Mandatory data breach reporting has been in place in Canada now for almost a year. During that time, over 400 breaches impacting almost two of every three Canadians have been reported to the Office of the Privacy Commissioner, with victims suffering a range of ills from financial crime to violence.

In light of this staggering failure of governments and companies to protect information entrusted to them, it’s now more important than ever that Canadians recognize the risks they face in sharing their personal identifying information (PII) with third parties and be deliberate when choosing with whom to share their PII.

Has your identity been breached?
All clear.
We didn't catch any suspicious activity under this email address.
Suspicious activity detected!
We've detected 5 instances of suspicious activity with this email address.

... analysing data ...

analysing data

1 in 3 Canadians have fallen victim to financial fraud.
Find out if your email address is putting you at risk.

There is an error with the email address provided. Please confirm your email address and try again.

A critical first step in exercising prudence over information sharing is to understand the risk/reward ratio at play. Put simply, each time we as consumers or citizens are asked to share our PII, we should understand the value we receive for doing so and we should be able to measure that value against the potential ills that could befall us should the information be “breached”, or shared with others without our consent.

In certain instances, the risk/reward ratio will clearly favour information sharing. For example, if I am undergoing medical care for a life threatening illness and am asked by my medical team to to share my Date of Birth and Social Insurance Number with my hospital so it may create a secure online account to which critical information concerning my ongoing care will be uploaded and shared with me in real time, I should feel confident that the opportunity to expedite and enhance my medical care far outweighs the potential risks involved should the hospital’s information systems be breached (and there are real risks, such as loss of privacy, damage to reputation, and even financial loss via identity theft).

On the other hand, if a commercial company requests I share with them several pieces of my PII, particularly when only one piece will do, I should immediately question both the necessity and potential ulterior motives of the request. For example, I decide to join a new gym and am asked by the gym fill out a form asking for my Date of Birth, Driver’s License, two Email Addresses, Home Address, Health Card Number, etc.  Rather than obediently fill out the form, I should ask myself why the gym would need all that information and whether they’re being able to easily find me to let me know I forgot my sneakers is worth the risk that all of that data might be compromised in a breach and made available for all to see online. Clearly, the risk/reward ratio in this instance doesn’t favour sharing the requested information.

Over 400 breaches in less than a year is a stark reminder that there’s a market for our personal information, and the onus is on us to be vigilant in protecting it. At Identity First, we don’t store your personal data, but we help keep Canadians safe online by monitoring the deep/dark web for instances of their compromised personal data, and informing them know in real time when it appears.