Identity Theft

Identity Theft


Identity theft has become a serious, pervasive and increasingly sophisticated crime in North America, one that has a range of negative impacts for individuals, consumers, the corporate sector and governments. All these stakeholders have a role to play in preventing and combatting identity theft.
This webpage provides background information and advice on identity theft. It aims to provide a range of tools and resources to assist individual citizens and private organizations to minimize their exposure and deal with the problems that result from identity theft.
The webpage is one component of CIPPIC's research project on the legal and policy dimensions of identity theft. This project is funded by the Ontario Research Network for Electronic Commerce ("ORNEC"). ORNEC is a partnership between the Universities of Ottawa, McMaster, Carleton and Queen's and the corporate sector, which serves as a driving force and focal point for electronic commerce research.



What is Identity Theft?

"Identity theft" is a term commonly used to mean the unauthorized collection and fraudulent use of someone else's personal information. The personal information collected by "identity thieves" may be used in a variety of improper ways, including gaining illegal access to bank accounts, obtaining credit and taking out loans, obtaining accommodation, and in other transactions, all carried out by masquerading as the victim.
It is the fraudulent use of someone else's personal information that lies at the heart of the phenomenon known as identity theft. To be truly accurate, the term "identity fraud" should be used, and sometimes it is. As it happens, the terms tend to be used interchangeably and may mean different things to different people. This can and does lead to confusion and lack of consistency in terminology.
The collection of personal information by ID thieves may in itself not be illegal. However, sometimes the collection is done by using a scam, such as fake contests. Even then, until the information is used in an illegal way, no crime has been committed under Canadian law. This means that an individual who has a copy of your personal information such as your social insurance number, date of birth, etc. does not commit a crime merely by possessing that information.
Identity theft becomes a criminal activity when the information is used for an illegal or improper purpose, such as obtaining and using a credit card in another's name. This is why identity theft is perhaps more accurately described as "identity fraud".

What personal information do ID thieves collect?

Identity thieves will collect whatever information they can about an individual they wish to impersonate. Types of personal information useful for this purpose include name, address, social insurance number, date of birth, mother's maiden name, driver's licence number, employment history, vehicle registration and plate numbers, and financial information such as bank account and credit card numbers. The more details identity thieves know about a person, the more able they are to successfully impersonate that person.

How do ID thieves collect personal information?

Identity thieves collect personal information from various sources and through various means including unshredded garbage, discarded hard drives that have not been properly cleaned of data, lost or stolen wallets, mailbox theft, computer hacking, internet- based frauds (viruses, spyware, and phishing), "social engineering", underground networks, and through the actions of dishonest employees who have access to the personal information of clients in the course of their duties.
In order to commit fraud, identity thieves usually need different pieces of personal information which are not always available from the same source. However, identity thieves can use the personal information they already possess in order to obtain further information on a victim. This process is called "identity consolidation or identity breeding". For example, a thief who has a victim's name, address, driver's licence number and health care number could apply to get a replacement social insurance number card or number in the victim's name, and thus perpetuate the fraud.
Some identity thieves specialize in the collection of personal information which they then sell for profit in underground networks. For example, "carder networks" usually take the form of E-bay style auction sites where individuals buy and sell credit card information.

Is identity theft more likely to occur on the internet?

In fact, as of 2006, it is estimated that only a small percentage of identity theft is committed via the internet. The main identity theft risks still come from the "paper world". Lost or stolen identification, friends and family, insider abuse and mail theft pose the greatest risks. The increasing trade in personal information for commercial purposes, and the increase in commercial databanks of personal information, has also exposed our personal information to a much greater risk of theft and fraud.

What is social engineering?

"Social engineering" is a method of obtaining personal information that relies on "smooth talking". Social engineers trick the victim or third parties with whom the victim deals into revealing the victim's personal information. The key to their success is to win the trust of the victim or third party individuals and convince them to go against their instincts or better judgment.
Social engineering can be used to collect personally identifiable information directly or it can be a component of a more complex collection process. Social engineering can be exercised directly against the victim or on a third party with whom the victim has dealings, in order to acquire information about the victim.

What is phishing?

