Archived — What to Do When a Thief Strikes

Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Business Identity Theft Checklist

Previous | Menu | Next

What To Do When A Thief Strikes

Steps to Take When Information is Compromised

If thieves strike, or if information goes missing, have an action plan to respond to the breach.

Acting quickly can help reduce potential damage, and it may help your organization avoid liability in a civil action.

To respond to a breach, you need to follow two tracks at the same time:

  • investigate the problem internally, and
  • devise a plan for notifying people outside the organization that a breach has occurred.

Investigating the Incident

You need to know what happened, so determine:

  • What information was stolen?
  • When it was stolen?
  • How did the breach occur?
  • Which files were affected?
  • What action is needed to ensure no other data is taken or lost?
  • Is advice required from your lawyer and/or accountant?

Informing Customers and Outside Organizations

If a breach does occur, you need to act quickly to inform affected customers. If the situations are not handled well, the damage to your company can be staggering and permanent.

Timing is critical, as prompt notification might help prevent identity theft or mitigate the damage it causes. Tailor your letter to those who are affected. Ensure it is written on your company letterhead and signed by a key official, and place the company logo or name on the envelope.

If a small number of individuals are affected, inform them immediately. If a larger number are affected, i.e., more than 100, you may want to discuss the most efficient manner for advising potential victims by first consulting with:

  • Canada's credit reporting agencies:
  • Law enforcement agencies
  • Affected individuals or businesses
  • Privacy Commissioners
Credit reporting agencies (CRA)
Speak to fraud specialists at Equifax, TransUnion, and if appropriate Northern Credit Bureau to discuss the type of warning and assistance that is required to ensure that the breach is handled well.
The CRAs will help determine whether or not a fraud alert is necessary.
A fraud alert tells creditors to contact the person affected before approving a new account or changing existing accounts and can be an effective tool in protecting your customers from theft. In discussion with the CRAs, you should request a compromise number and inform affected customers to use this number in all communication with the CRAs.
Law enforcement agencies
You should call your local police to inform them of the breach and, if recommended, to file a report of the theft. You should also report the breach to the Canadian Anti-Fraud Centre (1-888-495-8501). for reporting economic crime.
Affected individuals and businesses
Decide what to say and how to report the breach to anyone affected. You need to convey the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from identity theft.
Provide contact information for your organization, CRAs and, if applicable, the police. Include current information about identity theft. This Web site has information to help individuals guard against and deal with identity theft.
Privacy Commissioners
The federal commissioner acts independently of government to help protect the privacy of personal information and ensure compliance with PIPEDA. Contact this office for advice on privacy issues related to the breach.
Note that Quebec, British Columbia, and Alberta have separate privacy laws that are substantially similar to PIPEDA, so if you operate in one of these provinces, please contact the corresponding provincial commissioner.
You can reach the federal Commissioner at 1-800-282-1376 or at, where you will also find links to provincial commissioners.

Dealing with the Media

Depending on the nature of the breach and the number of people affected, you may have to answer calls from the media. As you prepare letters for notification, it would be wise to prepare a media response. Be candid and emphasize the steps you are taking to fix the situation.

Disseminating information to the media can help to scare criminals away from using information they have stolen, because they will realize that CRAs and police are waiting for them to use the data.

You know who your customers are, why let an ID thief steal them from you?

Previous | Menu | Next