Confidentiality Incident: What to Do in the First 72 Hours
An employee sends an investment statement to the wrong client by email. A laptop containing financial files is stolen from a car. A former employee accesses the CRM three weeks after their departure. Each of these situations is a confidentiality incident under Law 25, and each triggers specific obligations.
Here, step by step, is what your firm must do when an incident occurs.
What Is a Confidentiality Incident
Law 25 defines four types of events that constitute a confidentiality incident:
- Unauthorized access. Someone who shouldn't have seen the information accessed it. For example, an employee who views a client's file without a professional reason, or a hacker who accesses your system.
- Unauthorized use. Information is used for a purpose that wasn't planned or authorized. For example, an employee who uses the firm's client list to solicit personal business.
- Unauthorized communication. Information is transmitted to a person or organization that shouldn't have received it. For example, sending a document containing SINs to the wrong recipient by email.
- Loss. Information is no longer accessible and its location is unknown. For example, a USB drive containing client files that's been misplaced, or a stolen laptop.
The key point: the incident doesn't have to be the result of a spectacular cyberattack. Ordinary human errors (wrong recipient, document left on a shared printer, lost device) are the most frequent incidents in financial services firms.
Step 1: Contain the Incident Immediately
Before even assessing the risk, take the necessary measures to limit the scope of the incident.
- Email sent to the wrong recipient: Contact the recipient immediately to ask them to delete the message without reading or forwarding it. Document the exchange.
- Unauthorized access to a system: Revoke the access in question. Change compromised passwords. Check access logs to determine what information was viewed or copied.
- Lost or stolen device: Activate remote wiping if the feature is available. Check whether the device was encrypted (if so, the risk of harm is considerably reduced). Report the theft to police if applicable.
- Cyberattack or ransomware: Isolate affected systems from the network. Don't pay the ransom without consulting a cybersecurity expert. Contact your cyber insurer if you have one.
Every minute counts for containment. The longer the incident lasts, the more people are affected and the greater the risk of harm.
Step 2: Assess the Risk of Serious Harm
This is the step that determines whether you must notify the CAI and affected individuals, or simply record the incident in the register.
The law requires you to assess whether the incident presents a risk of serious harm to the individuals concerned. Three factors guide this assessment:
- The sensitivity of the information affected. Financial information (bank statements, investments, income), social insurance numbers, health data, and biometric data are considered highly sensitive. An incident involving a SIN is almost always considered as presenting a serious risk. An incident involving only a name and postal address is generally less severe.
- The anticipated consequences of using the information. Identity theft, financial fraud, reputational damage, discrimination, job loss. In the financial sector, the data you hold directly enables fraud. The risk of serious consequences is therefore high by default.
- The likelihood that the information will be used for malicious purposes. An email accidentally sent to another client of your firm (who understands the situation and deletes the message) presents a lower risk than data exfiltration by a hacker. Context matters.
Practical rule for financial firms: If the incident involves SINs, banking data, credit information, or health data for insurance, assume by default that the risk of serious harm is present. It's better to notify out of caution than to underestimate the risk and face penalties for failure to notify.
Step 3: Notify the CAI (If Serious Harm Risk)
If your assessment concludes there is a risk of serious harm, you must notify the CAI "with diligence." The law doesn't set a precise deadline in hours, but the term "with diligence" is interpreted as "as quickly as possible under the circumstances." In practice, aim for 72 hours following awareness of the incident, a timeline aligned with the European GDPR standard and considered reasonable by the legal community.
How to notify: The CAI has made an incident declaration form available on its website (cai.gouv.qc.ca). The form asks you to provide:
- A description of the incident (what, when, how)
- The categories of personal information affected
- The number of individuals concerned (or an estimate)
- The measures taken to limit consequences
- The contact information of the privacy officer in your organization
Step 4: Notify Affected Individuals (If Serious Harm Risk)
In parallel with the CAI notification, you must inform the individuals whose information is concerned. The notice must enable them to take protective measures.
Notice content:
- A clear description of the incident
- The types of information affected
- The measures you've taken to limit risks
- The measures the person can take to protect themselves (e.g., monitor bank statements, activate a credit alert, change passwords)
- The privacy officer's contact information for questions
Step 5: Document in the Register
All incidents must be recorded in the register, whether or not they present a risk of serious harm. This is a separate obligation from notification. Even a minor incident (an email to the wrong recipient that's quickly deleted) must appear in the register.
The register must contain at minimum:
- The date of the incident and the date it was discovered
- A description of the incident
- The categories of personal information affected
- The number of individuals concerned (or an estimate)
- The serious harm risk assessment (with your reasoning)
- The measures taken to limit consequences
- If the CAI and individuals were notified, the notification dates
The register must be kept for at least 5 years and be accessible to the CAI on request. In the event of an investigation, it's the first document the CAI will ask to see. A well-maintained register demonstrates your diligence. An absent or incomplete register is a violation in itself.
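To make Steps 2, 3 and 5 concrete, here is an added example (not the CAI's form and not a tool from the article's author) that models a register entry with the minimum fields listed above, applies the article's conservative default for high-sensitivity data, derives the notification obligations, counts the 72-hour target from the discovery date, and flags the gaps a review of the register would catch. The category labels, field names and the `sample_entry` helper are this example's own assumptions; map your firm's taxonomy onto them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class IncidentType(Enum):
    """The four event types the article lists (labels are this example's own)."""
    UNAUTHORIZED_ACCESS = "unauthorized access"
    UNAUTHORIZED_USE = "unauthorized use"
    UNAUTHORIZED_COMMUNICATION = "unauthorized communication"
    LOSS = "loss"


# Categories the article says financial firms should treat as serious-harm by default.
# Assumed labels, not CAI vocabulary: normalise your own data taxonomy to these strings.
HIGH_SENSITIVITY = {"sin", "banking", "credit", "health", "biometric", "financial"}

# The article's practical target: notify within 72 hours of becoming aware (not a legal deadline).
NOTIFICATION_TARGET = timedelta(hours=72)


@dataclass
class RegisterEntry:
    """Minimum register content from the article, plus the two notification dates."""
    incident_date: datetime
    discovery_date: datetime
    incident_type: IncidentType
    description: str
    categories: List[str]            # categories of personal information affected
    individuals_affected: int        # exact count or an estimate
    containment_measures: List[str]  # measures taken to limit consequences
    serious_harm: Optional[bool] = None   # filled in by assess()
    assessment_reasoning: str = ""        # filled in by assess(); the register needs the "why"
    cai_notified_on: Optional[datetime] = None
    individuals_notified_on: Optional[datetime] = None


def assess(entry: RegisterEntry, likely_malicious_use: bool) -> bool:
    """Apply the three factors with the article's conservative default.

    Any high-sensitivity category => serious harm assumed, whatever the context.
    Otherwise the likelihood of malicious use (exfiltration vs. a cooperative
    wrong recipient) decides. The reasoning is recorded for the register.
    """
    sensitive = sorted(c for c in entry.categories if c.lower() in HIGH_SENSITIVITY)
    if sensitive:
        entry.serious_harm = True
        entry.assessment_reasoning = (
            f"High-sensitivity categories {sensitive}: serious harm assumed by default "
            f"({entry.individuals_affected} individual(s))."
        )
    else:
        entry.serious_harm = likely_malicious_use
        entry.assessment_reasoning = (
            "No high-sensitivity data; malicious use "
            + ("likely" if likely_malicious_use else "unlikely")
            + "; serious harm " + ("present." if likely_malicious_use else "not present.")
        )
    return entry.serious_harm


def obligations(entry: RegisterEntry) -> Dict[str, bool]:
    """The register is always required; both notifications hinge on serious harm."""
    if entry.serious_harm is None:
        raise ValueError("run assess() before deriving obligations")
    return {"record_in_register": True,
            "notify_cai": entry.serious_harm,
            "notify_individuals": entry.serious_harm}


def notification_deadline(entry: RegisterEntry) -> datetime:
    """72-hour target counted from awareness (discovery), not from the incident itself."""
    return entry.discovery_date + NOTIFICATION_TARGET


def validate(entry: RegisterEntry) -> List[str]:
    """Gaps a CAI review would flag; an empty list means the entry is complete."""
    issues: List[str] = []
    if entry.serious_harm is None or not entry.assessment_reasoning:
        return ["serious-harm assessment or its reasoning is missing"]
    if entry.discovery_date < entry.incident_date:
        issues.append("discovery date precedes incident date")
    if entry.serious_harm:
        deadline = notification_deadline(entry)
        for label, sent in (("CAI", entry.cai_notified_on),
                            ("affected individuals", entry.individuals_notified_on)):
            if sent is None:
                issues.append(f"{label} notification date missing despite serious-harm finding")
            elif sent > deadline:
                issues.append(f"{label} notified {sent - deadline} after the 72-hour target")
    return issues


def sample_entry(categories: List[str],
                 incident_type: IncidentType = IncidentType.UNAUTHORIZED_COMMUNICATION) -> RegisterEntry:
    """Constructed scenario (dates and facts invented): a statement emailed to the wrong client."""
    return RegisterEntry(
        incident_date=datetime(2026, 3, 2, 9, 15), discovery_date=datetime(2026, 3, 2, 9, 40),
        incident_type=incident_type, description="Investment statement emailed to wrong client",
        categories=categories, individuals_affected=1,
        containment_measures=["recipient asked to delete; confirmation documented"])


if __name__ == "__main__":
    e = sample_entry(["name", "SIN", "financial"])
    assess(e, likely_malicious_use=False)   # cooperative recipient, but a SIN was exposed
    print(obligations(e), notification_deadline(e), validate(e), sep="\n")
```

The point of `validate` is that it keeps checking after the assessment is done: a serious-harm finding with no notification date, or a date past the 72-hour target, is exactly what an investigator reading the register would notice first.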
Common Mistakes to Avoid
Underestimating the risk to avoid notifying. This is the most dangerous. If the CAI discovers after the fact that an incident presented a serious risk and you didn't notify, you face penalties for two violations instead of one: the incident itself and the failure to notify. When in doubt, notify.
Waiting for absolute certainty before acting. You may never know exactly how many people are affected or whether the data has been used maliciously. The law doesn't require absolute certainty. It requires you to assess the risk with available information and act "with diligence."
Not documenting "minor" incidents. The email sent to the wrong client and deleted within a minute? That's an incident. The former intern who still has access to a shared folder for 48 hours? That's an incident. Record them. What seems minor today can become significant if a pattern emerges (e.g., several emails sent to wrong recipients over a few months, revealing a systemic problem).
Improvising the response on the day of the incident. The worst time to write a response plan is when the incident has just occurred. Prepare your templates, contact lists, and procedures in advance. Run a fictional exercise at least once a year with your team.
Forgetting to notify individuals after notifying the CAI. The two notifications are separate obligations. Notifying the CAI doesn't exempt you from informing affected individuals. And vice versa.
Prepare Before It Happens
Preparation makes all the difference between a well-managed incident that strengthens client trust and a poorly managed one that becomes a reputational crisis and lawsuit.
Create your response plan now. A 2-to-3-page document describing: who the privacy officer is, who is contacted first (IT, management, legal), containment steps, the CAI notification template, the individual notice template, and the register entry procedure.
Train your team. Every employee must know what to do when they detect an incident: don't try to resolve it alone, report immediately to the privacy officer, don't delete evidence. An unreported incident is an undocumented incident, which worsens the situation.
Test your plan. Once a year, simulate a fictional incident. An email to the wrong recipient, a stolen laptop, unauthorized access. Time your team's response. Identify gaps. Fix them.
---
*This article is part of a series on Law 25 and compliance for financial services firms. See also:*
- *[Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
- *[Law 25 Fines: Understanding Penalty Calculations for Your Firm](/blog/law-25-fines-penalty-calculations)*
- *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-checklist)*
- *[Law 25 Class Actions: The Financial Risk Small Firms Underestimate](/blog/law-25-class-action-risk-small-firms)*
Frequently Asked Questions
Does Law 25 impose a specific deadline to notify the CAI?
No. The law uses the expression "with diligence" without setting a specific number of hours or days. In practice, a 72-hour timeline is considered reasonable by the legal community, consistent with the European GDPR standard. The key is not to wait until your internal investigation is complete before notifying.
Must I record an incident in the register even if there is no risk of serious harm?
Yes. The register must contain all confidentiality incidents, regardless of their severity. Only the notification to the CAI and affected individuals is conditional on the risk of serious harm. The register is universal.
My firm has cyber insurance. Does that exempt me from notifying the CAI?
No. Cyber insurance may cover costs related to the incident (investigation, notification, credit protection, legal fees), but it does not replace any legal obligation. You must still assess the risk, notify the CAI and affected individuals, and record the incident in the register.
Is an email sent to the wrong client really a confidentiality incident?
Yes. As soon as personal information is communicated to a person who should not have received it, it constitutes unauthorized communication under Law 25. The severity varies depending on the content (a name and phone number vs. a SIN and financial statement), but the event is an incident and must be recorded in the register.