Phishing is a method of luring individuals into providing their personal information by masquerading as a trustworthy person or organization, via an apparently official electronic communication such as an email. This communication will be used for two purposes: 1) to lure the unsuspecting user to a spoofed website which resembles the site of the real organization, usually containing copied logos and other identifying information. The domain name of the fraudulent sites often contains spelling mistakes or they use an alternate but similar name, but these differences can be hard to spot. 2) to get the user to provide personal information or account information by entering it using the fake web site or by replying to the fake message. By responding, the victims are providing their personal information directly to the identity thieves.
The message usually contains an alert that something is wrong with the victim's account, such as a security breach, or asks that personal information and passwords be updated, corrected or verified. Some messages even come in the form of a fraud alert. The message is written in a language similar to that used by the organization; it will also use the same colors and logos - this is known as "spoofing". There is a sense of urgency to the message. The urgent nature of the message may dupe even those who are not clients of the organization being impersonated to respond.
These sites also count on the lack of awareness by the average user of details which distinguish legitimate web sites from unlawful duplicates. For example, a closed padlock symbol indicates that a site was issued a secure certificate. A user must look at the details of the certificate to ensure the site actually belongs to the organization. The domain name of spoofed sites will be slight variations of the real site's domain name; for example, instead of Any site accessed via a numeric internet protocol (IP) address, such as, instead of textual domain name should be considered suspicious.
By responding directly to the email or via the spoofed website, the victim inadvertently sends personal information directly to the criminal. This may include ATM card numbers, PIN codes, credit card numbers and expiry information, passwords, account information, and so forth. Worms and viruses may spread the phishing email further, via victims' address books.
Other phishing schemes involved fake charitable organizations. For example, in the summer of 2005, after hurricanes Katrina and Rita, many fake websites were set up to solicit donations. The websites were advertised by phishing emails.

How do ID thieves use personal information?

Identity thieves use personal information in a number of unlawful ways. The most frequent uses are to take over existing bank or credit card accounts (account hijacking); open new accounts (credit, hydro, phone, cable, cell, etc); obtain benefits; acquire goods, obtain health services or medication or avoid arrest.
Once accounts have been opened or control taken over them, the identity thieves will systematically use up all the available funds. They may leave victims with little or nothing in their bank accounts, immense debt in their existing credit card accounts, or debt in the new credit card accounts opened in the course of the fraud. The frauds can go as far as obtaining rental accommodation, a mortgage or employment in another's name.
There are even cases where an individual served prison terms in the name of another, leaving the victim with a criminal record. Other examples involve identity thieves getting prescriptions or medical services in the name of their victims.

Who does ID theft affect?

Individuals who fall victim to ID theft suffer a financial loss, at the very least in terms of time lost to restore their identity and reputation. The consequence of identity theft for these persons is often a poor credit rating, which may result in more financial losses by way of higher interest rates or the inability to refinance debts at better interest rates. Finally, the individuals who were impersonated will also suffer from mental anguish, since it is quite disconcerting to know someone else used your identity to steal from others.
The consequences for the persons being impersonated can be extremely dangerous when identity theft is committed to get medicine or medical services. These unlawful uses leave traces in the victims' medical records which could eventually be relied upon by health care professionals to make health decisions for the victim.
In addition to the immediate personal victims of ID theft are businesses such as credit card companies and banks, which absorb losses due to fraud and which must take costly security measures to guard against it. Consumers, to whom such losses are passed on in the form of higher prices and/or interest rates, are also secondary victims.

Who commits identity theft crimes?

There are two types of individuals who commit identity theft: those who carefully plot their schemes (dedicated thieves), and those who commit the crime only if given the chance (opportunistic thieves).
Dedicated thieves will generally rely on more sophisticated techniques such as phishing and hacking computer systems. Dedicated thieves may work in organized groups and commit fraud on a large scale. Each individual in the group may have a task, such as collecting debit card information, creating duplicate debit cards or using the duplicate cards to empty victims' bank accounts.
Opportunistic individuals will usually steal mail or account statements, or will use information to which they have ready access, in order to pose as someone else.
Disturbingly, a good number of identity theft crimes are committed by family members, colleagues and others with whom the victim has regular contacts. There are even cases of parents fraudulently using their childrens' identities in order to gain some advantage.

Can individuals prevent identity theft?

Individuals can play a role in reducing the risk posed by identity theft, but they cannot completely prevent it. As clients we provide our personal information to a vast number of organizations. Once we have provided this information we lose control over how it is used. For example, consumers cannot protect themselves against corrupt employees or security breaches in these businesses. We must trust that organizations with which we do business will take appropriate care to safeguard our personal information.

What Canadian laws currently exist to combat and reduce the risk of identity theft?


