I’m working through a reading pile today, and will note briefly that the Saskatchewan IPC has issued a report about the Edge Imaging cyber incident from earlier this year, which affected a number of Ontario school boards.
It was an atypical incident. Edge Imaging used a subcontractor called Entourage Yearbooks to store and process school yearbook photos. A threat actor accessed an Entourage AWS server, downloaded and deleted photos and held them for ransom. Edge ultimately reported to its school board/division clients that Entourage, “reported that they secured the return of all the Canadian photo files from the threat actors, along with their commitment that the photo files have been deleted, and were not distributed.”
The Saskatchewan IPC report deals with whether the photos contained personal information, whether the affected school divisions met their duty to notify, and whether the service providers investigated reasonably, and whether the affected school divisions took appropriate protective steps in light of the incident. It is very cursory. The matter is simply a reminder about outsourcing risks, which school boards need to manage. The Ontario IPC updated its guidance earlier this year – see Privacy and Access in Public Sector Contracting with Third Party Service Providers.
All About Information 