In Privacy Complaint Report MR21-00090 (the Report or MR21-00090), the Information and Privacy Commissioner of Ontario (IPC) doubled down on its interpretation of an unauthorized “use” of personal information as including situations where a threat actor encrypts drives on which personal information is located, but does not otherwise exfiltrate or directly access that personal information. This decision extends the IPC’s previous interpretation into the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) context.
In its analysis, the IPC considered a trilogy of previous decisions (PHIPA Decisions 253 and 254, and CYFSA Decision 19, together the trilogy decisions) issued under the Personal Health Information Protection Act (PHIPA) and Part X of the Children, Youth and Family Services Act (CYFSA) concerning ransomware attacks involving the encryption of an organization’s servers by a threat actor. In those decisions, the adjudicator found that encryption of an organization’s servers made the information inaccessible to authorized users. On that basis, the adjudicator determined that rendering the information inaccessible amounted to an unauthorized “use” of the information – even though the threat actors had not otherwise viewed or exfiltrated the personal information itself – which triggered notification and reporting obligations under PHIPA and Part X of the CYFSA.
As noted above, the trilogy decisions were decided under PHIPA and the CYFSA, not the MFIPPA at issue in MR21-00090. They have also been criticized as being overly broad and impractical. Nonetheless, the investigator in MR21-00090 found the analysis in the trilogy decisions “informative” in supporting his conclusions regarding whether a privacy breach occurred in MR21-00090, thereby expanding this interpretation of unauthorized uses of personal information, and privacy breaches, to the public sector. Notably, while privacy breaches may be interpreted in a similar manner under the various privacy statutes in Ontario, notification obligations differ between the healthcare/children’s services and public sector contexts.
PRIVACY COMPLAINT REPORT MR21-00090
The Sault Ste Marie Police Service (“Service”) was the target of a ransomware attack that resulted in the encryption of records stored on drives on the Service’s network. The Service took steps to contain, investigate, remediate, and inform local residents about the ransomware attack. The Service also notified the IPC of the incident, despite taking the position that the attack did not amount to a privacy breach because the information was encrypted in place and was not otherwise obtained or exfiltrated by the threat actor.
As a preliminary finding, the investigator concluded that the encrypted records contained information that constitutes “personal information” as that term is defined under MFIPPA. The investigator then considered the two main issues raised by the investigation: (1) whether the Service responded adequately to a breach of personal information; and (2) whether the Service had reasonable measures in place to prevent unauthorized access to records. In doing so, the investigator first needed to determine whether the incident amounted to a privacy breach.
While MFIPPA does not explicitly address privacy breaches, the IPC has issued a guidance document for public sector institutions subject to MFIPPA and its provincial counterpart, the Freedom of Information and Protection of Privacy Act (FIPPA), entitled “Privacy Breaches: Guidelines for Public Sector Organizations” (Privacy Breach Guidelines). The Privacy Breach Guidelines stipulate that a breach occurs when “personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws.” When an institution has encountered a breach, the Privacy Breach Guidelines recommend steps to take to alert appropriate parties, contain and investigate the breach, notify affected individuals if the breach poses a “real risk of significant harm,” and notify the IPC if the breach is “significant.” While the Privacy Breach Guidelines do not have the force of law, they illustrate the IPC’s expectations of public sector institutions when faced with a privacy incident, as illustrated by MR21-00090.
Encryption as a “use” under MFIPPA
In determining whether the ransomware attack amounted to a “breach” as described in the Privacy Breach Guidelines, the investigator considered whether the encryption constituted a “use” of personal information in contravention of MFIPPA.
MFIPPA prohibits the use of personal information except in defined circumstances but does not otherwise define the term “use.” Therefore, to determine whether the encryption by the threat actor constituted a “use” of personal information in contravention of MFIPPA, the investigator applied the modern approach to statutory interpretation (Bell ExpressVu Limited Partnership v. Rex, 2002 SCC 42 at para. 26 and TELUS Communications Inc. v. Wellman, 2019 SCC 19 at para. 47) pursuant to which statutes are to be “read in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament”.
With this in mind, the investigator considered other definitions of “use” in the privacy and access context to inform his interpretation of the term for the purposes of MFIPPA. Specifically, the investigator referred to the definition of “use” in section 2 of PHIPA, which includes “handling or dealing with” the information. The investigator was satisfied that this broad definition aligns with the purpose of MFIPPA, which aims to protect individuals’ privacy regarding their personal information held by institutions.
Armed with this definition of “use,” the investigator concluded that transforming the accessibility of personal information (by encryption of the servers on which it was located) amounted to a “handling of” or “dealing with” that information by the threat actor, even though the threat actor did not access, view, or exfiltrate the information, as similarly decided by the adjudicator in the trilogy decisions. Therefore, the investigator determined that the encryption constituted a “use” within the meaning of the MFIPPA. Since this “use” did not occur within the permitted circumstances set out in MFIPPA, the investigator determined that the use was unauthorized, such that the ransomware attack constituted a privacy breach.
Notification Obligations under the IPC’s Privacy Breach Guidelines vs. PHIPA and CYFSA
The investigator went on to consider whether the Service responded adequately to the breach, having regard to the recommendations in the IPC’s Privacy Breach Guidelines.
Interestingly, despite having found the encryption to be an unauthorized use of personal information resulting in a privacy breach that affected many individuals’ potentially sensitive (i.e., law enforcement-related) personal information, the investigator noted that it was unclear whether the incident posed a “real risk of significant harm” to affected individuals. Accordingly, he remarked that it was “not clear” whether the Service should have notified those individuals in accordance with the IPC’s Privacy Breach Guidelines. This contrasts with the notice requirements considered in the trilogy decisions, as notice obligations under PHIPA and Part X of the CYFSA are not contingent upon a risk-based threshold.
IMPLICATIONS AND KEY TAKEAWAYS
Report MR21-00090 expands the IPC’s interpretation of unauthorized uses of personal information for the purposes of Ontario’s public sector privacy legislation (FIPPA and MFIPPA) to include cases where someone renders personal information inaccessible to the organization authorized to use it, without any evidence of exfiltration of the affected information. In this regard, it reinforces the IPC’s broad approach to interpreting activities that will count as a “use” of personal information for the purposes of privacy legislation under the IPC’s jurisdiction.
Organizations should be mindful of this recent trend in IPC privacy breach jurisprudence if they are governed by any of the statutes under the IPC’s jurisdiction, being MFIPPA, FIPPA, PHIPA, and Part X of the CYFSA. As a proactive step, institutions governed by FIPPA and MFIPPA should seek legal advice regarding whether their breach response policies and procedures are adequate, particularly in how they characterize “uses” of personal information and assess whether reporting and notification duties are triggered. Additionally, organizations that are subject to both FIPPA and PHIPA, such as hospitals, healthcare facilities, and government agencies involved in healthcare delivery, should seek legal advice regarding whether breach notification obligations are triggered by a particular incident, given the differing thresholds under PHIPA and the Privacy Breach Guidelines.
Organizations in the private sector should also be mindful of these developments in the IPC’s breach jurisprudence, as they may influence what is considered a privacy breach under private sector privacy legislation. Additionally, private sector organizations that contract with public sector entities can expect to see changes in the breach-related obligations that are incorporated in those contracts.
The author would like to thank articling student Helen Wang for her assistance in preparing this insight.
For more information on this topic, please contact Jaime Cardy or other members of the Dentons Privacy and Cybersecurity group.