Law 25 incident response and prevention of recurrence involves conducting a root cause analysis, patching software vulnerabilities, updating access controls, and refining the post-incident remediation plan. Tools like WatchDog Security's Vulnerability Management can help track findings, assign remediation owners, and monitor closure metrics to reduce repeat incidents.
CISOs should implement a workflow that immediately isolates threats, triggers an assessment for the risk of serious injury, logs the event in the breach register, and escalates to legal counsel to meet the Law 25 deadline for notifying the CAI of a confidentiality incident.
Loi 25 expects organizations to consistently record confidentiality incidents and preserve details needed for follow-up and reporting. Tools like WatchDog Security's Compliance Center can centralize incident records, attach supporting evidence (tickets, communications, reports), and surface gaps so teams can demonstrate that every incident was logged and handled using a repeatable process.
Preventing recurrence typically requires documenting root cause, assigning corrective actions, and verifying completion over time. Tools like WatchDog Security's Risk Register can link an incident to risk treatments, owners, and due dates, helping teams track mitigation progress and produce board-ready status views without relying on ad hoc spreadsheets.
"Any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. If the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the Commission d’accès à l’information established by section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1). He must also notify any person whose personal information is concerned by the incident, failing which the Commission may order him to do so."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |