Persons who are registered with the Controlled Goods Directorate must notify the Minister of Public Services and Procurement of any actual or potential data breach within 3 days of discovery of the breach.  Since the requirement includes potential data breaches, Controlled Goods Registrants should report any hacking incidents, potential data breaches, employees taking company data,

Canadian companies whose business operations involve Controlled Goods must report changes to their Controlled Goods Directorate registration before an acquisition. This means that companies and their in-house and outside lawyers must ensure that the closing checklist includes the Controlled Goods Directorate reporting requirement. The due diligence checklist should also include questions about Controlled Goods registrations