The Information and Privacy Commissioner of Ontario ("IPC") recently issued four landmark decisions that impose sweeping notification requirements in respect of ransomware attacks and email account compromise incidents.
In three of the decisions, the IPC adjudicator found that notification to individuals is required where information is rendered inaccessible to an organization because of ransomware encryption, even if the attacker does not exfiltrate, access or view the information and the information is later restored by the organization. In the fourth decision, the IPC adjudicator found that notification to individuals is required where an attacker gains access to an email account containing personal information and the organization cannot rule out the possibility that the attacker viewed information in the account.
In this bulletin, we review the IPC decisions and discuss the implications of the decisions for organizations in Ontario and across Canada.
Background
The IPC decisions arose pursuant to Ontario's Personal Health Information Protection Act ("PHIPA") and Child, Youth and Family Services Act ("CYFSA").
Entities subject to PHIPA are required to notify individuals "at the first reasonable opportunity" if personal health information is "stolen or lost or if it is used or disclosed without authority." Entities subject to CYFSA are subject to the same requirement in respect of breaches of personal information collected for the purpose of providing a service pursuant to that law.
Neither PHIPA nor CYFSA includes a harm-based threshold for notification. In other words, unlike the Personal Information Protection and Electronic Documents Act ("PIPEDA") and other laws, which require notification to individuals only where a breach creates a "real risk of significant harm", notification under PHIPA and CYFSA is required in every instance where the applicable information is "stolen or lost or if it is used or disclosed without authority."
Ransomware Decisions
PHIPA Decisions 253 and 254 and CYFSA Decision 19 involved cybersecurity attacks where information was encrypted with ransomware.
In the two PHIPA decisions, the IPC adjudicator determined that a ransomware encryption attack that made "personal health information unavailable and inaccessible to authorized users of that information" constituted "handling" or "dealing with" the information, and therefore an unauthorized "use" of it. 1 The adjudicator noted that this unauthorized "use" is established "whether or not the threat actor actually views or accesses specific files of personal health information held within the affected containers, or exfiltrates that information [...]." 2
The adjudicator also concluded that there was a "loss" of personal health information triggering the duty to notify, on the basis that, as a result of the ransomware encryption, the "information is made unavailable to the authorized user of that information because of an unauthorized activity." 3 The adjudicator distinguished ransomware attacks from "other routine or non-routine disruptions" such as scheduled software or hardware maintenance or a power outage. 4
The adjudicator further held that neither the recovery of the encrypted information following the payment of ransom for the decryption key, nor the restoration of the information from backups, negates the fact that there had been a "loss" and unauthorized "use" of personal health information as a result of the attack. 5
In both PHIPA decisions, the adjudicator determined that the organizations' public communications about the incidents did not technically comply with PHIPA's notification obligation because they did not include a statement that individuals had a right to complain to the IPC (and in PHIPA Decision 254 the organization's statements fell short in other respects). 6 However, in both cases, the adjudicator concluded that no useful purpose would be served by ordering that further notification be given. 7
CYFSA Decision 19 addressed a ransomware encryption incident against a social services organization involving the personal information of minors collected pursuant to CYFSA. Following the reasoning above, the adjudicator determined that the encryption constituted an unauthorized "use" and "loss" that triggered a duty to notify pursuant to CYFSA. However, the adjudicator adopted a flexible approach to notification, in part because more than two years had passed since the incident. The adjudicator ordered that the organization could provide indirect notification of the breach "through means such as posting a notice on its website or issuing a public release". 8
Email Account Compromise Decision
PHIPA Decision 255 involved unauthorized access to an employee email account containing unencrypted personal health information for a period of one hour.
