Introduction
A privacy breach remains one of the most significant threats to organizational stability. It is a concern that cuts across industries and organization sizes, all the more so today, when data moves faster and further than ever before.
The risks are not limited to legal consequences. The real damage often lies in the socio-economic fallout: loss of reputation, erosion of public trust and, in some cases, long-term business impact. This is precisely why privacy by design has become such a central principle in modern governance: it aims to prevent breaches before they occur.
But here is the reality: no system is completely immune. Despite the best safeguards, breaches and privacy incidents will still happen. When they do, what separates resilient organizations from the rest is not the absence of breaches but their level of preparedness.
Preparedness shows in how quickly a breach is identified, how effectively it is contained, and how thoroughly it is investigated and resolved so that it does not recur.
In that sense, investigation is not peripheral to privacy work – it is foundational.
Understanding Privacy Breaches: Definition, Types, and Causes
According to the Treasury Board of Canada Secretariat, a privacy breach is the improper or unauthorized access to, creation, collection, use, disclosure, retention, or disposal of personal information. Simply put, it is any exposure or loss of personal data held by an organization, an event that can be harmful to the organization, to the individuals affected, or to both.
Privacy breaches generally arise from two broad sources: internal causes and external causes.
Internal Causes
These often stem from human error, negligence, or flawed operational practices. Common examples include:
1. Lost or stolen devices containing personal data
2. Misdirected emails with sensitive information
3. Improper handling or storage of records
External Causes
These originate outside the organization’s immediate control and include:
1. Cyberattacks
2. Unauthorized access by malicious actors
3. Vendor or third-party breaches
Beyond their cause, breaches are also assessed by risk level. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), an organization must determine whether a breach of security safeguards creates a real risk of significant harm to an individual, weighing the sensitivity of the information involved and the probability that it has been or will be misused. Significant harm includes financial loss, damage to reputation, identity theft and even bodily harm.
Where such a risk exists, the organization must report the breach to the Office of the Privacy Commissioner of Canada and notify the affected individuals as soon as feasible. The record-keeping duty is broader than the reporting duty: PIPEDA requires organizations to keep a record of every breach of security safeguards for 24 months, whether or not it meets the harm threshold, which is one more reason every incident needs an investigation rather than only the ones that look serious at first glance.
Regulatory Expectations: Where Investigation Comes In
Privacy laws in Canada impose clear obligations on organizations when a breach occurs. While specifics vary across jurisdictions, the core response framework typically follows four stages:
1. Identify and contain the breach
2. Assess the breach (investigation)
3. Mitigate risks and communicate internally
4. Report and prevent recurrence
Clearly, investigation sits at the center of this framework. And yet it is often underemphasized. There is a common misconception that investigations are the domain of external specialists. External support may be necessary in complex cases, but the responsibility for initiating and driving the investigation rests internally, usually with the privacy or compliance team.
In other words, incident investigation often represents a significant portion of a privacy professional's role and, depending on the organization, may be a central component of their day-to-day responsibilities.
What Does Investigation Really Mean?
At its core, an investigation is a structured fact-finding process. It’s an objective method of inquiry, which in the case of privacy incidents, is deployed to determine:
1. Whether a breach actually occurred
2. The scope and severity of the incident
3. Who was affected
4. What caused it
But beyond process, investigation is also a skill. It requires objectivity, attention to detail, and the ability to engage with people (employees, vendors and sometimes clients), often in sensitive or high-pressure situations. This is where technical knowledge meets human judgment.
The Investigation Process: Asking the Right Questions
Every effective investigation begins with the "what", "who", "when" and "why". Plain as they are, these four questions structure the entire inquiry: they decide which evidence must be collected and preserved, who must be interviewed, and what the final report has to answer. They represent four fundamental questions:
What happened?
Who was involved?
When did it occur?
Why did it happen?
These questions form the foundation of the identification stage, from which the following process typically unfolds:
1. Containing the breach to prevent further exposure (this runs in parallel with fact-finding and must not wait for the root cause to be known)
2. Conducting interviews with relevant parties
3. Documenting findings accurately and promptly, and preserving the logs and records on which they rest before they are overwritten or aged out
4. Analyzing root causes systematically
5. Recommending practical remediation actions
This structured approach ensures that the investigation is not just reactive but instructive.
Why Investigation Matters More Than We Think
A well-executed investigation does more than resolve an incident; it strengthens the entire privacy program. It helps organizations understand the vulnerabilities within their systems, improve internal processes and controls, build a culture of accountability, and enhance trust with stakeholders.
Ultimately, investigation is where privacy moves from theory to practice. It is where policies are tested, systems are challenged, and organizational values are revealed.
Conclusion
Privacy breaches may be inevitable. But poor responses are not. In essence, the strength of a privacy program is not measured by the absence of incidents, but by how well an organization responds when they occur. And at the heart of that response lies one critical function: Investigation.