Effective cyber risk management requires that an organization have a comprehensive incident response plan, so that the organization can rapidly respond to a data incident. An organization’s data incident response plan should include the organization’s data incident notification obligations under statute, contract and generally applicable common law and civil law, so that the organization can promptly comply with those obligations when an incident occurs.
Data incident notification obligations may be imposed by statute (e.g. the Alberta Personal Information Protection Act and, soon, the federal Personal Information Protection and Electronic Documents Act), by contract, or by generally applicable common law or civil law, and may specify when, how and to whom notice of a data incident must be given. Failure to give timely notice of a data incident may result in serious adverse consequences, including statutory sanctions, liability for breach of contract or for breach of a duty to warn, and loss of insurance coverage.