ARTICLE
7 April 2025

Overview Of The Cyber Threat Horizon: 2025 Privacy Breach Insights – Part 1

McCarthy Tétrault LLP


This article is part of our 2025 Privacy Breach Insights series, designed to help companies navigate the evolving privacy breach landscape. As privacy threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To stay ahead of these challenges, each part of this series provides actionable insights on privacy breach preparedness, compliance obligations, and risk mitigation. Explore the full series here.

This is the first part of our 2025 Privacy Breach Insights blog series. It presents an overview of the current threat landscape pertaining to privacy breaches ("breaches"), offering insight into the potential challenges that companies may encounter as the year, and possibly a breach, unfolds. Much of the data referenced in this Part extends beyond breaches implicating personal information; however, all of it remains pertinent to understanding the current privacy breach landscape.

Breaches were a significant and costly issue for companies in 2024 and are expected to persist in 2025. According to an IBM report published in July 2024 – the Cost of a Data Breach 2024 ("IBM Report") – the average cost of a breach in Canada was USD$4.66 million [1] (which is about CAD$6.64 million). [2] Costs from breaches arise from operational disruptions, incident response (e.g. forensics and e-discovery), and compliance with applicable (and often overlapping) privacy laws, including breach notifications and record-keeping requirements. In Quebec, the Act respecting the protection of personal information ("Quebec Act") permits severe fines related to breaches and breach response, potentially reaching 2% of global turnover or $10 million for administrative monetary fines, and up to 4% or $25 million for penal fines. In light of the high costs resulting from breaches, which show no sign of coming down, companies should be diligently monitoring the threat landscape to enhance preparedness and risk mitigation strategies.

The External Threat Horizon

(A) External Threat Outlook

In recent years, many companies have accepted the harsh reality that it's less about "if" and more about "when," "how severe," and "how ready we'll be" when external threat actors successfully penetrate their defenses. This sentiment is shared by the Canadian Centre for Cyber Security ("CCCS"). In its National Cyber Threat Assessment 2025-2026 ("NCTA 25/26"), the CCCS writes that "Canada has entered a new era of cyber vulnerability where cyber threats are ever-present, and Canadians will increasingly feel the impact of cyber incidents that have cascading and disruptive effects on their daily lives." [3]

(i) Increase in the Number of Threat Actors

As Google Cloud Security explains in its Cybersecurity Forecast 2025 ("Google Report"), there is a "democratizing of cyber capabilities" brought about by less sophisticated actors getting their hands on advanced "as-a-service" tools. [4] Such tools are accessible to malicious actors of all calibers and types through what the CCCS terms "Cybercrime-as-a-service" or "CaaS". [5] With CaaS, specialized threat actors distribute malicious tools or stolen data to other, often less technically sophisticated, criminals through criminal online marketplaces. [6] The net effect of CaaS is the lowering (and even outright removal) of barriers to entry for would-be cyber criminals, and therefore an increase in the number of external threat actors.

(ii) Increased Sophistication

AI-powered tools. A major factor that is expected to continue shaping the risk landscape is the rise in threat actors' use of high-quality tools powered by AI. In the NCTA 25/26, the CCCS writes that "AI technologies are almost certainly [...] enhancing the quality, scale, and precision of malicious cyber threat activity". [7]

CaaS. In addition to lowering the barriers to entry for threat actors, CaaS is also useful for established criminal enterprises. CaaS provides established criminal enterprises with access to specialized tools and data which allow them to enhance and augment their existing cyber crime activities. [8]

(iii) Key External Threats

The following external threats are expected to pose significant risks to companies throughout 2025.

A. Ransomware

Most data-driven reports indicate that ransomware is still an ever-present risk for companies. The NCTA 25/26 reports that ransomware "will almost certainly continue to grow in the next two years", [9] noting that ransomware actors have likely recovered from (and adapted to) heightened law enforcement pressure and other disruptions to the ransomware ecosystem in recent years. [10]

Companies should take note of the following trends in ransomware when developing their prevention and response strategies.

  • An affiliate-centric model: A version of CaaS has also reshaped the ransomware ecosystem with a "ransomware-as-a-service" or "RaaS" model. In the RaaS model, parent threat actor organizations tend to sell or lease their ransomware variant to affiliates. [11] One notable result of this 'white-labelled' outsourcing to affiliates is an increased volatility in threat actor behavior. For instance, Victim Company A might have a very different experience than Victim Company B when dealing with the same general threat actor organization. It is entirely possible that upon payment, one victim might get a functional decryption key and assurances that its compromised data will be deleted, while the other victim might get a dysfunctional key and have their data published on the dark web.
  • Better obfuscation tactics: Threat actors are continuously developing new tactics and strategies to better hide themselves within a victim environment. The NCTA 25/26 reports that threat actors are using increasingly advanced encryption techniques to make it harder for victims to recover their data (e.g. hybrid, multi-layered encryption). [12] Threat actors are also 'living off the land' – using the victim's own legitimate tools to remain in the network undetected – for longer periods of time to increase their lateral movement and attack effectiveness before dropping a ransom note. [13]

