ClearBreach

This guide is for use during an active breach.

Run your formal RROSH assessment and generate required documents in ClearBreach.


Quick reference guides

Applies to: PIPEDA · AB PIPA · BC PIPA · All sectors

Lost or Stolen Device — Quick Reference Guide

Immediate steps, checklists, and reporting deadlines for Canadian organizations responding to a lost or stolen device under PIPEDA, Alberta PIPA, and BC PIPA.

Typical verdict

HIGH — unless confirmed encryption and verified no access

Reporting deadline

As soon as feasible after RROSH is determined — begin assessing immediately, do not wait for device recovery

Documents you will need

  • Internal Incident Record (always required)
  • OPC PIPEDA Breach Report (if PIPEDA RROSH triggered)
  • OIPC Alberta Notification Form (if AB PIPA applies)
  • OIPC BC Notification (if BC PIPA applies)
  • Individual Notification Letter
  • AB PIPA Individual Notice s.19.1 (if AB PIPA individual notification required)

Do not

  • Assume 'we require encryption' means this device was encrypted — confirm through MDM
  • Treat device recovery as resolution — verify data was not accessed
  • Wait for the device to turn up before beginning your RROSH assessment
  • Revoke the device from MDM without also revoking cached credentials (email, VPN, SSO)

First 30 minutes

  • Trigger a remote wipe or remote lock through your MDM platform (Intune, Jamf, etc.) — record the timestamp and MDM confirmation
  • Revoke VPN access, corporate email, and SSO sessions associated with the device
  • Remove the device from your MDM enrollment or revoke its management certificate
  • Designate one person as incident lead — all communications and decisions route through them
  • If the device was stolen: file a police report promptly — document the report number
  • If the device was lost in a public place: notify the location (hotel, transit authority, etc.) and request it be held — document this

Within 24 hours

  • Confirm encryption status: was full-disk encryption (BitLocker, FileVault) active on the device at the time of loss? Can your MDM confirm compliance?
  • Confirm whether a remote wipe completed — check MDM logs for confirmation the wipe executed before the device connected to any network
  • Identify what personal information was on the device:
    • Employee records, contact details
    • Client or customer information
    • Financial or banking data
    • Health or medical information
    • SINs or government-issued ID numbers
    • Passwords, credentials, or authentication tokens
    • Locally cached email (which may contain any of the above)
  • Identify which provinces the affected individuals are in — this determines whether AB PIPA and/or BC PIPA apply in addition to PIPEDA
  • Confirm whether any credentials cached on the device remain valid — revoke any that do
  • Run your ClearBreach assessment — do not wait for the device to be found

Within 72 hours

  • Complete your RROSH assessment in ClearBreach and review your verdict
  • If PIPEDA RROSH threshold is met: file OPC Breach Report as soon as feasible — do not delay for device recovery or further investigation
  • If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
  • If BC PIPA applies and RROSH is met: notify the OIPC BC through their official breach notification process and notify affected individuals
  • Send individual notifications directly to affected individuals — do not substitute a website notice for direct notification
  • Begin populating your Internal Incident Record with all actions taken, timestamps, and decisions made

Ongoing — until resolution

  • If the device is recovered: obtain forensic verification or MDM log confirmation that data was not accessed — document the finding
  • If forensic review confirms no access: reassess RROSH and update your regulator submission if the verdict changes materially
  • Monitor connected accounts (email, cloud storage, VPN) for unauthorized access in the days and weeks following the incident
  • Update your Internal Incident Record as new information becomes available
  • Retain all records for 24 months minimum from the date the breach was discovered
  • Review your device encryption and MDM enforcement policy — document any gaps identified and remediation steps taken
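The triage logic from the checklists above, written out as an added example (not ClearBreach's code or output). It assumes a constructed MDM event export with event names compliance, wipe_issued, checkin, wipe_confirmed and unlock, and that PIPEDA applies while AB PIPA and BC PIPA are triggered by the province of the affected individuals, as the guide describes.

```python
from datetime import datetime

# Constructed MDM export for a lost laptop; every timestamp and value is made up.
LOSS_TIME = "2024-05-01T08:30:00"
MDM_EVENTS = [
    {"ts": "2024-04-30T17:55:00", "event": "compliance", "fde": "BitLocker", "state": "compliant"},
    {"ts": "2024-05-01T09:10:00", "event": "wipe_issued"},
    {"ts": "2024-05-01T09:41:00", "event": "checkin"},
    {"ts": "2024-05-01T09:42:00", "event": "wipe_confirmed"},
]

def _t(s):
    return datetime.fromisoformat(s)

def encryption_confirmed(events, loss_time):
    """Policy is not proof: the last MDM compliance record before the loss must say compliant."""
    before = sorted((e for e in events if e["event"] == "compliance" and _t(e["ts"]) <= _t(loss_time)),
                    key=lambda e: e["ts"])
    return bool(before) and before[-1]["state"] == "compliant"

def no_access_verified(events, loss_time):
    """Wipe confirmed by MDM, and no unlock or user session logged between the loss and the wipe."""
    wipes = [_t(e["ts"]) for e in events if e["event"] == "wipe_confirmed"]
    if not wipes:
        return False
    start, end = _t(loss_time), min(wipes)
    return not any(e["event"] in ("unlock", "user_session") and start <= _t(e["ts"]) < end
                   for e in events)

def presumed_verdict(events, loss_time):
    """The guide's default: HIGH unless encryption is confirmed and no access is verified."""
    if encryption_confirmed(events, loss_time) and no_access_verified(events, loss_time):
        return "REASSESS"  # presumption lifted; complete the formal RROSH assessment
    return "HIGH"

def required_documents(rrosh_met, provinces):
    """Map the RROSH result and the affected individuals' provinces to the guide's document list."""
    docs = ["Internal Incident Record"]  # always required
    if not rrosh_met:
        return docs
    docs.append("OPC PIPEDA Breach Report")
    if "AB" in provinces:
        docs += ["OIPC Alberta Notification Form", "AB PIPA Individual Notice s.19.1"]
    if "BC" in provinces:
        docs.append("OIPC BC Notification")
    docs.append("Individual Notification Letter")
    return docs

if __name__ == "__main__":
    print(presumed_verdict(MDM_EVENTS, LOSS_TIME), required_documents(True, {"ON", "BC"}))
```

Feed it your own MDM export and the provinces from your affected-individual list; an unlock event before the wipe, or a missing compliance record, keeps the presumed verdict at HIGH.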

Alberta PIPA — specific steps

  • Notify OIPC Alberta and affected individuals simultaneously — simultaneous filing triggers the streamlined review process and a private closing letter
  • Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
  • Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
  • Submit by email to breachnotice@oipc.ab.ca

BC PIPA — specific steps

  • BC PIPA applies if any affected individuals are BC residents — applies regardless of where your organization is based
  • Notify the OIPC BC through their official breach notification process (oipc.bc.ca)
  • Notify affected BC residents directly — do not substitute a general public notice for direct notification
  • File with the OIPC BC and notify affected individuals as soon as feasible after your RROSH determination

MSPs — if managing this for a client

  • Execute the MDM remote wipe immediately — document timestamp and MDM confirmation
  • Revoke device credentials from any systems you manage that the device had access to
  • Confirm with the client in writing who leads regulatory notification before acting on their behalf
  • Run a ClearBreach assessment under your MSP account for the affected client organization
  • Document all client communications with timestamps

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.

Want the full background?

Read the educational playbook for this scenario.


Run your formal assessment now

ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.
