The prevailing legislative standard in Canada for a duty to report a breach of data security (loss of data, compromise, etc) seems to be that there is a real risk of serious harm as a result of the breach.
Have Canadian courts or regulators given useful guidance on when that happens, and what kind of harm is serious and likely? I am especially interested in court rulings, since the threat of litigation can focus the data holder’s mind as much as or even more than a regulator’s order. (Have privacy regulators cracked down on reporting requirements or other useful follow-up . . . [more]