B. Social Engineering

Social engineering attacks, such as phishing, pretexting and impersonation, are expected to persist as major external threats in 2025. Generative AI is expected to play a major role as threat actors leverage high-quality deepfakes and other hyper-realistic content to establish legitimacy with victims. [14] AI-generated content tends to do a better job of avoiding the more traditional social engineering giveaways, such as grammatical and typographical errors and a lack of personalization. [15]

C. Supply Chain Attacks

As companies continue to embrace digital transformation and integrate sophisticated technology stacks, their dependence on specialized vendors that provide these advanced solutions also grows. Most companies rely on third-party vendors for key business functions such as enterprise-wide hosting (e.g., AWS and Azure) and enterprise resource planning solutions, which may include customer relationship management (CRM) and human resource management (HRM). Most of these vendors will process sensitive data belonging to the company, including personal information of employees and customers.

The NCTA 25/26 reports that vendor concentration is increasing cyber vulnerabilities. [16] As customers concentrate around the same large technology vendors, such vendors become centralized hubs of large amounts of data. This concentration makes them attractive targets for threat actors, who, by compromising a single vendor, can potentially gain access to the sensitive data of many companies at once. A good example dates to 2023, when CLOP – a ransomware operation – exploited MOVEit, a file transfer product used by thousands of companies globally. The single breach impacted approximately 2,750 companies and 94 million individuals, and resulted in approximately USD$100 million in ransom payments. [17]

Given the profitability of attacking these heavily concentrated vendors, the NCTA 25/26 expects this style of attack to persist in the next two years. The Google Report notes that while this style of attack has trended upward since 2018, "the number of targeted vendors reached an all-time-high in 2023". [18] Google also expects the number of targeted vendors to increase. [19]

Under Canadian privacy laws, a company remains accountable for personal information that it shares with a third-party vendor for processing on its behalf. Consequently, if a company's vendor is breached and personal information belonging to the company is compromised, depending on the facts, the incident may also be considered to be a breach of the company. In such situations, the company must ensure that any response satisfies its own mandatory breach record-keeping and notification obligations under privacy laws. This underscores the critical need for companies to exercise stringent oversight and enforce robust data protection measures (including strong contractual controls) when engaging with third-party vendors.

(B) Mitigation Strategies

Companies should consider including the following in their strategies to mitigate the external threats identified above.

(i) Incident Response Plan

An incident response (IR) plan that evolves with the threat landscape is an incredibly useful tool to help keep the company organized when a breach occurs. Given the current threat landscape, it is imperative for companies to update their IR plans regularly to effectively address the persistent threat of attack. Responding to an attack tends to require the help of certain service providers, namely for ransom negotiation and forensics. Therefore, it's critical for the IR plan to delineate a clear strategy that enables the company to maintain legal privilege throughout the incident response process. This includes the engagement of legal counsel and ensuring that communications and activities during the response are appropriately protected.

The IR plan should incorporate lessons learned over time. Companies should conduct simulations – often referred to as tabletop exercises – to test the effectiveness of their IR plans. These simulations should incorporate elements that are characteristic of the current threat landscape, such as the erratic nature of a ransomware affiliate or the hyper-realistic content in an AI-powered social engineering attack. Following such simulations or a real-life breach, a company should adjust its IR plan to address gaps identified in its response.

(ii) Data Hygiene

Companies must ensure that they only retain personal information for as long as reasonably necessary to fulfill the purposes for which such information was collected (or as otherwise legally required). Not only is hygienic retention a requirement under Canadian privacy laws, but it is a good strategy to mitigate the impact of an attack by giving threat actors less data to encrypt and exfiltrate. In practice, this means that companies should know what data they have (i.e., data mapping) and implement a data retention policy and process with clearly defined retention periods. Information governance is a challenge for most organizations; pragmatic approaches can include reducing exposure through archiving (i.e., offline storage) and de-identification.

Similarly, when it comes to sharing personal information with third-party vendors, companies must exercise diligence by restricting the data shared to only what is necessary for the vendor to perform their contracted services. This targeted approach to data sharing helps mitigate the heightened risk of breaches that may occur when threat actors target centralized vendors with access to large volumes of personal information.

