The alert from the head of IT is alarming: There’s been a breach of security controls.
The incident recovery (IR) plan kicks in – you do have one, right? – and the IR team will ponder a number of questions, including whether the police should be called, and if so, which force.
To help managers of Canadian organizations, IT World Canada has created a list of phone numbers of the bigger police forces across the country.
If the community your organization is in isn’t on this list, call the general police number (not the number for emergencies), which will put you in touch with the right person. They will take details.
If the force doesn’t have the skills to handle the incident, they will pass it on to the RCMP or provincial police. Remember, in certain communities the local police is the RCMP.
You don’t necessarily have to call the police as soon as there’s been a suspected criminal incident. As one lawyer told us, the organization’s first responsibility is to stay alive and protect personal information. Ultimately, however, police should be called.
However, certain organizations should call the police as soon as possible: Companies in the critical infrastructure sector (including hospitals, utilities, transportation firms, telecoms, banks and food distributors), and any company if a breach of security controls could result in imminent harm to employees, customers or the public.
Be prepared when you do call. Police want to know more than, ‘We’ve been hit.’ A police force with cyber experts may want answers to lots of IT-related questions to help their investigation (for example, information about your network, infrastructure, suspicious URLs recently seen, firewall logs, a list of the company’s public-facing IP addresses …). If you want to prosecute, police will want original logs and data, not copies.
One force told us it has an eight-page questionnaire for victims of ransomware attacks to help its investigation.
Don’t, however, expect the police to help your IT department rebuild systems.
Eventually there may be one nationwide number and secure online reporting site for the RCMP’s fledgling National Cybercrime Co-ordination unit (NC3). However, the NC3’s national cybercrime and fraud reporting system won’t start until 2023 at the earliest.
Until then, the current RCMP advice is to call your local police department.
If you don’t have phone numbers handy, here’s a short list of police forces who answered our request for contact numbers. Unless otherwise noted, these are general numbers:
–Ontario Provincial Police 1-888-310-1122
–Edmonton Police 780-423-4567
–Calgary Police 403-266-1234
–Regina Police 306-777-6500
–Winnipeg Police 204-986-6222
–Peel Regional Police 905-453-3311
–Toronto Police 416-808-2222
–Halifax Police 902-490-5020 or 902-490-5016
Fraud-related crime (cyber or not) can also be reported to the Canadian Anti-Fraud Centre by phone at 1-888-495-8501, or using a secure Online Reporting System tool. To do that, you have to already be subscribed to the federal government’s GC Key (user ID/password) or Sign-In by Verified.Me service.
(Note: This article doesn’t deal with notifying a territorial, provincial or federal Privacy Commissioner, financial, energy or other regulator of a breach of security controls. Reporting to regulators will be mandatory under applicable provincial or federal legislation.)
Why call police
There are good reasons to call police even if the attackers are outside the country: Law enforcement agencies need to know the extent and types of cybercrime victim firms are facing. This not only helps chiefs of police decide what staffing and tools they need — if they have cyber squads — it also helps them work with police and prosecutors in other countries.
And it helps politicians – who fund police departments – understand the extent of cybercrime.
It works the other way, too: Using their sources, police and federal government agencies will sometimes warn organizations that their computer systems have been compromised by a threat actor.
Statistics Canada issues an annual cybercrime report based on incidents reported to selected police forces.
“I can’t think of any incident where a client of mine has said, ‘We will not inform the police,’” said Bradley Freeman, Vancouver-based cybersecurity and privacy law partner at the Borden Ladner Gervais law firm.
“Our general recommendation is to always let law enforcement know what’s going on – municipal, provincial, federal, whatever level it might be depending on where the client is based,” says Imran Ahmad, Toronto-based co-chair of the data protection, privacy and cybersecurity practice at the Norton Rose Fulbright Canada law firm.
“However, we try to manage expectations. Often clients will think law enforcement will come in and scan the computers, get them back up and running and all of a sudden they’re off to the races, back to work. That’s not the case. That’s not the [police] mandate.”
What police departments with a cybercrime staff can do, Ahmad said, is collect indicators of compromise, which are fed into a national database and likely shared more broadly with other law enforcement agencies. That could lead to the arrest of perpetrators if they are in Canada, or lead to the dismantling of an international gang’s IT infrastructure with the help of police in other countries.
Police don’t have to be called immediately, Ahmad added. Legally an organization’s first obligation is restoring business operations.