The organization was able to demonstrate that the attacker did not use the account to download emails or to send or forward any emails. However, the organization acknowledged that it was not possible to know whether the attacker searched the inbox, or viewed or opened the emails in the account containing personal health information. On this basis, the IPC adjudicator concluded that, on a balance of probabilities, the attack involved an unauthorized "disclosure" and "use" of personal health information requiring notification to individuals pursuant to PHIPA. 9
In addition, while the respondent organization had notified individuals in this case, the adjudicator held that the organization failed to meet its obligation to do so "at the first reasonable opportunity" as the notices were sent a year after the incident. 10
Conflict with Existing Practices
The IPC decisions are at odds with the practices of many organizations. For example, in ransomware cases where information is not viewed or taken by the attacker but is merely encrypted by the ransomware program, and is later recovered through decryption or from backups, many organizations consider that there has been no "loss" or unauthorized "use" of the information triggering notification to individuals; rather, the information was only temporarily inaccessible.
In addition, PHIPA Decision 255 suggests that where there is a potential breach of personal health information because the organization is not able to rule out the possibility that information was viewed by an attacker or other unauthorized individual, organizations must nonetheless treat that as a breach and notify individuals accordingly. This is inconsistent with the practices of many organizations. Moreover, the IPC's rationale could seemingly be applied to any scenario, not just email compromise cases, where: (a) an unauthorized individual is able to access personal information; and (b) the organization cannot rule out the possibility that the personal information was accessed.
Implications of the Decisions
All organizations subject to PHIPA and CYFSA should be mindful of the IPC's expansive interpretation of when the obligation to notify individuals is triggered under those laws, particularly in respect of ransomware and email compromise incidents. Where possible, such organizations should seek to gather and preserve evidence during incident response (for example, records showing what the attacker did or did not access, view or take) that distinguishes the incidents they experience from the facts of the IPC decisions.
Also, organizations subject to PHIPA and CYFSA should not assume that the IPC will adopt a flexible approach to notifications in future. While the IPC was prepared to adopt a flexible approach in the cases discussed above, particularly given that years had passed since the incidents in question, the IPC plainly expects, and PHIPA requires, that notification be made in the prescribed manner "at the first reasonable opportunity".
Beyond PHIPA and CYFSA, it remains to be seen whether the above IPC decisions may influence other Canadian privacy regulators' interpretation of when a privacy breach is considered to occur. 11 Most Canadian privacy laws applicable to the private sector, public sector, and health sector, including PIPEDA, contain privacy breach notification provisions. The definition of when a breach occurs under such statutes is similar to the definition under PHIPA and CYFSA. Organizations should anticipate the possibility that the IPC decisions may influence other regulators to expansively interpret the circumstances that qualify as a breach. In their investigation and response to incidents, organizations should seek to identify facts that will help distinguish such incidents from those addressed in the IPC decisions.
On the other hand, it should be noted that, unlike PHIPA and CYFSA, almost all privacy laws in Canada, including Ontario's proposed amendments to its public sector privacy law, include a harm-based threshold for determining whether an organization must notify individuals about a breach. Under PIPEDA and other statutes, for example, a breach must give rise to a "real risk of significant harm", or meet a similar threshold, before organizations are required to notify individuals. This threshold may limit the extent to which other Canadian privacy regulators are influenced by the IPC decisions. However, given that the IPC decisions expansively interpret what qualifies as a breach, organizations should obtain legal advice in determining whether notification is required under privacy laws that include a harm-based threshold. This determination could have a very significant impact on the scope of notifications, if any, that may be needed in a given case. Privacy breach plans and incident response plans should be updated in light of the above.
Footnotes
1. PHIPA Decision 253 at para 40. See also PHIPA Decision 254 at para 29.
2. Ibid at para 42. See also PHIPA Decision 254 at para 30.
3. Ibid at para 50. See also PHIPA Decision 254 at para 36.
4. Ibid at para 51. See also PHIPA Decision 254 at para 37.
5. Ibid at paras 36 and 49. See also PHIPA Decision 254 at para 36.
6. Ibid at para 65; PHIPA Decision 254 at para 48.
7. Ibid at para 65; PHIPA Decision 254 at para 49.
8. CYFSA Decision 19 at para 75.
9. PHIPA Decision 255 at para 25.
10. Ibid at paras 58-59.
11. The determination that a breach has occurred will trigger record-keeping obligations in a number of Canadian privacy laws, including PIPEDA. As discussed below, whether notification and reporting obligations are triggered will depend on a harm-based threshold under most Canadian privacy laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.