(iii) Vendor Management

Mitigating privacy breach risks when a vendor is processing personal information on behalf of a company is crucial as threat actors increasingly target these vendors. Companies should consider the following in building their vendor management strategy:

  • Vendor Diligence. Companies should have a standard process for assessing their vendors' security and privacy controls. Given the ever-present threat of ransomware, companies should pay extra attention to controls that mitigate this risk, such as looking into the encryption standards used by the vendor for data at rest and in transit, data segregation methodologies, subcontractor and subprocessor controls, and data backup requirements.
  • Contractual Safeguards. Appropriate contractual controls are another necessary component of a vendor management strategy. Certain privacy laws require that a written agreement be entered into with service providers. For instance, Article 18.3 of the Quebec Act provides that personal information can only be shared with a service provider without obtaining consent if a written agreement containing certain baseline security controls is entered into.

In light of the heightened risk of central vendors being targeted, companies should consider the following controls:

  • Breach Notification – The contract should provide a clear definition of breaches along with a set of vendor obligations that would permit the company to comply with its obligations under privacy laws. These obligations should include (i) reporting the breach to the company promptly and in all cases, within a maximum time period, (ii) sharing information about the breach with the company as is reasonably required for the company to comply with its record-keeping and notification obligations and (iii) taking prompt containment and remediation steps.
  • Clarity on Notification Obligations – There is a history of confusion in Canada over which party has the notification obligation. While we don't formally have 'controller' or 'processor' roles under Canadian private sector privacy laws as there are under the GDPR, we do have a principle that a company remains accountable for personal information under its control. However, it is almost always better to clearly delineate which party is responsible for breach notification, particularly when getting into gray areas such as where personal information is "disclosed" to the vendor for the vendor's own purposes (i.e., the vendor is not processing the data on the company's behalf). In such scenarios, the breach notification obligations may not clearly fall on either the vendor or the company. It is important to have this discussion with a company's vendors and then make sure that the correct roles are assigned to each party in the contract.
  • Allocation of Liability – When it comes to indemnities for breaches, the discussion frequently centers around the mere allocation of risk. However, companies should adopt a more nuanced approach, focusing on specifics such as who will manage the breach response and who will bear the financial burden associated with it. Negotiations over indemnities and limitations of liability should move beyond mere positional bargaining. Vendors and processors that engage with a sophisticated and well-considered strategy should offer more substantial provisions than just a 'stretch' liability cap. These provisions might include detailed response obligations, clear definitions of covered damages, and a thoughtful balance of risks and responsibilities that align with the actual potential impact of a breach.

Internal Threat Horizon

(A) Internal Threat Outlook

Companies often focus on external threats when considering breaches, but many incidents involve insiders both with and without malicious intent. Human errors were a significant factor in the occurrence of breaches throughout 2024. The IBM Report points to human error as the root cause of 22% of breaches, [20] while Verizon's 2024 Data Breach Investigations Report ("Verizon Report"), which was released earlier in 2024, puts this figure at 28%. [21]

The most common action that drives these incidents is 'misdelivery' – which is when data is sent to the wrong recipient. [22] Common examples include an employee accidentally emailing a customer's data to the wrong recipient or misconfiguring the access permissions for a cloud-based document. These incidents typically satisfy legal definitions related to breaches, as they involve unauthorized disclosure of personal information. Consequently, they must be documented in the company's breach register when Canada's Personal Information Protection and Electronic Documents Act or the Quebec Act apply. Additionally, these incidents must be evaluated to determine if they meet the threshold for risk of "significant harm" or "serious injury" in relation to breach notification requirements under those laws as well as Alberta's Personal Information Protection Act. [23]

Breaches caused by employee error may be attributed to negligence, insufficient skills, or a blend of the two. Although human fallibility means that individuals may occasionally exhibit negligence, companies can proactively reduce this risk by ensuring their workforce is appropriately skilled and trained. However, the skills gap in cybersecurity continues to be a major challenge according to the World Economic Forum's Global Cybersecurity Outlook 2025 report ("WEF Report"). [24]

The cybersecurity skills gap will likely contribute to the occurrence of breaches in 2025 as companies adopt complex technologies that employees may not be sufficiently skilled or trained to handle securely. The implementation of sophisticated tools powered by artificial intelligence (AI) is at the core of this issue. AI tools can certainly offer tremendous value and an innovative edge to companies, even bolstering breach detection and response capabilities. However, it is also true that these AI tools introduce new layers of risk. A primary concern is that employees may lack the necessary understanding and expertise to effectively manage these sophisticated AI tools, potentially leading to security vulnerabilities and unauthorized processing of personal information. AI tools may also involve employee monitoring, including by analyzing large volumes of employee metadata or correspondence for potential breaches in a way that would previously have required a prohibitively high amount of human effort. Protecting employee personal information from malicious actors through an increase in employee monitoring requires a conscientious compliance effort.