The Criminal Code
The Criminal Code contains a number of offences that relate to identity theft. Relevant provisions address personation, forgery and fraud, covering conduct such as theft of government issued identification documents, making or uttering a forged document, assuming identities for financial gain and assisting someone else in obtaining false information.
There is no statutory definition for identity theft, however, and many activities of identity thieves are not unlawful at present, especially those relating to the collection and transfer of personal identity information prior to the commission of an offence. The federal Department of Justice is currently reviewing Canadian criminal law relating to identity theft, with the aim of proposing new offences.
Privacy laws
Canada has data protection laws at both the federal and provincial levels, applicable to commercial activities across the country as well as to public sector activities. These laws apply to the collection, use, disclosure and destruction of the personal information collected by organizations, both public and private.
Private sector laws help reduce the risk of identity theft by requiring that organizations collect only the personal information that is required for a given transaction. They also help by requiring organizations take appropriate security measures to protect the personal information they collect. Finally, these laws also require that information which is no longer required be destroyed in a secure way.
Public sector laws establish similar but not identical constraints on government collection, use and disclosure of personal information.
Consumer reporting and protection laws
Some laws apply to consumer reporting agencies (credit bureaus). They define the circumstances in which credit reports can be obtained on individuals. These limits are intended to make sure the personal information held in credit reports does not end up in the wrong hands. Consumer reporting laws also set out the obligations consumer reporting agencies have towards individuals about whom they keep information. For example, if a victim of identity theft contests information contained in his or her credit report, the consumer reporting agency is required to investigate the issue and correct any errors in the individual's credit report.
Other laws are aimed at consumer protection. These laws do not reduce the risk of identity theft, but they may reduce the financial liability of victims when an identity thief has accumulated debts in their name by using fraudulent credit cards. In most provinces, in order to be protected by these provisions, credit card holders must promptly notify the credit card issuer of any fraudulent activity.

How can I reduce my risk of becoming a victim of identity theft?

Although it is not possible to completely eliminate the risk, you can take steps which will lessen the risk posed by identity theft. Below are some steps you can take to reduce the risk.
Have an inventory of your identification documents
You should keep a photocopy of all the identification documents (both sides of the cards) you carry in your wallet or purse. This will not help you to prevent being a victim, but it will be valuable information in case you loose your wallet and purse. These photocopies should be stored in a secure location.
Always check the identity of a person requesting personal information
When someone asks for personal information, always verify their identity, especially if you did not initiate the contact. When receiving phone calls purporting to be from an organization with which you do business, ask them for a number to call them back and do not provide information. You can then look in the phone book or on the organization's web site to make sure the number provided matches their contact number. If it does not, you should call back using the organization's official number.
Carefully destroy personal information
As mentioned above, personal information can be obtained from many sources, including your garbage. You should always carefully destroy documents, account statements, old identification cards and pre-approved credit card or loan applications, ideally using a crosscut shredder.
Do not carry unnecessary identification
You should never carry unnecessary identification. For example, you should never carry your Social Insurance Card or birth certificate in your wallet or purse. This identification is seldom required in daily operations. Carrying these identification documents increases the risk of identity theft in case your wallet or purse is lost or stolen. It also increases your amount of time and effort and your out-of-pocket costs to get new identification issued following the loss or theft.
Limit the personal information you give online
Many corporate websites seek personal information about their clients. Yet there is widespread non-compliance by these websites with federal privacy laws; in fact many organizations will actually sell their customers' personal information to data brokers, who use it build up huge profiles on individuals. Even if the data is not sold to third parties, the reality is that it has been collected and stored in a database. The database is more likely than not to be susceptible to abuse, either by insiders or outside "crackers". In a recent report, CIPPIC has found widespread lack of compliance by retailers and data brokers with privacy legislation.
You should avoid providing personal information in emails. Emails are as secure as a postcard written in pencil rather than a pen. An email will usually have to be sent through at least two email servers before it reaches its destination. At any step in the transmission, the owners of the different email servers can watch the messages and possibly alter them before retransmitting them. The only way emails can be made secure is through strong encryption. Faxes are also not recommended as a means of transmitting personal information. Standard phone lines are a much more secure way of transmitting personal information.
Immediately report lost or theft of debit and credit cards or other identification
You should immediately report the loss or theft of debit and credit cards. This helps reduce the risk of someone else using your cards or identification for fraudulent purposes.
Limit personal information on Cheques
Have only your initials instead of your first and last name printed on your cheques. When paying accounts by cheque, never write the complete account number on the cheque.
Shield your pin numbers and beware of "skimmers"
When using a debit card, always make sure to shield the keypad when you enter your personal identification number (PIN).
When using your debit or credit cards, always watch what the user does with the card. Never let the card go out of your sight. Some identity thieves use special devices to clone the cards and use a camera to spy while you enter your PIN. These devices are known as "skimmers" and the thieves will usually hide them under the counter. All it takes is a swipe of the card in the skimmer to obtain a copy of the information stored on the magnetic strip of the card.
Request passwords on your accounts
Certain organizations offer password protected accounts. If possible you should take advantage of the security afforded by passwords.
Never reply to emails or instant messages that request personal information
Never reply to emails or other electronic communications requesting personal information. Legitimate organizations never ask for personal information using these means and they will never ask for personal information if you have not solicited their services.
Create Online Profiles with care
Never create online profiles containing highly sensitive personal information, such as your birth date or SIN number. This information can be used to impersonate you. Never give out your personal information in chat rooms, bulleting boards, etc.
Use hard to guess passwords
As much as possible you should use hard to guess passwords on your accounts. This is especially the case for accounts used for financial transactions such as online banking or for the reception of electronic account statements.
Always sign-out of online accounts
When using online systems to conduct transactions, always use the system's "sign out", "close session", or "log out" feature before leaving the web page or the application.
Protect your computer
Protect your computer by using up-to-date anti-virus software, anti-spyware software and a firewall. It is not sufficient to simply install these protections; they must be kept up-to-date by using the services offered by the manufacturers of the applications.
Safely discard computer equipment
You should always destroy any floppy disks, CDs and DVDs on which you put personal information. When discarding an old computer, remove all the information on the hard drive and use a "white space wiper" application.
When you delete a file on a computer, the information contained in the file is not destroyed until another file is stored in the same physical location as the deleted file. This means that some "deleted" files can still be accessible many months after they were "deleted". A "white space wiper" application will write 0s over all the deleted files rendering them completely inaccessible.
How do I know if I'm a victim of identity theft?
Identity theft is generally detected either directly by victims or by a financial institution which monitors its clients' accounts for suspicious activity.
You can detect identity theft primarily in five ways: 1) by monitoring your account statements; 2) by monitoring your credit report; 3) when you are refused credit for inexplicable reasons; 4) when you are contacted by a debt collector for a debt you did not incur; and 5) when you are arrested for a crime you did not commit. Unfortunately, in some instances of identity theft, even the victim cannot detect it until a great deal of damage has been done. This can happen when the identity thief did not access any of the victim's existing accounts, but limited his or her fraud to opening new accounts. Identity theft to avoid arrest or to obtain health services can also be very hard to detect.

