So you’re the victim of a data breach. What now?

Data breaches are becoming all too common.

Canadians entrust companies with all sorts of personal information. This data can be immensely profitable to fraudsters. And high-profile breaches -- from Yahoo!'s in 2013 to Equifax's in 2017 to Capital One's this year -- seem to be on the rise. Millions of Canadians have had their personal information compromised, exposing them to identity theft and other mischief.

What to do if your personal information has been compromised

If your information has been hacked, there are ways to prevent (further) harm. In general, you should determine whether your personal information was compromised, what type of data is at issue, and whether the breach has been reported to authorities.

Contact the company or financial institution that was affected to find out more information. Find out what personal data was compromised and what you can do to protect yourself.

Assess the seriousness of the breach, and take steps accordingly. Some breaches are more serious than others. For example, if hackers obtained your email address from a blog you follow, this is less serious than if hackers obtained your social insurance number and credit card details from a bank. Take steps accordingly:

If your login information was stolen, change your password immediately. Make sure to change your password on other sites where you used the same username and password.
If your financial information has been compromised, contact Equifax (1-800-465-7166) or TransUnion (online, or at 1-800-663-9980) to place a fraud alert on your credit report. This lets lenders know that they should take extra care before lending money to someone who may be posing as you. Note: You can contact Equifax and TransUnion even if you've never spoken with them before. Credit bureaus in the US allow people to freeze their credit, but as the CBC reports, this is not a service available in Canada.
If you have been individually victimized, file a complaint with your local police service and report fraudulent activity to Canadian Anti-Fraud Centre's Fraud Reporting System (online, or at 1-888-495-8501).

Some privacy breaches may be covered by your insurance. Banks and credit companies offer insurance products specifically to protect against identity theft. Your home or life insurance police may also cover losses related to privacy breaches. Review your insurance policy to determine whether you are covered. And report your breach to the insurer as soon as you become aware of it.

Any data breach is a hassle. It's not fun to change your passwords across the internet. But some breaches are especially harmful because they expose intimate details of your private life or put you at risk of costly frauds. If you are the victim of a mass data breach, you may have a legal claim against the company that failed to keep your information secure. For more information, contact classactions@sotos.ca.

How to know if your data has been hacked

Companies that have been compromised may be slow to notice the breach, or may delay in advising their customers. As of 2018, the Government of Canada requires companies to report major data breaches to their victims and to the Privacy Commissioner. A company that fails to do so may face fines.

Still, it's in your best interests to do your part to keep your accounts as secure as possible and remain vigilant with your personal information.

Keep an eye on the news to learn about breaches that may affect you.
Review bills and account statements regularly to identify any unauthorized activity. If you see any suspicious transactions, contact the company or financial institution immediately to get to the bottom of it.
Order and review your credit report to determine if someone has applied for a loan with your personal information. Credit bureaus or your bank may offer free reports. Alternatively, you can sign up for periodic credit reports from Borrowell (a service that is free to use, but recommends financial products to you based on your financial information).
You can check the website Have I Been Pwned? (HIBP) to see if accounts linked to your email address(es) have been exposed. You can also sign up your email address with HIBP for notifications of breaches that it discovers.

How to protect yourself before a breach

The unfortunate reality is that everyone is a target. The key is to remain vigilant. Here are some tips to protecting yourself prior to a data breach:

Keep your passwords secure. Change your passwords regularly, and make sure they're not easy to guess. Keep different passwords for different websites. Never share login information with others. A password management app can help you keep track of all your login details and generate safe passwords, but make sure you pick a reputable password app.
Choose difficult security questions. Don't use security questions if the answers are apparent from your online activity. For example, a hacker might find out your mother's maiden name by looking through your Facebook friends, find the year you graduated high school from LinkedIn, or see from a Tweet that your first car was a Trabant.
Enable multi-factor authentication, whenever possible. Multi-factor authentication requires you to authenticate yourself more than one way in order to log in. For example, a website may send an authentication code to your phone or email, or may offer an authentication app that generates a new code for each login. This adds another layer of security.
Treat emails and text messages with suspicion. Fraudsters are endlessly clever, and are constantly testing new ways of fooling unsuspecting people. Be careful with emails that encourage you to click a link. If you do not recognize the sender, exercise extra caution. Even if the email looks like it comes from your bank or phone company, it could be a scam ("phishing") email trying to get your log in details. Legitimate emails will usually address you by name. If the email conveys a sense of urgency, google the company and call it from the phone number listed on its website to ask if the email is for real. Trusted websites will usually have a padlock icon in the web-address bar. There is no fail-safe way to root out fraudulent emails, but it is important to stay on guard at all times.