It's specified in the law as “as soon as feasible”. For us that means once you've closed the breach, you're not at risk by informing folks. If the breach is ongoing, by going around informing people it could be further exasperated, so once you've clearly identified the breach and you're able to contain it and move forward with it.
It's meant to be as soon as feasible, so without any undue delay. The exact time's not specified because each breach is different. There could be quite a few different elements.
In terms of determining that risk assessment, we haven't prescribed, and in general PIPEDA doesn't prescribe. It isn't very prescriptive in terms of providing these kinds of things. It provides a general sense.