Skip first menu (access key: 1) Skip all menus (access key: 2) Menu (access key: M)
Français Contact Us Help Search Canada Site
Home Site Map What's New Partnerships AIT Web Site

Consumer Measures Committee Working Groups
About the CMC
Working Groups
Communiqués
Notes to stakeholders
AIT Annual Reports
Links
Contact Us

Consumer Measures Committee/Comité des mesures en matière de consommation

Business Identity Theft Kit

Business Identity Theft Checklist

Menu | Next

This Kit is provided for general information only, and is intended to emphasize the need for effective personal information policies and practices. Nothing in this Kit should be construed as legal advice. For your legal rights and obligations, you should consult the relevant legislation, regulations and your solicitor.

Identity Theft: A Consumer Issue For Business

Law enforcement agencies describe identity theft as the fastest growing crime that business, consumers, and governments face. "Inside jobs" are on the rise, as thieves increasingly steal clients' personal information from within organizations. Businesses can safeguard their reputation and avoid financial damages by planning and implementing polices to protect customers' personal information.

Most companies collect and retain personal information, but how many have implemented a plan for collecting and keeping it safe? Does your business? Consider that:

  • A single computer can hold records for thousands of clients.
  • An unlocked filing cabinet may contain the access codes, account or license numbers that a company shares with its partners, suppliers or vendors.
  • Outside contractors hired to build and manage databases can view and copy information about a company's clients, including credit card and sometimes driver's licence numbers.

Privacy legislation requires that all businesses put systems in place to ensure that customer information is secure, accurate, gathered with consent and not used beyond a stated purpose.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to businesses operating in provinces and territories that do not have substantially similar legislation. Quebec, British Columbia and Alberta have similar legislation. This guide will help you create a plan to avoid the theft of information, and it provides advice on what to do if your information is stolen.

What is Personal Information?

Any factual or subjective information, recorded or not, about an identifiable individual is personal information. This might include such things as the individual's name, address, age, gender, identification numbers, credit card numbers, income, employment, assets, liabilities, payment records, personal references and health records.

Personal information does not generally include employees' contact information at their place of work but may include the employees' e-mail address. In general, data you collect from customers or employees must be used only for the purpose for which it was collected, or for an additional purpose to which the person has consented.

What is Identity Theft (Fraud)?

Obtaining another's personal information and using it without his/her knowledge or consent to commit fraud for financial gain or for another criminal purpose.

A thief does not need much information to steal and seriously disrupt someone's life: often a name, address, and date of birth are enough to get started.

Why Do Businesses Have To Protect Personal Information?

Increased Risks.
Identity theft is growing rapidly. Each year thousands of victims have their personal information used by criminals to commit financial fraud such as creating false accounts in another's name.
These crimes are growing because more personal information is collected and retained than ever before, and the risks of theft multiply every time that information is transmitted or retained or disposed of in an unsafe manner. A disturbing number of cases are inside jobs conducted by individuals who have access to an organization's sensitive data.

Managing Against Inside Jobs*

Hundreds of unsuspecting customers of a local gas station on Vancouver Island who used their debit cards to pay for gas were shocked to learn that their PIN and card number were recorded twice: once for the transaction, once for a thief.

When the police caught him, a former employee was charged with 178 charges of fraud using card data for over $200,000. He had been copying debit card information as he swiped customers' cards.

In accordance with the Canadian Code of Practice for Consumer Debit Card Services, victims were reimbursed by their financial institution. The gas bar was warned that if they did not apply appropriate security measures their access to the online payment service would be discontinued.

To guard against future thefts, the owner implemented new procedures: he tightened screening and background checks when hiring employees, and he began checking his equipment to ensure no one tampered with it.

Customer Trust and Loyalty.
Consumers are becoming wary of giving out information, and are learning more about their right to privacy every day. Increasingly, they are holding organizations responsible for protection of their personnel information — not just through the law — but also through the marketplace. If businesses lose consumer confidence and goodwill, it is their bottom lines that will suffer.

* Sidebar stories in this document are based on actual breaches, but all names, places and other details depicted are fictitious.

Identity Theft

  • Recognize it.
  • Report it.
  • Stop it.

Menu | Next
Created: 2005-05-30
Updated: 2006-05-05
 Top of Page Important Notices
Privacy Statement