Identity theft Detection Techniques

Monitor the volume of your mail
Any sudden drop in the level of mail you receive should be watched carefully. Many victims of identity theft realize something is wrong when mail goes missing or mail orders never arrive.
If you receive bills or account statements for services that you did not request, it is a good indicator of fraudulent activity, which should promptly be followed up.
Check your credit reports
In Canada, free credit reports are available by mail from the two major consumer reporting agencies (credit bureaus). By ordering these reports at least once annually, you can reduce the risk of being a repeat victim of an identity thief. Examining your credit report will enable you to identify:
  • fraudulent accounts that have been opened in your name;
  • unauthorized changes that have been made to existing accounts;
  • unauthorized enquiries for your credit file.
Any suspect activity should be followed up. It is up to you to contact all creditors directly. The credit bureaus do not do this. If an enquiry for your credit file cannot be confirmed by you, then the credit bureau will investigate further.
Placing a fraud alert on your credit report might be appropriate if you detect any suspect activity. A fraud alert will let you attach a short statement to your credit file. This statement can say something like "My identity might have been stolen. Before granting any new credit, contact me directly at number (XXX) XXX-XXX".
To place a fraud alert on your credit file, contact the credit bureaus. Note that you should contact all credit bureaus. See Contact Information below.
Check your credit card, bank account and utility account statements
You should verify your credit card, bank account and utility account statements for any unauthorized or suspicious activity. Preferably, you should use electronic statements for two reasons: 1) electronic transmission eliminates the risk of the statement being stolen in the mail, and 2) electronic statements can be monitored daily or weekly, compared to monthly for mail delivered paper statements.
Check medical, insurance and tax files
You should check your medical files, through your physician, at least once annually for fraudulent activity. The consequences of medical identity theft can potentially be disastrous for the victim of identity theft.
Your insurance statements should be checked for any unauthorized claims. This should be done at least once a year when a policy is renewed. Income tax statements should be verified to detect any suspicious activity.
Check your criminal record
Ideally, at least once a year, you should obtain a certified criminal record check, to make sure your identity was not used by an identity thief to avoid arrest. Certain fees are applicable and a full set of fingerprints must be provided. Verifications to determine if a warrant was issued in your name should also be conducted.

Where can I get Help if I'm a Victim?

