Individual Breach Response Playbook

A complete checklist for what to do when your personal information has been exposed in a data breach.

TL;DR

Within 24 hours, change passwords and enable MFA. Within a week, place fraud alerts with Equifax and TransUnion, and sign up for offered credit monitoring. Document everything. Consider joining a class action if one is certified.

Hour 0 to 24

Immediate actions:

Change passwords on affected and reused accounts.
Enable multi-factor authentication everywhere possible.
Check statements for unauthorized transactions.
Screenshot and save all breach notifications.

Day 1 to 7

Follow-up actions:

Place fraud alerts on your credit files at Equifax and TransUnion.
Sign up for any credit monitoring offered by the breached organization.
Report to the Canadian Anti-Fraud Centre if fraud has occurred.
File a police report if you are a victim of identity theft.

Ongoing monitoring

Check your credit report annually (free at Equifax and TransUnion).

Watch for unfamiliar mail (new accounts, change of address confirmations).

Continue multi-factor authentication and use unique passwords.

Legal options

You may have rights to complain to the OPC or provincial commissioner, sue for intrusion upon seclusion, or join a class action. Keep records of all time and costs incurred.