DEFINITIONS
A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.
A breach may be the result of:
-
Internal error
-
Email, mail and faxes sent to the wrong individual(s)
-
Emailing unauthorized information
-
Faxes sent to an unsecure fax
-
Mail or couriers sent to the wrong person
-
Documents lost or gone missing on public transport
-
Documents disposed of in the trash, or intended for shredding
and disposed of improperly -
Loss of files or devices, including laptops, phones, and hard drives
-
Verbal disclosure
-
-
Theft
-
Information taken by a current/former employee
-
Office and car break‐ins resulting in the loss of files and devices, including laptops, phones, and hard drives
-
-
System Compromise
-
Targeted attacks by external actors
-
Examples of a data breach would be the publishing of or loss of any of the following information:
-
Names, email addresses, telephone numbers, passwords of Cybera members or cloud users
-
Names, addresses, telephone numbers, passwords, salary information of Cybera employees
PROCEDURE
In the event that a Cybera employee becomes aware of a potential breach, the following procedure is triggered, with reference to the Personal Information Protection Act Breach Reporting Guide.

Immediately upon recognizing breach: |
The employee must immediately inform their manager and Cybera’s Privacy Officer of the date, location, and circumstances of the breach. |
Within 72 hours of recognizing breach: |
Under the leadership of Cybera’s Privacy Officer, staff will perform an analysis and determine:
The CEO, in consultation with the Privacy Officer and the Board of Directors will determine whether to activate the Crisis Communications Plan. |
Within 48 hours of completing the breach analysis: |
If a real risk of harm to individuals is identified, staff will provide notice to the Office of the Information and Privacy Commissioner of Alberta without unreasonable delay. The Office of the Privacy Commissioner provides a breach report form on its website. Fill out the most up to date breach report form document. Notice to the OIPC will contain the following:
If a real risk of harm to individuals is identified, staff will notify the affected individuals of the breach and their compromised personal information by email or mailed letter. The notice will include the circumstances, date of the breach (or at least an estimate), a description of the personal information, steps taken to control the harm, measures those affected can take, and the contact information of Cybera’s Privacy Officer. |
COMPLAINTS
Please direct comments, questions, and complaints of violations related to this procedure to policy@cybera.ca.
PDF version of the Privacy Breach – Notification Procedure.