If you detect suspicious activities or fraudulent transactions conducted in your name, you can and should report them to the organizations listed below.
You should note all the steps and actions you take in reporting the issue. This information should be kept in a safe place for future reference. Errors can reappear on your credit reports or your information can be re-circulated. If this happens, you'll be glad you kept your files.
You should fill out an Identity Theft Statement. The Identity Theft Statement is a form that you can use to notify financial institutions, credit card issuers and other companies that you have been a victim of identity theft, and give them the information they need to begin an investigation of the incident.
For more information on the Identity Theft Statement, please see the Consumers Measures Committee web site. The Consumers Measures Committee web site also offers additional advice to identity theft victims.
The Canadian Identiy Theft Support Centre
The Canadian Identity Theft Support Centre (CITSC) is Canada's first comprehensive support centre for victims of identity theft. It provides much needed support services for victims of identity theft who undertake the often long and difficult road to recovering their identities. This identy recovery process is typically lengthy and time-consuming. Modelled on the successful U.S. based Identity Theft Resource Center, the CITSC will operate as a source of guidance for Canadians in their attempts to navigate this process.
The CITSC is a source of educational materials aimed at educting Canadians on how to protect their identities and on steps that can be taken by Canadians to help spot early signs that their identity may have been stolen. 
Financial Institutions
You should start by contacting the financial institution with which you hold the account(s) affected. Tell them what happened, and ask them to investigate the occurrence, cancel and re-issue any cards that were affected, and close any fraudulent or affected accounts. If the financial institution accepts the Identity Theft Statement, provide them with a copy. If they do not accept it, ask them what information they require and provide it to them.
It is also a good idea to contact the other financial institutions with which you do business to notify them of the issue. This will ensure they are aware of the situation and you can instruct them to take extra precautions when dealing with your accounts.
Credit Bureaus
Next you should contact the two consumer reporting agencies (credit bureaus). For the contact information of the consumer reporting agencies, see "How can I obtain my credit report?" below.
When contacting consumer reporting agencies you should request that a Fraud Alert be placed on your credit file (see "What is a Fraud Alert" for more information), though not all bank systems will receive such statements. It would also be useful to make use of credit monitoring services provided by the credit bureaus, which will alert you whenever an inquiry is made on your credit report.
Law Enforcement
You should report the activity to your local police department and ask them to provide a police report. The local police department will either investigate the situation or forward your complaint to the appropriate law enforcement agency. To help investigators you can provide a copy of the Identity Theft Statement described above. This will give investigators the information they need to open an investigation.
Obtaining a police report will help you deal with the fallout of any fraudulent activity committed in your name. A police report will help you remove fraudulent transactions from your credit file held by consumer reporting agencies (credit bureaus). It can help you clear up other fraudulent information in any criminal record stemming from the identity theft, medical records, etc. If you obtain a police report, include a copy of it in all correspondence you send to other institutions.
Government Agencies
If you suffered the loss or theft of identification documents issued by government agencies, contact the responsible ministry or department as soon as possible.
PhoneBusters National Call Centre
Phonebusters has a mandate to gather information and intelligence about identity theft, and will provide advice and assistance to identify theft victims. You can call Phonebusters toll free at 1-888-495-8501.
Reporting Economic Crime Online (RECOL)
RECOL is an initiative that involves an integrated partnership between International, Federal and Provincial Law Enforcement agencies, as well as with regulators and private commercial organizations that have a legitimate investigative interest in receiving a copy of complaints of economic crime.
RECOL will recommend the appropriate law enforcement or regulatory agency and/or private commercial organization for potential investigation.
You can visit RECOL's web site to find out what information requires when you want to file a complaint.
Other steps you can take
  • Check your real property registration to ensure that no one has put a mortgage on your property.
  • Check your criminal record.
  • Contact Canada Post if you suspect someone has changed your address or is diverting your mail.
  • Advise your local phone company, cable provider, and utility companies that an impostor may try to open new accounts fraudulently.

How can I obtain my credit report?

You can obtain a free copy of your credit report by contacting the two major consumer reporting agencies (credit bureaus).

What is a Fraud Alert?

Fraud alerts are sometimes referred to as "Security Alerts". A Fraud Alert is placed in your credit file by consumer reporting agencies (credit bureaus). The goal of a Fraud Alert is to notify creditors (credit grantors) that you may be a victim of identity theft. Creditors who are notified of the Fraud Alert will usually take extra precautions before issuing new credit in your name.
A fraud alert will let you attach a short statement to your credit file. This statement can say something like "My identity might have been stolen, before granting any new credit, contact me directly at number (XXX) XXX-XXX".
However, nothing in Canadian law obliges the creditors to take additional measures when a Fraud Alert is present in a credit file. It should also be noted that not all credit grantors will obtain a credit report before issuing new credit or opening accounts in your name. Thus a Fraud Alert is not a fail-proof protection.

What can organizations do to reduce identity theft?

