Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

It used to be a bit more difficult during the summer months to come up with something to write about in this space on a weekly basis because it seemed like the whole world was on vacation. The summer of 2025 is decidedly different. There are always stories, updates, new guidance and regulatory and court decisions to learn about.

This past week, the Office of the Privacy Commissioner of Canada announced it is investigating the cyberattack suffered by the airline WestJet. Since 2018, breach reporting under the Personal Information Protection and Electronic Documents Act has been mandatory if the failure of the safeguards results in a real risk of serious harm. When personal information is stolen by a cybercriminal, it is almost certain regulators would conclude the standard for reporting was met and that they would expect notification.

From my experience dealing with regulators on breaches, I think they are increasingly looking for — and maybe also needing — innovative ways to effectively deal with these cases. My impression is that there is an overwhelming number of them, and they simply can't keep up. Case in point: I worked with a client back in the winter of 2024 — yes, not 2025, but 2024 — and reported a breach caused by a cyberattack to one of our provincial regulators. Yesterday — yes, one and a half years later — we received an email indicating the file has now been assigned to a staff member for "resolution."

Quite frankly, while I'm trying to contact my client about this, I'm thinking there's a decent chance the people with institutional knowledge of this incident have moved on. I'm not sure what will be required to get the matter to "resolution," but if it involves getting first-hand knowledge from people who were involved, only starting the process of gathering information now feels a little late, don't you think?

Contrast this with the situation I wrote about a few weeks ago, where I explained that our firm helped PowerSchool deal with Canadian regulators after they reported a breach in January of this year. The OPC's approach on this file was much more creative, forward-looking and practical. Essentially, they just wanted assurance that everything necessary was being done to make sure Canadians' personal information is properly safeguarded.

That approach seems sensible. Waiting one and a half years to assign someone to investigate a breach and, to make it worse, a cyber incident, doesn't seem practical at all.

I'm quite curious to see what comes of the WestJet investigation. I may not be working on that one, but I'm still rooting for the parties involved to not waste time and money on protracted delays that don't result in practical outcomes.

These cybercriminals are a growing menace, and the best thing is for everyone — regulators and organizations — to work at doing their best to make it difficult for them to exploit us. Hacked companies tend not to waste any time fixing things — there's a lot at stake.

I'm not suggesting scrutiny is fun, but these kinds of files deserve swift and focused attention from the regulators as well — so the matter can be dealt with and everyone can move on. Imagine if an organization took more than one and a half years to respond to queries from a regulator about a breach that occurred. I wonder what would happen.

Don't worry. I'm not about to test that theory out.

Kris Klein, CIPP/C, CIPM, FIP, is the managing director, Canada, for the IAPP.

This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.