
Recent IPC Decisions Confirm Notification Obligations when Personal Information is Encrypted Only

Also authored by: Jaime McKibbon

On July 5, 2024, the Information and Privacy Commissioner of Ontario (IPC) released three decisions that address the issue of whether an obligation to notify affected individuals arises if personal health information (PHI) and personal information (PI) is encrypted by a threat actor during a cyber-incident, but is not otherwise accessed.[1]

Somewhat surprisingly, the IPC held that such an obligation does arise under the Personal Health Information and Protection Act (PHIPA) and the Child, Youth and Family Services Act (CYFSA). Although the institution in each case provided evidence that the PHI or PI at issue was not accessed or exfiltrated by the threat actor and had been fully restored from backups, and argued that notification of the individuals to whom the information related was therefore not required under the Acts, the IPC disagreed.

This is an important development in the IPC’s interpretation of privacy legislation. Previously, institutions were clearly responding to cyber incidents on the basis that notification was not required where PHI or PI was encrypted only and not otherwise accessed or exfiltrated. Although in the recent decisions the IPC did not require the institutions to retroactively provide notification beyond what had already been done, going forward this change will result in notification being provided to, in some cases, thousands of affected individuals who previously would not have been notified. For the institutions, it will involve the cost in time, money and other resources of having to provide notification and respond to the inevitable fallout.

These decisions are also important for institutions that collect PI under the Freedom of Information and Privacy Protection Act (FIPPA) and the Municipal Freedom of Information and Privacy Protection Act (MFIPPA). Although neither of these Acts currently contains notification provisions in the event of a privacy breach, the IPC’s practice has been to expect such institutions to comply with “best practices”. It is as yet unknown whether the IPC will consider notification under FIPPA and MFIPPA in cases of encryption only to be a requirement based on best practices, but institutions will need to consider this when responding to future breaches.

Of course, any institution collecting PI under FIPPA in particular may soon be subject to the amendments of Bill 194, which will include mandatory breach reporting in circumstances of a “real risk of significant harm” (RROSH). It remains to be seen whether PI that is encrypted only meets the RROSH test.

Background

In all three cases, ransomware was deployed against an organization, resulting in the full encryption of several servers containing personal information. Encryption is the process by which data is encoded or scrambled, rendering it unreadable and inaccessible to authorized users in an organization.[2] The adjudicator accepted this definition and accepted that, in each case, the threat actor did not access, view, open, or exfiltrate any personal information or personal health information (“PHI”).[3]

The Cyberattacks

The breach was discovered quickly in each organization. It was either immediate, as with the Children’s Aid Society (“CAS”), or within one week. After discovering the breach, each of the organizations took several steps pursuant to their response protocols. Each organization hired external counsel to investigate the breach and reported it to the IPC.[4] Kingston, Frontenac, Lennox & Addington Public Health (“KFL&A”) and the Hospital for Sick Children (“the Hospital”) also reported to law enforcement and posted public media releases about the event, resulting in local media coverage.[5]

The Issue

The issue in each case was limited. First, whether the encryption of servers triggered the duty to notify affected individuals. If the duty to notify was triggered, the second question was whether the steps taken by each organization complied with the notification requirement.

IPC Findings

In all cases, the adjudicator concluded that the encryption of the servers resulted in unauthorized use and a loss of PHI and/or PI within the scope of ss. 308(2) and 12(2) of the CYFSA and PHIPA, respectively.[6] As a result, the duty to notify was triggered for each.

Only the CAS was ordered to notify affected individuals within 30 days via an indirect notice, such as through a website notice or public release.[7] No further notice was ordered for KFL&A or the Hospital, despite the finding that their actions had not complied with the notice requirements under s. 12(2) of PHIPA.[8]

The adjudicator noted that these findings did not mean that each organization had failed to take reasonable steps to protect personal information.[9] The adequacy of the protection measures in place was not in dispute.

Analysis

To arrive at the findings noted above, the adjudicator looked at the requirements of the relevant provisions of PHIPA and CYFSA. Specifically, they examined whether the encryption constituted disclosure, use, or loss of personal information as those terms are defined (or not) under each Act.

A) Does encryption constitute “disclosure” of personal information?

The adjudicator found that encryption in these cases constituted a use and loss, and thus declined to make any findings on the issue of disclosure.[10]

B) Does encryption constitute a “use” of personal information?

In their explanation of the encryption attack, each organization provided the adjudicator with a helpful analogy to argue why the encryption did not constitute a “use” or “loss” within the meaning of the statutes. Since the encryption did not result in the attacker accessing individual files, the organizations argued it was like locking a filing cabinet with documents inside.[11] They argued that preventing authorized users from accessing the documents did not constitute “using” the information or altering it in any way.

Each organization argued that since the information was not being individually dealt with or exfiltrated, the duty to notify was not triggered. The CAS also urged the adjudicator to adopt an interpretation of the word “use” that would limit it to only the actions of authorized users, since the term is not defined in the CYFSA.

The adjudicator disagreed with the proposed definition and concluded that the term “use” can apply to the actions of unauthorized parties external to an organization.[12] Additionally, it was held that “use” does not require that the attacker access the information directly. Relying in particular on the definition of “use” included in PHIPA, the adjudicator held that making the personal information inaccessible to authorized users for any amount of time is a way of “dealing with” or using the information in a manner within the scope of the relevant provisions.[13]

C) Does encryption constitute a “loss” of personal information?