Identity thieves rely on a vast array of techniques to acquire personal information about individuals and use this information in a multitude of illegal ways. As more and more personal information is collected, retained, transferred and disposed of by governments and by the corporate sector, the risks of identity theft have increased. Individuals expect organizations to protect their personal information, and organizations should be careful to do so at each stage of the information management process.
The following suggestions are not exhaustive and are not meant to replace a comprehensive risk analysis of threats and vulnerabilities which might be present in your organization.
Comply with the privacy legislation
The federal Personal Information Protection and Electronic Documents Act and other provincial legislation impose certain duties on organizations in regards to the collection, use, disclosure and destruction of personal information they hold on individuals. By adhering to the obligations imposed by these laws you reduce the risk of identity theft.
Limit the collection and use of personal information
Organizations should know what information they are collecting and why it is being collected. Collect only the information you need and no more. When possible, you should limit the use of highly sensitive personal information such as social insurance numbers, driver's licences, etc. Instead of using these identifiers as unique identifiers for clients, generic identifiers should be used.
Recognize the risks
The risk of identity theft which organizations face comes primarily from the unauthorized access to personal information held by the organization. Unauthorized access takes two forms: 1) access by outsiders who generally circumvent protection measures in place; and 2) access by insiders (employees) who are either not authorized to access the information or use the information for unauthorized purposes.
Unauthorized access can also lead to the theft, destruction or manipulation of corporate information, as well as theft of personal information of employees, customers or other individuals from databases or files that are under the responsibility of the organization.
Use adequate security and privacy protections for storing, transferring and disposing of personal information.
As indicated above, the risk is mainly from unauthorized access to personal information that is either in storage or being transmitted. Adhering to adequate security protections will help reduce this risk. The ISO 17799 Information Security Portal standard describes appropriate security measures and strategies for both the paper and electronic realms.
Notification of security breaches
When you discover that a security breach occurred, notifying the individuals whose personal information was compromised will give them the opportunity to take defensive measures to reduce the risk of identity theft. When clients are informed of such a breach, they can closely monitor their account statements, place a fraud alert on their credit reports and report any unauthorized activity that took place.
Security breaches should also be reported to the appropriate law enforcement agencies. Organizations affected by breaches should investigate incidents and take steps to prevent further occurrences.
Limit the amount of personal information sent by mail
Identity theft is facilitated by mail theft. By limiting the personal information sent by mail to clients, you can reduce the risk of that information being misappropriated by mail theft.
Use adequate authentication procedures
When individuals make inquiries for personal information, take appropriate precautions to identity the individual, to make sure they are who they claim to be.

Resources for businesses and organizations

Consumer Measures Committee
The Consumer Measures Committee provides a Business Identity Theft Checklist which you can follow to reduce the risk of identity theft being committed against your clients. A more exhaustive guide, also compiled by this committee, can be downloaded.
ISO 17799
Information on the ISO 17799 can be obtained on the internet.
Information and Privacy Commission of Ontario (IPC)
Public Safety and Emergency Preparedness Canada
Public Safety and Emergency Preparedness Canada published a Public Advisory: Special Report for Retail Businesses on Identity Theft.


