Because of the language in the bill, there is not really a threshold established. It just says, “any breach of security safeguards involving personal information”. That could be something as minor as a list of addresses being left out, something very, very minor in the historical context of personal information under PIPEDA. The law appears to indicate that those pieces of information will then have to be logged, recorded, and kept for an unspecified period of time.
On February 17th, 2015. See this statement in context.