In each case, the organization also argued that encryption alone did not constitute a “loss” since nothing was altered or exfiltrated by the attacker. Each organization stated that, due to adequate backup procedures in place, it was able to restore the servers and information with nothing lost.[14] Of note, unlike “use”, “loss” is not defined in either Act. Nonetheless, the adjudicator rejected this argument, finding that a purposive interpretation of “loss” is needed.[15] Since the personal information was temporarily inaccessible to authorized users, this constituted a loss of access under s. 12(2) of PHIPA and s. 308(2) of the CYFSA.[16]

In recognizing the potential breadth of the proposed definition, and the possibility of “notification fatigue”, the adjudicator was careful to circumscribe this purposive definition of “loss”, excluding any routine or non-routine disruptions.[17] Essentially, any loss of access resulting from a power outage or scheduled maintenance, for example, would not be caught under this purposive definition. Using this definition, loss of access to information for any period will only trigger the duty to notify where it relates to ransomware and cyberattacks.[18]

D) What notice is sufficient, and did the organizations comply?

Since the duty to notify was triggered in each case, the issue was whether the steps taken by the organizations were sufficient to satisfy ss. 308(2) and 12(2). For the CAS, the adjudicator found no notification had occurred and ordered that they notify individuals within 30 days of the decision.[19]

For KFL&A and the Hospital, updates were posted on public websites and local media coverage followed the investigations. However, the adjudicator found this did not comply with the notification requirement, since neither informed the affected individuals of their right to file a complaint with the IPC.[20] Despite this finding, the adjudicator found that it was not useful to make an order requiring further notification because of the amount of time that had passed.[21]

In determining what kind of notice is sufficient, the adjudicator pointed to other cases and concluded that a flexible approach should be taken.[22] Organizations can consider the number of affected individuals, publicity around the breach, the amount of time since the attack occurred, etc.[23] A direct approach may be reaching out to affected individuals personally, in contrast with an indirect approach ordered for the CAS, which could be a public release or website notice.

Important Takeaways

Based on these recent decisions, the requirement to notify affected individuals in the event of a cyber-attack is broader than was previously thought. Of note, none of the relevant privacy legislation mandates how notification must be provided. Nonetheless, going forward, institutions collecting PI and PHI under PHIPA and CYFSA, as well as FIPPA and MFIPPA, will need to carefully consider and seek legal advice to determine what steps they need to take to meet their notification obligations, based on legislation or best practices, even in circumstances of encryption only.

[1] Halton Children’s Aid Society (Re), 2024 CanLII 67087 (ON IPC) [Halton CAS]; Hospital for Sick Children (Re), 2024 CanLII 67095 (ON IPC) [Hospital for Sick Children]; Kingston, Frontenac and Lennox & Addington (KFL&A) Public Health (Re), 2024 CanLII 67096 (ON IPC) [KFL&A Public Health].

[2] Halton CAS, supra note 1 at para 45.

[3] Ibid at para 52; Hospital for Sick Children, supra note 1 at para 39; KFL&A Public Health, supra note 1 at para 28.

[4] Halton CAS, supra note 1 at para 5; Hospital for Sick Children, supra note 1 at para 4; KFL&A Public Health, supra note 1 at para 5.

[5] Hospital for Sick Children, supra note 1 at para 6; KFL&A Public Health, supra note 1 at para 3.

[6] Halton CAS, supra note 1 at para 3; Hospital for Sick Children, supra note 1 at para 17; KFL&A Public Health, supra note 1 at para 17.

[7] Halton CAS, supra note 1 at para 75.

[8] Hospital for Sick Children, supra note 1 at p 16; KFL&A Public Health, supra note 1 at p 12.

[9] Halton CAS, supra note 1 at para 65; Hospital for Sick Children, supra note 1 at para 54; KFL&A Public Health, supra note 1 at para 40.

[10] Halton CAS, supra note 1 at para 25; Hospital for Sick Children, supra note 1 at para 26; KFL&A Public Health, supra note 1 at para 24.

[11] Halton CAS, supra note 1 at para 49; Hospital for Sick Children, supra note 1 at para 32; KFL&A Public Health, supra note 1 at para 27 (similar analogy of a shed).

[12] Halton CAS, supra note 1 at para 41.

[13] Ibid at para 53; Hospital for Sick Children, supra note 1 at para 34; KFL&A Public Health, supra note 1 at para 29.

[14] Halton CAS, supra note 1 at para 59; Hospital for Sick Children, supra note 1 at para 47; KFL&A Public Health, supra note 1 at para 36.

[15] Halton CAS, supra note 1 at para 63.

[16] Ibid at para 61; Hospital for Sick Children, supra note 1 at paras 49-50; KFL&A Public Health, supra note 1 at para 36.

[17] Halton CAS, supra note 1 at para 62; Hospital for Sick Children, supra note 1 at para 51; KFL&A Public Health, supra note 1 at para 37.

[18] Halton CAS, supra note 1 at para 63.

[19] Ibid at para 3.

[20] Hospital for Sick Children, supra note 1 at para 65; KFL&A Public Health, supra note 1 at para 48.

[21] Hospital for Sick Children, supra note 1 at para 65; KFL&A Public Health, supra note 1 at para 49.

[22] Halton CAS, supra note 1 at para 71; Hospital for Sick Children, supra note 1 at para 63; KFL&A Public Health, supra note 1 at para 45.

[23] Halton CAS, supra note 1 at para 71; Hospital for Sick Children, supra note 1 at para 60; KFL&A Public Health, supra note 1 at para 45.

Jennifer L. Hunter