Federal (Canada)
Ontario
British Columbia
Alberta
Saskatchewan
Manitoba
Quebec
Nova Scotia
New Brunswick
Prince Edward Island
Newfoundland and LabradorFederal (Canada)Personal Information Protection and Electronic Documents ActWell-founded & conditionally resolved
May 19, 2022PIPEDA Findings #2022-004· Indexed Apr 12, 2026
PIPEDA Findings #2022-004: Investigation into MGM breach highlights how to assess risk, and need for timely assessment
MGM Resorts International
This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.
