Businesses and Identity Theft
It is the responsibility of businesses to protect customer information and reduce the risk of identity theft.
Sensational headlines about massive data breaches and the risk of identity theft have alarmed Canadians. The concern is clearly justified. This kind of fraud has claimed millions of victims across North America.
Businesses and other organizations which collect personal information can play a critically important role in reversing this trend – and at the same time protect their own reputations and profits.
Businesses create mountains of data that are irresistible to identity thieves.
Those growing mountains create the risk for ever-bigger data breaches. New technologies are providing organizations with the means to collect, use, analyze and store far more personal information than ever before.
A single hard drive can hold the records of hundreds of thousands of people. It costs just pennies to store a gigabyte of documents – the equivalent of 1,000 thick paperback books.
This is why it is essential for businesses and other organizations – small and large – to develop comprehensive plans to protect the personal information they are entrusted with.
Protecting personal information is the law in Canada.
But taking due care with personal data will also reduce the likelihood that the name of your business will appear in the next splashy headline about a big data breach.
Data protection is also good for the bottom line. Securing personal information up front is far less expensive than mopping up after a data breach. The cost of responding to a data breach is 15 times the cost of encrypting the data in the first place, according to an estimate by the U.S.-based research company Gartner.
What can businesses do to guard against identity theft? In a nutshell, they need to start handling personal information as they would actual cash. After all, personal information is a goldmine for identity thieves and organized criminals.
Minimizing the identity theft risk means making the fundamental privacy principles enshrined under the Personal Information Protection and Electronic Documents Act (PIPEDA) part of an organization’s culture.
Some of the anti-fraud steps outlined below are from the OPC document, Your Privacy Responsibilities: A Guide for Businesses and Organizations, which details how to comply with the law.
Steps for reducing the risk of identity theft
Limit the amount of information collected.
- Do not collect personal information indiscriminately. Limit the amount and type of the information gathered to what is necessary for the identified purposes.
- Collecting less information reduces the potential damage in case of a breach.
- Reducing the amount of information gathered also lowers the cost of collecting, storing, retaining and archiving data.
Limit how long you retain the information collected.
- Keep personal information only as long as necessary to satisfy the purposes.
- Put guidelines and procedures in place for retaining and destroying personal information. These should include maximum and minimum retention periods that take into account any legal requirements or restrictions, as well as redress mechanisms.
- Conduct regular reviews to help determine whether information is still required. Establish a retention schedule to make this easier.
- Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
- Ensure personal information is disposed of in a way that prevents improper access. Destroying paper files with a cross-cut shredder or securely deleting electronic records is ideal. Note that simply deleting a file or reformatting a drive does not remove the data from the media; secure deletion means overwriting the data, physically destroying the media, or, for encrypted media, destroying the encryption key.
Safeguard personal information against loss or theft.
- Safeguard personal information from unauthorized access, disclosure, copying, use or modification.
- Develop and implement a security policy to protect personal information.
- Paper files and computers need to be protected with physical security measures such as locks, restricted-access areas and alarm systems.
- Encrypt all computerized records that contain personal information, whether they sit on networks, laptops or remote-access devices such as BlackBerry handhelds, and keep the encryption keys separate from the encrypted data. Further safeguard the information with other technological tools such as passwords and firewalls.
- Use organizational controls to prevent "inside jobs." These include employee and contractor security clearances, limiting access on a "need-to-know" basis, and staff training.
- Educate employees about the importance of maintaining the security and confidentiality of personal information.
- Hold regular staff training on security safeguards – everything from not leaving laptops unattended in cars to more complex information about technological safeguards.
- A number of factors should be considered in selecting appropriate safeguards: sensitivity of the information; amount of information; extent of distribution; format of the information (electronic, paper, etc.); and type of storage.
- Review and update security measures regularly.
- Make sure personal information that has no relevance to the transaction is either removed or blocked out when providing copies of information to others.
- Keep sensitive information files in a secure area or computer system and limit access to individuals on a "need-to-know" basis only.
Safety at the check-out counter
- Ensure customers can enter their debit card PINs in a secure way. Add shields to key pads. Regularly check point-of-sale equipment to verify it has not been tampered with. Ensure security cameras cannot record customers entering their PINs.
- Ensure cashiers verify signatures on credit cards and ask for photo ID when signatures do not match or when the signature on the back of a credit card is smudged.
- Use equipment that does not print the entire debit or credit card number on a receipt.
- When selling online, protect against fraud with encryption software and other security technologies, and keep that software up to date.
Avoid collecting and using Social Insurance Numbers.
- The Social Insurance Number – a key identifier prized by identity thieves – should not be used as a general identifier, and organizations should restrict their collection, use and disclosure of SINs to legislated purposes.
- Some private-sector organizations are required by law to request customers’ or employees’ SINs; however, SINs should not be requested for general purposes of identification.
- For more detailed information about the use of SINs, see the OPC’s Best Practices for the Use of Social Insurance Numbers in the private sector.
Adopt good authentication processes.
- When someone presents herself and claims to be Customer X, a business typically needs to authenticate that claim. This is especially critical if the person wants to conduct a transaction on an account, or obtain records relating to an account.
- The right kinds of authentication processes can help protect privacy by reducing the risk of unauthorized disclosures of personal information.
- Authentication processes need to be appropriately designed given the sensitivity of the information and the risks associated with the information.
- Overly rigorous authentication processes, or requiring individuals to authenticate themselves unnecessarily, can also be privacy intrusive.
- Detailed information on authentication is provided in the OPC’s Guidelines for Identification and Authentication.
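The retention steps above call for a schedule with minimum and maximum retention periods, legal requirements, and a regular review of what can be destroyed or anonymized. The following is an added example, not part of the OPC guidance: it encodes a hypothetical schedule keyed by the purpose the data was collected for (the categories and periods are constructed for illustration and are not legal advice), and evaluates each record against it, treating a legal hold as overriding the schedule and flagging data that has no identified purpose for review.

```python
"""Evaluate a retention schedule over customer records (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    min_years: int   # must be kept at least this long (e.g. a statutory requirement)
    max_years: int   # must not be kept beyond this
    on_expiry: str   # "destroy", or "anonymize" when de-identified statistics are still needed


# Hypothetical schedule: the purposes and periods are constructed for this example.
SCHEDULE: Dict[str, Rule] = {
    "sales_receipt": Rule(min_years=7, max_years=7, on_expiry="destroy"),
    "warranty_claim": Rule(min_years=2, max_years=3, on_expiry="anonymize"),
    "marketing_consent": Rule(min_years=0, max_years=1, on_expiry="destroy"),
}


@dataclass
class Record:
    record_id: str
    purpose: str
    fulfilled_on: date         # when the identified purpose was satisfied
    legal_hold: bool = False   # litigation or investigation hold suspends destruction


def years_after(d: date, years: int) -> date:
    """Add whole years, falling back to Feb 28 when the start date is Feb 29."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, today: date) -> Tuple[str, Optional[date]]:
    """Return (action, date) for one record.

    "retain"  -> keep until the returned minimum-retention date
    "hold"    -> keep while the legal hold stands (no date)
    "review"  -> no rule covers this purpose, so there is no basis for keeping it
    otherwise -> the rule's on_expiry action, due no later than the returned date
    """
    rule = SCHEDULE.get(record.purpose)
    if rule is None:
        return ("review", None)
    if record.legal_hold:
        return ("hold", None)
    min_date = years_after(record.fulfilled_on, rule.min_years)
    if today < min_date:
        return ("retain", min_date)
    return (rule.on_expiry, years_after(record.fulfilled_on, rule.max_years))


def plan(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by action; disposal past its maximum date is listed as overdue too."""
    out: Dict[str, List[str]] = {}
    for r in records:
        action, due = evaluate(r, today)
        out.setdefault(action, []).append(r.record_id)
        if action in ("destroy", "anonymize") and due is not None and today > due:
            out.setdefault("overdue", []).append(r.record_id)
    return out


# Constructed sample data for a review run on 1 March 2007.
SAMPLE_RECORDS = [
    Record("R1", "sales_receipt", date(2005, 6, 15)),
    Record("R2", "warranty_claim", date(2004, 1, 10)),
    Record("R3", "marketing_consent", date(2006, 8, 1)),
    Record("R4", "sales_receipt", date(1998, 2, 1), legal_hold=True),
    Record("R5", "loyalty_survey", date(2006, 12, 24)),   # no rule in the schedule
]

if __name__ == "__main__":
    for action, ids in plan(SAMPLE_RECORDS, date(2007, 3, 1)).items():
        print(f"{action:10s} {', '.join(ids)}")
```

The split between "retain" and the disposal actions is what makes the review cheap to repeat: anything not under hold and past its minimum period can be disposed of immediately, and anything past its maximum period shows up as overdue, which is the list an auditor will ask for first.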
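Three of the steps above come down to the same mechanism: blocking out information that has no relevance when copies are handed out, printing only part of a card number on receipts, and catching SINs that should never have been collected. The following is an added example, not code from the OPC guidance: it scans free text for digit runs, uses the Luhn checksum (which both payment card numbers and SINs carry) plus the length to decide whether a run is a card number or a SIN, masks card numbers down to their last four digits and SINs entirely, and reports how many of each it found so that a stray SIN can be logged for follow-up. The card number and SIN used in the sample input are published test values, not real accounts.

```python
"""Mask card numbers (PANs) and Social Insurance Numbers in text (added example)."""
import re
from typing import Dict, Optional, Tuple

# A run of 9 to 19 digits, optionally separated by single spaces or hyphens,
# e.g. "4111 1111 1111 1111" or "046-454-286". The lookarounds stop a longer
# digit run from being matched piecemeal.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){8,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits: str) -> Optional[str]:
    """'pan' for a Luhn-valid 13-19 digit run, 'sin' for a Luhn-valid 9 digit run, else None."""
    if not luhn_ok(digits):
        return None
    n = len(digits)
    if n == 9:
        return "sin"
    if 13 <= n <= 19:
        return "pan"
    return None             # phone numbers, order numbers and dates fall through here


def mask_text(text: str, keep_last: int = 4) -> Tuple[str, Dict[str, int]]:
    """Mask each PAN to its last `keep_last` digits and each SIN entirely.

    Returns the masked text and a count per kind, so the caller can log that a
    SIN was present in data where it should not have been collected at all.
    """
    counts = {"pan": 0, "sin": 0}

    def _repl(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        kind = classify(digits)
        if kind is None:
            return raw                         # not a PAN or SIN: leave the text alone
        counts[kind] += 1
        if kind == "sin":
            return "*" * len(digits)           # a SIN is never needed on a receipt or copy
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    return _DIGIT_RUN.sub(_repl, text), counts


# Constructed sample receipt text; 4111 1111 1111 1111 and 046-454-286 are published test values.
SAMPLE_RECEIPT = "Card 4111 1111 1111 1111 SIN 046-454-286 order 123456789012 tel 613-555-0199"

if __name__ == "__main__":
    masked, found = mask_text(SAMPLE_RECEIPT)
    print(masked)
    print(found)
```

The Luhn check cuts down false positives but does not eliminate them: roughly one in ten random digit runs of the right length passes it, so the length gating in `classify` matters, and anything this catches in stored data should be confirmed by a person before it is treated as a SIN that was collected without a legislated purpose.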
What to do when there is a breach
Sometimes data breaches occur because of negligence. Sometimes they occur despite an organization’s very best efforts. Laptops are lost. Faxes or letters are misdirected. Hackers get into computer databases.
Tell those affected
When a data breach happens, individuals should be told as soon as possible that their personal information has been compromised, particularly when there is a risk of identity theft or some other harm. When identity thieves strike, they often use the stolen personal information almost immediately.
Here is a list of the kind of information worth including in a breach notification letter:
- A list of the type of personal information disclosed;
- An assessment of the risk of identity theft as a result of the breach;
- A description of the measures taken or that will be taken to prevent further unauthorized access to personal information;
- Contact information for affected individuals to obtain more information and assistance; and
- Information and advice on what individuals can do to protect themselves against identity theft and fraud.
An organization responsible for a data breach should provide assistance, such as paying for credit monitoring, to the people whose information has been compromised.
Contact police and credit bureaus
In some cases – where theft is suspected, for example – it is appropriate to immediately contact police.
Credit reporting agencies should be contacted when there is a risk of identity fraud.
Notify the OPC
The Office of the Privacy Commissioner of Canada should be notified when there is a breach involving personal information.
Organizations covered by provincial or territorial privacy legislation should contact the appropriate provincial or territorial privacy commissioner.
Take internal measures
Take immediate steps to contain a breach and conduct an internal investigation to find out what went wrong. Establish new policies or procedures to ensure there are no further breaches.
March 2007