30 April 2025

Ransomware Encryption Of Personal Information Can Be A Privacy Breach

Rosen Sunshine LLP


Introduction

A recent Privacy Complaint (MR21-00090) before the Information and Privacy Commissioner of Ontario (IPC) expanded the scope of what will be considered a privacy breach for Ontario public sector bodies. Privacy breaches are generally categorized as unauthorized collection, disclosure or use of personal information or personal health information ("PI" or "PHI"). In the context of privacy law, "use" generally means "viewing", "accessing", "handling", or "dealing with" PI or PHI. This recent IPC case, which involved a ransomware attack, expanded the scope of privacy breaches for public sector bodies by applying an expansive interpretation to "unauthorized use."

Ransomware Attack at Sault Ste. Marie Police

The Sault Ste. Marie Police Services (the "Police") reported to the IPC that their network servers were infected with ransomware and that PI stored on data drives on the servers was encrypted. The Police took steps to contain, investigate, remediate and inform residents about the ransomware attack. However, the Police did not believe that the attack was a privacy breach because, while the attacker had locked the Police out of these records, the attacker did not obtain or exfiltrate any of the records.

IPC Investigation

The complaint moved to the investigation stage of the IPC's complaint process because the IPC had concerns about the Police's response to the attack and its internal protocols. The investigator looked at two main issues: (1) whether the Police responded adequately to the breach of PI; and (2) whether the Police had reasonable measures in place to prevent unauthorized access to records.

(1) Did the Police respond adequately to the privacy breach?

The Police reported the ransomware attack to the IPC. However, in the Police's view, the attack did not result in a privacy breach under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) because the affected personal information was only encrypted and was not obtained or exfiltrated by the attacker.

The IPC investigator disagreed with this position. While MFIPPA does not define "use", section 31 prohibits the use of PI except in the circumstances set out in that section. Any "use" occurring outside of the circumstances in section 31 would be considered unauthorized use under MFIPPA.[1] The investigator noted that a broad definition of "use" as "to view, handle or otherwise deal with information" is consistent with the scheme and objective of MFIPPA. The investigator concluded that transforming the accessibility of personal information (by encrypting the servers on which the PI was located) meant that the attacker "handled" or "dealt with" PI, even though the attacker did not access, view, or exfiltrate the information. Therefore, there was unauthorized use of PI.

In terms of the Police responding adequately to the breach, the investigator was satisfied with the steps taken by the Police to contain the breach,[2] and to notify the public and those involved in the breach.[3]

The investigator acknowledged that the Police took some steps to investigate and remediate the breach.[4] However, the investigator was not fully satisfied with the steps taken by the Police to investigate and remediate the privacy breach. The Police did not review their internal policies and practices for protecting personal information because they did not believe that a privacy breach had occurred. The investigator recommended that the Police conduct a post-breach internal review of their policies and practices for protecting PI to determine whether changes were needed and whether there were lessons learned.

(2) Did the Police have reasonable measures in place to prevent unauthorized access to PI?

The investigator found that the Police had measures in place relating to information security, accountability, and ransomware protection. However, the investigator was not satisfied that there were reasonable measures in place to prevent unauthorized access to records, and recommended that the Police review their training materials to ensure that they had measures in place to prevent unauthorized access to records.

Key Takeaways

This decision is significant because the IPC expanded its interpretation of unauthorized use. Unauthorized use now includes situations where an attacker encrypts drives where personal information is stored, even if personal information is not directly accessed or exfiltrated.

Institutions, organizations, and other entities governed by privacy legislation such as MFIPPA or the Personal Health Information Protection Act, 2004 (PHIPA) should review their internal policies and procedures for maintaining privacy, and appropriately train staff and agents, to ensure there are reasonable measures in place to prevent unauthorized access or use. They should also review their privacy breach protocol to ensure it complies with the IPC's expectations to adequately contain the breach, notify those affected, and investigate and remediate the privacy breach.

Footnotes

1. Notably, the definition of "use" is set out in section 2 of the Personal Health Information Protection Act, 2004 (PHIPA) as, "in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or otherwise deal with the information..."

2. For example, the Police shut down their network services and restricted access to them. The Police worked with law enforcement and other parties to investigate the attack, rebuild and repair their IT infrastructure, and replace their network servers, etc.

3. For example, the Police issued a news release which gave notice of a virtual ransomware attack on their systems, and made the meeting minutes of the Police board meeting publicly available.

4. For example, the Police used certain techniques to investigate the ransomware attack, including its origin, and took steps such as purchasing new network systems, changing their public-facing IP address, and putting in place cloud-based tools to ensure reliability and that they remain operational in the event of an attack. The Police trained staff and simulated attacks, and delivered training material through online learning modules.
