Canadian organizations must contend with 5 pieces of privacy legislation governing different sectors and industries and the expectations of personal information management. Preliminary results indicate that certain industries have a higher occurrence of different types of privacy incidents. Types of privacy breaches, in particular, tend to be clustered into unauthorized collection, use and / or disclosure depending on the industry in questions. This new qualitative and quantitative research, framed with established risk management practices, can provide meaningful methods for the application of scarce resources within organizations. It can also be utilized to support decision-making for security and privacy practices.