ClearBreach

This guide is for use during an active breach.

Run your formal RROSH assessment and generate required documents in ClearBreach.

Start assessment →

Quick reference guides

Tags: PIPEDA, AB PIPA, BC PIPA, All sectors

Lost or Stolen Device — Quick Reference Guide

By Yong Du

Immediate steps for Canadian organizations responding to a lost or stolen device under PIPEDA, Alberta PIPA, and BC PIPA.

Typical verdict

RROSH — unless confirmed encryption and verified no access

Reporting deadline

As soon as feasible after RROSH is determined — begin assessing immediately, do not wait for device recovery

Documents you will need

  • Internal Incident Record (always required)
  • OPC PIPEDA Breach Report (if PIPEDA RROSH triggered)
  • OIPC Alberta Notification Form (if AB PIPA applies)
  • OIPC BC Notification (if BC PIPA applies)
  • Individual Notification Letter
  • AB PIPA Individual Notice s.19.1 (if AB PIPA individual notification required)

Do not

  • Assume 'we require encryption' means this device was encrypted — confirm through MDM
  • Treat device recovery as resolution — verify data was not accessed
  • Wait for the device to turn up before beginning your RROSH assessment
  • Retire or delete the device from MDM before the wipe has been confirmed (an unenrolled device never receives the command), or without also revoking cached credentials (email, VPN, SSO)

First 30 minutes

  • Trigger a remote wipe (or a remote lock, where a wipe would destroy evidence you still need) through your MDM platform (Intune, Jamf, etc.). The command executes only when the device next checks in, so record the time it was issued and, separately, the MDM confirmation that it completed
  • Revoke VPN access, corporate email, and SSO sessions associated with the device. Session revocation invalidates refresh tokens, but access tokens already issued remain valid until they expire, so also cut the device off at the VPN gateway and mail service
  • Only after the MDM confirms the wipe completed, remove the device from MDM enrollment or revoke its management certificate
  • Designate one person as incident lead — all communications and decisions route through them
  • If the device was stolen: file a police report promptly — document the report number
  • If the device was lost in a public place: notify the location (hotel, transit authority, etc.) and request it be held — document this

Within 24 hours

  • Confirm encryption status: was full-disk encryption (BitLocker, FileVault) active on the device at the time of loss? Pull the MDM compliance record and note its last check-in time; the encryption status is only as current as that check-in, and a policy that requires encryption is not evidence that this device was compliant
  • Confirm whether the remote wipe completed: a wipe executes only when the device next checks in, so look in the MDM action log for the completion timestamp (not the time the command was issued) and record the window between the loss and the wipe, during which the data was exposed
  • Identify what personal information was on the device:
    • Employee records, contact details
    • Client or customer information
    • Financial or banking data
    • Health or medical information
    • SINs or government-issued ID numbers
    • Passwords, credentials, or authentication tokens
    • Locally cached email (which may contain any of the above)
  • Identify which provinces the affected individuals are in — this determines whether AB PIPA and/or BC PIPA apply in addition to PIPEDA
  • Confirm whether any credentials cached on the device remain valid — revoke any that do
  • Run your ClearBreach assessment — do not wait for the device to be found
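The first-30-minutes and 24-hour MDM steps above (look up the device, capture its encryption status and last check-in, issue the wipe, revoke sign-in sessions, then check whether the wipe was acknowledged), as an added example that is not part of this guide or of ClearBreach. It assumes Microsoft Intune as the MDM and the Microsoft.Graph PowerShell SDK; Jamf and other platforms expose equivalent operations but are not covered. The device name, loss time, log path and the 7-day staleness threshold are placeholders, and every entry is appended with a UTC timestamp so it can be pasted into the Internal Incident Record.

```powershell
# Added example, not ClearBreach tooling. Assumes Intune + Microsoft.Graph SDK and an account
# holding DeviceManagementManagedDevices.PrivilegedOperations.All,
# DeviceManagementManagedDevices.Read.All and User.ReadWrite.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Users.Actions
param(
    [Parameter(Mandatory)] [string]   $DeviceName,                 # e.g. 'LT-04521' (hypothetical)
    [Parameter(Mandatory)] [datetime] $LostAtUtc,                  # when the user last had the device
    [string] $IncidentLog = './incident-record.log',               # feeds the Internal Incident Record
    [int]    $StaleSyncDays = 7                                    # assumed threshold for "too old to trust"
)

function Write-IncidentLog {
    param([string] $Message)
    $line = '{0:o}  {1}' -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $IncidentLog -Value $line
    Write-Host $line
}

Connect-MgGraph -NoWelcome -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                                   'DeviceManagementManagedDevices.Read.All',
                                   'User.ReadWrite.All'

# 1. Capture what the MDM knew about the device before we act on it.
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" | Select-Object -First 1
if (-not $device) { throw "No Intune record for '$DeviceName'; cannot wipe or confirm encryption." }
Write-IncidentLog ('Device {0} (id {1}) user={2} lastSync={3:o} compliance={4} isEncrypted={5}' -f
    $device.DeviceName, $device.Id, $device.UserPrincipalName, $device.LastSyncDateTime,
    $device.ComplianceState, $device.IsEncrypted)

# Encryption status is only as fresh as the last check-in. A policy requiring encryption proves nothing;
# only the device's own reported state does, and a stale report weakens that evidence.
$syncAge = $LostAtUtc - $device.LastSyncDateTime.ToUniversalTime()
if (-not $device.IsEncrypted) {
    Write-IncidentLog 'Encryption NOT confirmed by MDM. Treat the contents as exposed for the RROSH assessment.'
} elseif ($syncAge.TotalDays -gt $StaleSyncDays) {
    Write-IncidentLog ('Encryption reported, but last sync was {0:N0} days before the loss; evidence is weak.' -f $syncAge.TotalDays)
} else {
    Write-IncidentLog ('Encryption CONFIRMED as of last sync ({0:o}).' -f $device.LastSyncDateTime)
}

# 2. Issue the wipe. It runs only when the device next reaches Intune, so this timestamp
#    is "issued", not "completed".
$wipeBody = @{ keepEnrollmentData = $false; keepUserData = $false }
Invoke-MgGraphRequest -Method POST -Body $wipeBody `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/wipe"
Write-IncidentLog "Remote wipe ISSUED for device id $($device.Id)."

# 3. Revoke cached SSO. This invalidates refresh tokens; access tokens already issued remain
#    valid until they expire, so VPN and mail must still be cut off at the gateway.
if ($device.UserPrincipalName) {
    Revoke-MgUserSignInSession -UserId $device.UserPrincipalName | Out-Null
    Write-IncidentLog "Sign-in sessions revoked for $($device.UserPrincipalName)."
}

# 4. Check for acknowledgement. Leave the device enrolled until the state is 'done';
#    retiring or deleting it first removes the channel the wipe is delivered over.
$current = Get-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id
$wipe = $current.DeviceActionResults | Where-Object ActionName -eq 'wipe' |
        Sort-Object StartDateTime -Descending | Select-Object -First 1
if ($wipe) {
    Write-IncidentLog ('Wipe state={0} started={1:o} updated={2:o}' -f $wipe.ActionState, $wipe.StartDateTime, $wipe.LastUpdatedDateTime)
    if ($wipe.ActionState -eq 'done') {
        $exposure = $wipe.LastUpdatedDateTime.ToUniversalTime() - $LostAtUtc
        Write-IncidentLog ('Wipe COMPLETED. Data was exposed for {0:N1} hours before the wipe.' -f $exposure.TotalHours)
    } else {
        Write-IncidentLog 'Wipe still PENDING: device has not checked in. Do not retire or delete the record yet.'
    }
}
```

Re-run step 4 on its own (a second `Get-MgDeviceManagementManagedDevice` call) during the 24-hour window until the action state reads `done`; the exposure figure it logs is the number the RROSH assessment needs, not the time the command was issued.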

Within 72 hours

  • Complete your RROSH assessment in ClearBreach and review your verdict
  • If PIPEDA RROSH threshold is met: file OPC Breach Report as soon as feasible — do not delay for device recovery or further investigation
  • If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
  • If BC PIPA applies and RROSH is met: notify the OIPC BC through their official breach notification process and notify affected individuals
  • Send individual notifications directly to affected individuals — do not substitute a website notice for direct notification
  • Begin populating your Internal Incident Record with all actions taken, timestamps, and decisions made

Ongoing — until resolution

  • If the device is recovered: obtain forensic verification or MDM log confirmation that data was not accessed — document the finding
  • If forensic review confirms no access: reassess RROSH and update your regulator submission if the verdict changes materially
  • Monitor connected accounts (email, cloud storage, VPN) for unauthorized access in the days and weeks following the incident
  • Update your Internal Incident Record as new information becomes available
  • Retain all records for 24 months minimum from the date the breach was discovered
  • Review your device encryption and MDM enforcement policy — document any gaps identified and remediation steps taken

Alberta PIPA — specific steps

  • Notify OIPC Alberta and affected individuals simultaneously — simultaneous filing triggers the streamlined review process and a private closing letter
  • Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
  • Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
  • Submit by email to breachnotice@oipc.ab.ca

BC PIPA — specific steps

  • BC PIPA applies if any affected individuals are BC residents — applies regardless of where your organization is based
  • Notify the OIPC BC through their official breach notification process (oipc.bc.ca)
  • Notify affected BC residents directly — do not substitute a general public notice for direct notification
  • File with the OIPC BC and notify affected individuals as soon as feasible after your RROSH determination

MSPs — if managing this for a client

  • Execute the MDM remote wipe immediately — document timestamp and MDM confirmation
  • Revoke device credentials from any systems you manage that the device had access to
  • Confirm with the client in writing who leads regulatory notification before acting on their behalf
  • Run a ClearBreach assessment under your MSP account for the affected client organization
  • Document all client communications with timestamps

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.

Want the full background?

Read the educational playbook for this scenario.

Read playbook →

Run your formal assessment now

ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.

Get early access

See a sample verdict →