Does an organization have a privacy reporting obligation when threat actors gain access to its IT systems, but don’t actually exfiltrate any data?
In July 2024, the Information and Privacy Commissioner of Ontario (IPC) considered this issue in a series of decisions concerning cyberattacks against organizations subject to Ontario’s Personal Health Information Protection Act (PHIPA), and Part X of the Child, Youth and Family Services Act (CYFSA). Three of the four decisions considered a similar set of circumstances wherein personal information[1] was encrypted by a threat actor but not exfiltrated from the organization, and where the organizations were able to subsequently recover the information through decryption or from backups.
The IPC considered whether unauthorized encryption of personal information was sufficient to constitute a breach under the applicable legislation and, if so, whether the organizations satisfied their duty to notify affected individuals.
It may come as a surprise to organizations to learn that the adjudicator found that encryption alone did amount to a breach for which individuals had to be notified under PHIPA and CYFSA.
Additionally, while the IPC’s decisions pertain specifically to obligations under PHIPA and CYFSA, the analysis of what constitutes a “loss” and “use” of personal information may be adopted by regulators with jurisdiction over Canada’s private sector privacy legislation, and may, therefore, influence what is considered a privacy breach under those statutes as well.
As a result of these findings, organizations may need to implement more robust notification procedures than what they currently have in place.
THE LEGISLATIVE CONTEXT
Canada has a patchwork of privacy legislation aimed at protecting individuals’ personal information.[2] At the federal level, there is the Personal Information Protection and Electronic Documents Act (PIPEDA),[3] which applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity, and the Privacy Act, which provides a similar function for federal institutions. At the provincial level, some provinces have enacted private sector and sector-specific laws which have been deemed “substantially similar” to PIPEDA, in which case the provincial law governs the processing of personal information, as opposed to PIPEDA.
There is no uniform approach to governing breaches of personal health information across Canada’s privacy laws. Each privacy statute addresses the concept of a breach of personal information in its own fashion, with some specifically defining the concept and others alluding to it in more general terms. Many, but not all, laws contain mandatory breach notification and reporting requirements, whereby affected individuals, relevant privacy commissioners, and/or organizations that may be able to mitigate the harms of the breach are to be advised of a breach. Some laws have risk-based thresholds for when these obligations are triggered,[4] and others require notice be provided simply because a breach occurred. There are also often prescribed elements to be included in any notification communication; however, the prescribed elements differ between statutes. Given these subtle differences, ascertaining when a breach has occurred and what notification obligations apply (if any) must be done on a case-by-case basis.
The IPC decisions that are the topic of this article arose under the jurisdiction of Ontario’s PHIPA and CYFSA. The concept of a “privacy breach” is not expressly defined in those statutes, but both require that affected individuals be notified “at the first reasonable opportunity” if their personal information is “stolen or lost or if it is used or disclosed without authority.” They must also be advised of their ability to make a complaint to the IPC.[5] Notably, as compared to PIPEDA,[6] there are no risk-based thresholds for triggering notification obligations, and there are fewer prescribed notice elements under PHIPA and CYFSA.
IPC DECISIONS
In CYFSA Decision 19, PHIPA Decision 253, and PHIPA Decision 254, the IPC adjudicator considered ransomware attacks against Halton Children’s Aid Society (CAS), the Hospital for Sick Children (Hospital), and Kingston, Frontenac and Lennox & Addington Public Health (KFL&A), respectively. In each case, a malicious threat actor was able to encrypt personal information at the organization’s “container” or server level, thereby making the data inaccessible to the organization’s authorized users. Each incident was discovered relatively quickly (within a week) and there was no evidence that the personal information had been viewed, accessed or exfiltrated by the unauthorized third party. The CAS and the Hospital were able to recover their affected information from backup systems, and KFL&A restored its information through decryption.
The issues before the adjudicator were whether the incidents gave rise to notification obligations under sections 12(2) and 308(2) of PHIPA and CYFSA, respectively, and, if so, whether appropriate notice had been provided. Accordingly, she first considered whether encryption of personal information alone amounted to the theft, loss, or unauthorized use or disclosure of the personal information, thereby triggering the statutory notice requirements.
Encryption as a “use”
In their respective submissions, the organizations maintained that encryption of servers/containers housing personal information was not a use of personal information for the purpose of the Acts, because the threat actors did not have access to or directly interact with the information in question.
The adjudicator rejected these arguments and concluded that transforming the containers by encryption also transforms the personal information housed within the containers by making that information inaccessible to the individuals who are authorized to use it. This, in the adjudicator’s view, amounts to “handling” or “otherwise dealing with” the personal information within the meaning of “use” for the purposes of PHIPA and CYFSA, regardless of whether the threat actor views, accesses or exfiltrates the specific files containing personal information. Accordingly, the adjudicator found that the mere act of encrypting containers/servers housing personal information was, in and of itself, a “use” of that information within the meaning of the two statutes. Further, given that the threat actors were not authorized to encrypt the organization’s servers, their doing so amounted to an “unauthorized use” thereby triggering notification obligations.
Encryption as a “loss”
The organizations also argued that because encryption did not alter the personal information, and because the organizations were able to recover it from backups or via decryption efforts, the incidents did not amount to a “loss.” Again, the adjudicator rejected this argument. Because personal information was made unavailable to the authorized users as a result of an unauthorized activity, she found that a “loss” of that information had occurred within the meaning of section 308(2) of the CYFSA and 12(2) of PHIPA, thereby triggering the duty to notify affected individuals.
