On April 18, 2017, the Organization learned that two binders of materials relating to a law suit fell out of the trunk of an employee?s vehicle while in transport. The Organization believes the materials fell out of the trunk on or about April 16, 2017. The Organization was not aware this had occurred until contacted by the opposing legal counsel who reported that hard copy records of his client (the affected individual) had been located on the street by a third party. The third party returned the records to the affected individual?s lawyer. The Organization was not advised by the affected individual?s counsel which records were located and returned to him. The Organization understands that records returned to him constituted all records that were initially lost, and stated it has no reason to believe otherwise; however, the Organization stated there is no way of knowing for certain that all the material lost was returned to the affected individual?s counsel. As far as the Organization is aware, the information was retrieved by a single third party. The Organization?s assessment of the breach at the time was that the incident did not rise to the level of a reportable breach under section 34.1 of the Personal Information Protection Act (PIPA) given the brief period of time between the loss of the records and the recovery, and the fact that the affected individual had full knowledge of the incident and legal counsel providing the affected individual with advice. The Organization understands that the records were recovered without loss to the affected individual. On or about November 21, 2017, the affected individual contacted the Organization?s employee who was involved in this matter threatened to report the employee to her professional body unless payment was received. The affected individual did not claim any harm. The Organization reassessed the breach, and their assessment remains substantially the same: the risk of harm to the affected individual is very low, but out of an abundance of caution, the organization decided to report the breach to the Office of the Information and Privacy Commissioner.