Courts have increasingly expanded the doctrine of vicarious liability, holding companies responsible for employee misconduct that results in a breach. In Ari v. Insurance Corporation of British Columbia, [25] the Supreme Court of British Columbia found the Insurance Corporation of British Columbia (ICBC) vicariously liable for its employee's unauthorized access and sale of customer information, which was later used by third parties to carry out attacks. The Court emphasized that ICBC created the risk by placing the employee in a position where she could improperly access personal information and that her misconduct was closely connected to her employment. ICBC argued that the criminal acts of third parties were unforeseeable intervening events, but the court rejected this, finding that once the employee disclosed the information, ICBC lost control over how it would be used, which made the subsequent harm sufficiently connected to the breach. This case highlights the increased legal exposure for employers when insiders misuse personal data and reinforces the need for strong internal safeguards, access controls, and proactive monitoring to prevent and detect privacy violations.

(B) Mitigation Strategies

(i) Culture of Compliance

Getting ahead of the skills gap issue is of significant importance for companies to mitigate the risk of internal breaches. Central to their approach should be the establishment of a culture that prioritizes privacy and security compliance. Such a culture should encourage all employees – and not just the CISO or Privacy Officer – to be vigilant at all times and to escalate and ask questions whenever they are unsure about a potential risk.

(ii) Documented Policies and Procedures

Cultivating a culture of compliance starts with documenting the company's privacy and security principles and controls. It's essential for the entire workforce to grasp the fundamental principles outlined in these documents, as this understanding is key to instilling the correct reflexes and behaviors necessary for upholding the company's security standards.

Maintaining such documents is a large part of how companies comply with their obligations to maintain personal information safeguards under privacy laws. However, it is crucial that such policies and procedures evolve with the risk landscape. Looking ahead, companies should prioritize the documentation of their strategies concerning the lawful and ethical use of AI. Even though there is no general AI regulation in Canada at present, companies must still operate within the bounds of the existing legal frameworks. Canadian privacy commissioners have made it clear that they will use privacy legislation to regulate the use of AI insofar as personal information is involved. As such, company policies should clearly delineate the specific risks associated with AI and establish a robust governance framework that outlines how employees can responsibly utilize these technologies.

(iii) Role-Based Training

Closing the skills gap also requires training. Mandatory privacy and security training for all employees is essential and should be conducted regularly. Such training should build upon the company's policies and procedures – bringing them to life – and should account for role-specific risks.

Conclusion

Privacy breaches are becoming more common and are expected to remain a significant threat to Canadian businesses through 2025. This trend is driven by an anticipated rise in ransomware attacks, sophisticated social engineering tactics, and supply chain attacks, along with enduring insider threats often resulting from human error. While the rapid development and adoption of AI technologies offer numerous advantages – including bolstering cyber security capabilities – they also introduce new risks to the privacy breach landscape. The intricate nature of AI tools may exacerbate the likelihood of breaches due to human mistakes, while simultaneously providing cybercriminals with more advanced methods for executing their attacks. Addressing these risks is important to mitigate the potentially costly consequences of a breach. Stay tuned for the upcoming entry in our blog series, where we delve into the evolving legal framework surrounding breaches.

Footnotes

1. IBM Report, p. 9.

2. USD $4.66 million is CAD$6.64 million using the average USD-CAD conversion rate over the last 12 months. Note IBM excludes "very small and very large" breaches, meaning the figures reference breaches involving 2,100 to 113,000 records. This excludes "mega breaches", but would also necessarily exclude small-scale breaches. While the majority of the losses are 'out of pocket', approximately 30% of this amount represents the cost of lost business / lost revenue, lost customers, and reputational damage.

3. NCTA 25/26, p. 8.

4. Google Report, p. 10.

5. NCTA 25/26, p. 20.

6. Ibid.

7. NCTA 25/26, p. 32.

8. NCTA 25/26, p. 20.

9. NCTA 25/26, p. 22.

10. NCTA 25/26, p. 23.

11. NCTA 25/26, p. 24 and 28.

12. NCTA 25/26, p. 29.

13. Ibid.

14. NCTA 25/26, p. 32.

15. Ibid.

16. NCTA 25/26, p. 36.

17. NCTA 25/26, p. 23.

18. Google Report, p. 12.

19. Ibid.

20. IBM Report, p. 14.

21. Verizon Report, p. 8.

22. Verizon Report, p. 47.

23. In addition to the federal and provincial private sector privacy laws mentioned, mandatory breach notification requirements exist under various other legal and regulatory frameworks. These include health privacy laws, public sector privacy laws, as well as industry-specific regulations, including those enforced by the Office of the Superintendent of Financial Institutions (OSFI).

24. WEF Report, p. 36.

25. 2022 BCSC 1475.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.