Contact Information for reporting and detecting ID theft
The Canadian Identiy Theft Support Centre
The Canadian Identity Theft Support Centre (CITSC) is Canada's first comprehensive support centre for victims of identity theft.
Hours of Operation:
  • Monday – Friday
  • 10:30am – 7:30pm (EST)
Phone (Toll-free): 1.866.436.5461
PhoneBusters National Call Centre (PNCC)
Ontario Provincial Police Anti-Rackets
Fax: 1-888-654-9426
Reporting Economic Crime Online (RECOL)
Equifax Canada Inc. (credit reports; fraud alerts)
Consumer Relations Department
Box 190 Jean Talon Station
Montreal PQ H1S 2Z2
TransUnion Canada (credit reports; fraud alerts)
Sales and Marketing Division
325 Milner Avenue, Suite 1501
Toronto ON M1B 5N1
Non-profit Organizations
Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a two-part mission -- consumer information and consumer advocacy. The PRC offers an Identity Theft Victims Guide and Identity Theft Resources.
Identity Theft Resource Center
The Identity Theft Resource Center is an American nonprofit organization that focuses exclusively on identity theft. ITRC was founded in December 1999 by Linda and Jay Foley. While its national office is based in San Diego, CA, ITRC has representatives working with its program throughout the United States.
The website is dedicated to Identity Theft Prevention and Survival. It covers numerous identity theft subjects.
The Society of Internet Professionals (SIP)
The Society of Internet Professionals offers numerous Identity Theft & Fraud Resources from books to useful links.
The BBBOnline offers an Identity Theft guide that covers what identity theft is, how it happens, how to protect ones identity, etc.
Canadian Council of Better Business Bureaus
The Canadian Council of Better Business Bureaus offers general information on identity theft and links towards more information.
Better Business Bureau - Manitoba
The BBB published a guide entitled Preventing, Detecting and Correcting Identity Theft.
Credit Union National Association
The Credit Union National Association offers Identity Theft Resources such as brochures such as "How to Prevent & Get Over It", videos and other useful links.
University of Illinois
The University of Illinois offers a short guide titled "Identity Theft: Resources and Strategies".
University of Southern Indiana
The University of Southern Indiana offers Identity Theft Resources that covers how to protect yourself and what steps to take if your personal information is compromised.
Dartmouth College
The Dartmouth College offers Identity Theft Resources which provide links to other identity theft resources.
McMaster University - Identity Theft
McMaster University offers general information on identity theft which covers how to protect yourself what to do if you become a victim.
Canadian Federal and Provincial Government
Consumer Measures Committee
The Consumer Measures Committee has a representative from the federal government as well as every province and territory. The CMC provides a federal-provincial-territorial forum for national cooperation to improve the marketplace for Canadian consumers, through harmonization of laws, regulations and practices and through actions to raise public awareness. The Consumer Measures Committee has Working Group on Identity Theft.
Saskatchewan Justice
The Consumer Protection Branch offers two guides. The first guide is "Tips for Reducing the Risk of Identity Theft" and the second guide is "What to do if it happens to you".
Information and Privacy Commission of Ontario
The Information and Privacy Commission of Ontario offers these two short brochures "Identity theft and your credit report: What you can do to protect yourself" and "Identity Theft: How to Protect Yourself".
Ministry of Government Services of Ontario
The Ministry of Government Services of Ontario offers an Identity Theft guide which describes what identity theft is, how to reduce the risk and how to detect if you have been victimized.
Department of Government Services of Newfoundland & Labrador
The Department of Government Services of Newfoundland & Labrador offers Tips for Reducing the Risk of Identity Theft. The page also contains links to these three related documents "What To Do If Identity Theft Happens To You", "Identity Theft Statement", "Identity Theft Statement Instructions".
Royal Canadian Mounted Police (RCMP)
The RCMP offers two publications on identity theft: a short guide on Identity Theft, with tips for individuals, and another guide specifically designed for students entitled "Personal Information and Scams Protection - A Student Practical Guide". The RCMP also operates a website with information on identity fraud and related crimes, at .
Ontario Provincial Police
The Ontario Provincial Police offers a short Tip Sheet on identity theft.
Calgary Police Service
The Calgary Police Service Crime Prevention Unit provides a guide entitled "Steps to Avoid Becoming a Victim".
Public Safety and Emergency Preparedness Canada (PSEPC)
PSEPC offers a number of Identity Theft resources, including a guide on "Best Practices for Preventing Online Identity Theft", a guide on "Advice for Consumers". PSEPC also published the following public advisory "Public Advisory: Special Report for Consumers on IDENTITY THEFT".
Office of the Information and Privacy Commission of British Columbia
The Identity Theft Resources of the Office of the Information and Privacy Commission of British Columbia are links towards other organizations involved in identity theft.
Privacy Commissioner of Canada
The Privacy Commissioner of Canada offers various identity theft publications such as "Privacy Commissioner's Message - Five Key Steps to Reduce the Risk of Identity Theft" and "Fact Sheet: Identity Theft".
The's "Identity Theft - Questions and Answers" page provides links to different identity theft resources.
Service Nova Scotia and Municipal Relations
The Service Nova Scotia and Municipal Relations department offers a tip sheet entitled "Tips for Reducing the Risk of Identity Theft".
PhoneBusters is a national anti-fraud call centre jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police. PhoneBusters provides identity theft information and statistics.
Consumers' Bureau of Manitoba
The Consumers' Bureau of Manitoba offers a tip sheet entitled "Tips for Reducing the Risk of Identity Theft".
Canada 's Office of Consumer Affairs
Canada's Office of Consumer Affairs offers consumer tips on Identity Theft via their Canadian Consumer Handbook 2006.
Non-Canadian Government Resources
U.S. Federal Trade Commission
This Federal Trade Commission website is the main United States government website on identity theft.
Office of Privacy Protection of California - Identity Theft
Through the Identity Theft section of its website, the Office of Privacy Protection of California offers a vast amount of information such as "Tips for Identity Theft Protection" and "Identity Theft Victim Check List".
Government of South Australia - Office of Consumer and Business Affaires
The Office of Consumer and Business Affaires offers a variety of identity theft related links via their website.
U.K. Home Office Identity Fraud Steering Committee
This website has been produced by the Home Office Identity Fraud Steering Committee, collaboration between UK financial bodies, government and the police to combat the threat of identity theft.
Better Business Bureau
Equifax is Canada's largest consumer reporting agencies (credit bureaus). You can obtain your credit report from Equifax free of charge. They also offer information on Identity Theft.
TransUnion is Canada's second largest consumer reporting agency (credit bureau). You can obtain your credit report free of charge from TransUnion. They also offer information for Fraud Victims.
Visa offers an identity theft guide entitled "Protect Your Personal Information".
MasterCard offers general information on identity theft including how it occurs, popular scams and victim assistance.
Canadian Credit Report
This website offers information on "Canada Identity Theft and Credit Fraud". You can also order your credit report online using the site, for a fee.
National Bank of Canada
The National Bank of Canada offers tips on how you can protect yourself against Identity Theft.
TD Canada Trust
Canada Trust offers general information on Internet Security and identity theft and tips on how to protect yourself.
Citizens Bank of Canada
The Citizens Bank of Canada offers a few tips to protect yourself.
Scotiabank offers tips to minimize the risk and information on what to do if you are a victim.
Identity Theft Resources
This website offers tips on protecting yourself. It also offers reviews of Identity Theft prevention products.
Identity Theft Security
This website offers general information, news, discussions boards, etc. on identity theft.
On this web page, eBay offers safety tips to prevent identity theft.
Canadian Bankers Association
The Canadian Bankers Association provides tips on minimizing the risk posed by identity theft.
Canada Post
Canada Post offers general information on how identity theft occurs and how to protect yourself.
Merrill Lynch
Merrill Lynch offers an identity theft guide for its clients. The guide is entitled Protecting Yourself Against Fraud and Identity Theft.
Reports on Identity Theft
BC Freedom of Information and Privacy Association
On April 30, 2005, the BC Freedom of Information and Privacy Association published a reported entitled "PIPEDA and Identity Theft".
The Public Interest Advocacy Center (PIAC)
PIAC offers some identity theft publications. They include reports, submissions to public consultations and policy positions.
Heenan Blaikie
The law firm Heenan Blaikie published the following article "Identity Theft - The Sin Of "Sin" Theft (And Other ID Thefts)".
French Resources - Ressources Francophones
Option consommateurs
Office de la protection du consommateur du Québec
This page last updated: June 2, 2007


