Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The big news this week is that PowerSchool and the Office of the Privacy Commissioner of Canada came to a novel understanding to avoid a long and protracted inquiry.

I am biased, because, full disclosure, I represented PowerSchool. As such, I’m not going to say much.

But I am curious about what the industry thinks. Was the agreement to implement, or prove that they have implemented, solutions to prevent the incident from occurring again a practical, faster and more direct way to address the issue without a prolonged inquiry?

In my experience, when organizations experience a breach, they are usually quick to do their best to contain it, figure out how it happened and then implement solutions to mitigate against it happening again. I've rarely been involved in breach cases where the organization that suffered the breach was woefully negligent by ignoring altogether their obligation to safeguard personal information.

Most of the organizations I work with are constantly working at improving their security posture. Most recognize that if they don't, the results can be catastrophic. Of course, we are human, and the implementation of our best plans sometimes misses the mark, but from my experience, organizations are trying to comply with this legal and ethical obligation.

Now, when you hear of the story where the breach was caused by significant negligence, I think lessons can and should be learned through an in-depth investigation. But it's 2025, and I think most people are aware that they can't simply ignore their obligations.

With new and smarter technology, such as quantum computing and smarter artificial intelligence agents, soon to be released, I wonder if our good intentions will be enough. There will always be bad actors willing to exploit new tools to cause nefarious harms. Will we be able to stay ahead of them?

Over the past several years, I've had the pleasure of working with many good folks that try to stay on top of these technological developments. Not only do they know what the criminals are doing, or trying to do, but they are even willing to negotiate with them to protect the victims.

I've said this before, but I think our regulators need to come to terms with this side of our industry by learning from and engaging with the firms that monitor, prevent and minimize damage done by these criminals. It's a unique and interesting side of our industry that I think we need to come to terms with.

Kris Klein, CIPP/C, CIPM, FIP, is the managing director, Canada, for the IAPP.

This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.