1. About Zurich
  2. Media and news
  3. News
  4. 2019
  5. Mandatory breach reporting requirements

Mandatory breach reporting requirements

Toronto, Ontario, Canada, March 12, 2019

Broker announcement: Your obligations for mandatory breach reporting

The Breach of Security Safeguards Regulations (Regulations) under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) set out prescribed requirements for mandatory breach reporting, which came into force on November 1, 2018.

What does this mean for our brokers?

You play a critical part in ensuring compliance with the new law.


If you suspect that a potential breach of security safeguards has occurred within your operation involving a Zurich Canada customer’s personal information, we ask that you please immediately notify our Zurich Canada Privacy Office at privacy.zurich.canada@zurich.com.

PIPEDA now requires an organization to notify affected individuals and applicable Canadian governmental bodies when it experiences a breach of security safeguards involving personal information under the organization’s control where it is reasonable in the circumstances to believe that the breach poses a “real risk of significant harm” to affected individuals.

A breach of security safeguards can occur when a customer’s personal information is lost, stolen, accessed, disclosed, copied, used or modified without authorization.

Personal information, whether or not publicly available, is broadly defined as “information about an identifiable individual” and includes any factual or subjective information, recorded or not. This includes information in any forms, such as:

  • Age, name, ID numbers, income, ethnic origin or blood type
  • Opinions, evaluations, comments, social status or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, or intentions (for example, to acquire goods or services, or change jobs)