Law Reform

The Canadian Identity Theft Support Centre (CITSC) is scheduled for its official launch on June 28, 2012. The CITSC will be Canada's first comprehensive support centre for victims of identity theft. It will provide much needed support services for victims of identity theft who undertake the often long and difficult road to recovering their identities. This identy recovery process is typically lengthy and time-consuming. Modelled on the successful U.S. based Identity Theft Resource Center, the CITSC will operate as a source of guidance for Canadians in their attempts to navigate this process.

The CITSC will also act as a source of educational materials aimed at educting Canadians on how to protect their identities and on steps that can be taken by Canadians to help spot early signs their identity may have been stolen. In addition, the CITSC will act as a source of research and knowledge dissemination regarding the parameters and nature of identity theft harms in Canada. 

CIPPIC is highly supportive of the CITSC's initiatives, and will be participating in the public launch of the Centre. Join us in person at the Ottawa launch, which will be held from 1:30 pm - 4:30 pm EST in the Newfoundland Room of the Westin (11 Colonel By Drive) in Ottawa. The Centre will be simultaneously launched in Vancouver, B.C., at Library Square.

As part of its intention to help Canada regain its leadership position in the global digital economy, the government recently concluded a public consultation process which sought submissions from all sectors of the public on who to achieve this objective.

CIPPIC provided two input streams into the Government's consultaiton process. First, we helped develop and endorsed a consensus subimssion convened by Andrew Clement and Karen Louise Smith of the University of Toronto's Faculty of Information. In addition, CIPPIC's 2010 summer interns put together a comprehensive submission that set out 36 recommendations. In this submission, CIPPIC calls on the government to encourage the creation of a digital environment that will be better for all Canadians and will serve as a model for other jurisdictions. CIPPIC offers recommendations on issues such as privacy, online file-sharing, and on quality and access to communications that will help the government achieve this objective.

For more info see:

Identity theft has become a serious, pervasive and increasingly sophisticated crime in North America, one that has a range of negative impacts for individuals, consumers, the corporate sector and governments. All these stakeholders have a role to play in preventing and combatting identity theft.

IDT Paper No.1: Introduction & Background (2007)

IDT Paper No. 2: Techniques of Identity Theft (2007)

IDT Paper No. 3: Legislative Approaches to Identity Theft (2007)

IDT Paper No. 3A: Canadian Legislation Relevant to Identity Theft: An Annotated Review (March 2007)

IDT Paper No. 3B: United States Legislation Relevant to Identity Theft: An Annotated Review (March 2007)

IDT Paper No. 3C: Australian, French, and U.K. Legislation Relevant to Identity Theft: An Annotated Review (March 2007)

The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.

Canada's 2010 Digital Economy Consultation