Notably, the adjudicator went on to distinguish the ransomware attacks in question from other “non-routine disruptions” to an organization’s ability to access or use personal information, such as an unexpected power outage or scheduled system maintenance. She noted that an overly broad interpretation of the terms “lost” and “loss” could require the notification of individuals in situations like these, and quickly lead to notification fatigue, disproportionate costs, or other unintended consequences. However, by adopting a purposive approach, she found that sections 12(2) and 208(2) of PHIPA and CYFSA, respectively, call for individuals to be notified if there has been an unauthorized act respecting their personal information. She found that it is consistent with the purposes of these notice provisions for affected individuals to be informed of a threat actor’s “malicious action done with the intention of, and having the effect of, denying [an organization] access to those individuals’ personal information” under the organization’s custody or control.
Encryption as a “disclosure”
Recall that notice obligations are triggered under PHIPA and CYFSA where personal information is “stolen or lost or if it is used or disclosed without authority.” Given the adjudicator’s findings that encryption constituted a “loss” and a “use” of the personal information, she declined to determine whether it also amounted to a “disclosure” of that information.
Notification obligations
Having found that personal information was lost and used without proper authority, the adjudicator determined that the organizations were obliged to notify all individuals whose personal information was affected “at the first reasonable opportunity.”
Both the Hospital and KFL&A had provided some form of notice; KFL&A had issued news releases about the attack and recovery process, and the Hospital posted updates on its website and social media informing the public of the attack and its investigation and remediation efforts. However, neither organization informed individuals of their right to file a complaint with the IPC as required by section 12(2)(b) of PHIPA, and therefore the adjudicator determined both failed to satisfy their statutory notice requirements. The adjudicator noted that there is some flexibility in how these notification obligations may be satisfied, which can be influenced by the number of affected individuals, the adequacy of an organization’s response to the attack, the volume and sensitivity of affected personal information, and the evidence of any ongoing risks. Given the circumstances in these two cases (including the passage of time, the sufficiency of the organizations’ responses, and the fact that no useful purpose would be served), she declined to require additional notification be provided.
The CAS had not provided individuals with any form of notice of the ransomware attack that it faced, and was therefore ordered to do so. However, the adjudicator determined that indirect notice via a posting on the CAS’ website or some other form of public notice was sufficient in the circumstances.
IMPLICATIONS AND KEY TAKEAWAYS
These decisions provide a few key takeaways regarding what constitutes a “loss” and “use” of personal information for the purposes of PHIPA and CYFSA – namely:
- Unauthorized encryption of personal information is a kind of “handling” of or “dealing with” the information that amounts to an unauthorized “use” of the information;
- If a threat actor does something to make personal information inaccessible/unavailable to its authorized users, such that the authorized users cannot process the affected information for the purposes of providing authorized services, that amounts to a “loss” of the information;
- Evidence of exfiltration of or direct access to the personal information is not required to establish that a “use” or “loss” of personal information has occurred; and
- Recovery of the affected personal information through backups or decryption does not negate the “loss” or an organization’s notification obligations.
These decisions likely expand the scope of activities/incidents that constitute a breach of personal information beyond organizations’ current expectations, and underscore that a purposive approach should be used when assessing whether notification obligations are triggered. Therefore, organizations governed by these statutes should seek legal advice about whether their existing notification policies and procedures satisfy their statutory obligations. Organizations governed by other statutes (e.g., PIPEDA) should consider the reasoning in these decisions when evaluating their own obligations under PIPEDA.
Further, where notification obligations are triggered under PHIPA and CYFSA, these decisions make it clear that there is flexibility in terms of the form of that notice. While some circumstances may call for individuals to be notified directly, others may permit indirect notification by way of a public posting on an organization’s website, or other form of public notice. The appropriate form will depend on an assessment of the number of affected individuals, the adequacy of an organization’s response to the attack, the volume and sensitivity of affected personal information, and the evidence of any ongoing risks.
Finally, organizations falling under PIPEDA and other private sector privacy statutes would be well served to pay attention to the application of similar statutes. The IPC’s recent jurisprudence may influence the scope of what constitutes a breach under these statutes,[7] which would, in turn, result in statutory remediation and record-keeping obligations being triggered by new categories of activities, such as unauthorized encryption. That said, it may be less likely that encryption alone, without any evidence of a threat actor accessing, viewing, or exfiltrating personal information, would satisfy the risk-based notification thresholds seen under PIPEDA and the substantially similar legislation in Alberta and Québec.
For more information on this topic, please contact the author, Jaime Cardy.
[1] “Personal information” is used throughout this article to refer to both “personal information” as defined in Part X of the CYFSA, and “personal health information” as defined in PHIPA.
[2] Though there are variations in the definition of “personal information” under different statutes, personal information is generally data that, on its own or in combination with other pieces of data, could identify a particular individual. (Office of the Privacy Commissioner of Canada. “Privacy laws in Canada.”) PHIPA includes an enumerated list of categories of information that are considered “personal health information” for the purposes of that statute.
[4] Such as the “real risk of significant harm” threshold seen in section 10.1(3) of PIPEDA. Similar requirements are also seen under Québec’s Act respecting the protection of personal information in the private sector (Québec’s Privacy Act) and Alberta’s Personal Information Protection Act (PIPA), and are proposed to be added to Ontario’s Freedom of Information and Protection of Privacy Act by Bill 194.
[5] PHIPA, section 12(2); CYFSA, section 308(2).
[6] And Alberta’s PIPA and Québec’s Privacy Act.
[7] Notably, the provisions regarding privacy breaches and their corresponding notice requirements refer to a “loss” of personal information in PIPEDA, Québec’s Privacy Act, and Alberta’s PIPA, and an unauthorized “use” of personal information in Québec’s Privacy Act.