Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Fortra: When a Mis-Sent Email Becomes a Privacy Breach

Fortra
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Personal experience that I've had with it When my wife and I were looking into mortgage applications we were talking to a bank I won't say which bank and They ended up when they went to email me files Emailed me somebody else's mortgage application with all of their details all of their like sin Salary employer everything was included in there and I emailed them back and said hey this was not intended for me I deleted it, but you may want to inform the person that you you and they're like, oh, it doesn't really matter It's not a big deal And so we're not talking about a major enterprise breach there But I'm curious for Brent like when these little instances happen to organizations and you have data loss happening like that What are the risks to the organization if the employee doesn't take the right steps Well, so so the example you just gave that is an actual it's not just an incident That's a privacy breach when social insurance numbers are involved We pretty much default to you have to give notice to everyone affected and you have to notify the Privacy Commissioner and in our jurisdiction It doesn't matter if only one person was affected. You still have to do all that So like we don't have a sort of them Unlike some jurisdictions. We don't have a sort of a meat chart for if it's this kind of data It's reportable if it's this kind it's not It's a more of a holistic approach where if the data points put together help you identify a specific person It's reportable and social insurance numbers do that Pretty much out of the out of the gate. So you were right. They were wrong in that instance

TL;DR

  • A mis-sent email containing a social insurance number, salary, and employer details qualifies as a reportable privacy breach under Canadian law, not just an internal incident.
  • Organizations must notify both the affected individual and the Privacy Commissioner even when only a single person's data is exposed.
  • The applicable privacy framework uses a holistic test — if combined data points identify a specific person, the breach is reportable, with no minimum-harm threshold.

Summary

This short clip from The Art of Security podcast illustrates how a routine email mistake can carry serious legal and regulatory consequences. Co-host Tyler Reguly shares a personal account of receiving a mis-sent mortgage application from a bank — one that contained another customer's social insurance number, salary, and employer information. When he notified the bank, they dismissed the incident as inconsequential. Legal expert Brent Arnold of INQ Law sets the record straight: under Canadian privacy law, the moment a social insurance number is exposed, the incident is classified as a reportable privacy breach — regardless of how many individuals were affected. Organizations are required to notify both the affected individual and the Privacy Commissioner. Unlike some jurisdictions that apply tiered thresholds based on data type or volume, the applicable framework here takes a holistic approach: if the combination of exposed data points is sufficient to identify a specific person, it is reportable. This clip is a concise but important reminder that even small, accidental disclosures of personally identifiable information carry mandatory reporting obligations, and dismissing them as minor mistakes can itself constitute a compliance failure.

Chapters

0:00 - The Mis-Sent Mortgage Email
0:44 - Asking the Legal Question
1:01 - Why It's a Reportable Breach
1:21 - The Holistic Identifiability Test

Key Quotes

1:01 "The example you just gave — that is an actual — it's not just an incident. That's a privacy breach when social insurance numbers are involved."
1:10 "We pretty much default to you have to give notice to everyone affected and you have to notify the Privacy Commissioner and in our jurisdiction it doesn't matter if only one person was affected. You still have to do all that."
1:29 "It's a more of a holistic approach where if the data points put together help you identify a specific person, it's reportable and social insurance numbers do that pretty much out of the gate."

FAQ

Does a privacy breach need to affect many people before it must be reported?

No. As Brent Arnold explains, in the jurisdiction discussed, even a single affected individual triggers the obligation to notify both that person and the Privacy Commissioner. There is no minimum headcount threshold.

What types of data make an accidental email a reportable breach?

Data points that, in combination, allow identification of a specific individual — such as a social insurance number, salary, and employer details — are sufficient. Social insurance numbers in particular are treated as automatically triggering reportability.


Categories:
  • » Cybersecurity » Data Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Data Privacy
  • Compliance & Governance
  • Email Security
  • Getting Started
  • short_form
  • Privacy breach reporting
  • Social insurance numbers
  • Accidental data disclosure
  • Canadian privacy law
  • Regulatory compliance
  • Email security
  • Personally identifiable information
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Fortra: When a Mis-Sent Email Becomes a Privacy Breach

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version