File path information, network security and FOI

On March 7, 2025, the Saskatchewan Court of King’s Bench affirmed the withholding of file path information from a requester who sought the information under Saskatchewan’s provincial freedom of information statute.

The Court described the information as “file path addresses/links and barcodes within the documents that describe the process of accessing information/data stored in specific databases on a computer system.”

Notably, the institution relied on the class-based exemption for information with proprietary value. Proof of a non-speculative risk of harm is not required to invoke this exemption, but case law in Saskatchewan and Ontario narrows the class to information with “inherent monetary value” and a proprietary character (in my words). The Court held that the exception applied based on an affidavit that stated that granting access would provide, “an instruction manual for any person with access to SHA’s systems to quickly and effectively identify and access locations on SHA’s systems that contain sensitive personal and personal health information and other sensitive security information…”

In 2023, the IPC/Ontario rejected a claim made by the Ontario Ministry of Health that file path information was exempt from the right of access because the Ministry failed to prove a non-speculative risk of harm. It commented, “I do not accept that disclosure of the file path information (the location of a specific document in the ministry’s computer system) could reasonably be expected to compromise the security of the ministry’s computer system or allow unauthorized individuals to infiltrate the ministry’s computer systems. The ministry has not adequately explained how this information could be used to access the ministry’s computer system by an individual who is not a ministry employee.”

I’ve underlined the text above to highlight the flaw in the Ministry’s argument—though, to be fair, it was addressing only two lines of file path information. It is difficult to conceive how file path information could be used to compromise a network. However, one can easily see how such information could assist a malicious actor in quickly locating valuable data within a network. File path information should be exempt, and the new Saskatchewan case will help make that argument. It’s a particularly good case because it rests on a class-based exemption and not a more circumstantial harms-based exemption.

Note that the IPC/Ontario has withheld other information about a network to protect it from malicious actors. See Ontario Lottery and Gaming Corporation (Re), 2016 CanLII 85802 (ON IPC), <https://canlii.ca/t/gw1g6>, retrieved on 2025-09-23.

Schiller v Saskatchewan Health Authority, 2025 SKKB 37 (CanLII), <https://canlii.ca/t/kb2fh>, retrieved on 2025-09-23.

Critical Cyber Systems Protection Act is back – seven points for designated operators

It is no surprise that the federal government has brought back its federal critical infrastructure cyber security bill, a bill labeled C-8 that will enact the Critical Cyber Systems Protection Act. When the prior government first proposed this law in 2022 as bill C-26, its stated objective was to “address longstanding gaps” in its ability to protect systems and services of national importance. Industry is generally onside, mobilized by the 2021 ransomware attack against Colonial Pipeline that highlighted the fragility of North American supply chains.

The CCSPA – which will apply to “designated operators” of federally regulated critical cyber systems – has come back in much the same form as introduced with Bill C-26. In lieu of providing a summary of the entirety of Bill C-8, here are seven points for designated operators to consider.

  1. The CCSPA will be framework legislation with very limited substance or clear guidance. Designated operators can assess only the high-level requirements relating to cyber security program establishment, implementation and maintenance, with the required substance of cyber security programs likely to be dealt with in detail by regulation.
  2. The “critical cyber system” definition will delineate the scope of obligations, and is very broad: “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.” The words “could affect” establish a low criticality threshold. In its current form, Bill C-8 likely encompasses control systems and a wide range of other systems.
  3. It appears that designated operators will be permitted to prioritize and schedule their risk mitigation commitments, with the exception of risk mitigation commitments relating to supply chain risks. Bill C-8 prioritizes supply chain risks by stipulating that designated organizations must take steps to mitigate such risks “as soon as” they are identified. This distinction does not appear to be risk-based, nor is the rationale clear.
  4. Incident reporting (to the Communications Security Establishment) is to be done within 72 hours, presumably of validation. The incident definition, however, is broad: “an incident, including an act, omission or circumstance, that interferes or may interfere with… the continuity or security of a vital service or vital system… or the confidentiality, integrity or availability of the critical cyber system.” Operationalizing an obligation to report an occurrence that “may” have an impact will be difficult. Designated operators will struggle to distinguish between the many immaterial “cyber events” – e.g., alerts and false positive reports – that they identify and cyber incidents that must be reported. Designated operators may also rush to report and over-report given the Bill does not contemplate a period of assessment or investigation.
  5. The government’s power to issue binding directions is broad, and not expressly constrained by pre-conditions such as necessity or reasonableness. There is no requirement to consult with designated operators about potential operational impact or other concerns prior to or after issuing a direction, nor will directions be subject to the same vetting process that applies to regulations under the Statutory Instruments Act.
  6. Designated operators may seek judicial review of directions by applying to Federal Court. In one of the few changes implemented with Bill C-8, the government has (positively) removed provisions that contemplated the hearing of these review applications ex parte and in camera.
  7. Like its predecessor, Bill C-8 provides for government use and disclosure of information provided by designated operators and, to protect the security and business interests of designated operators, deems certain information confidential. The question is whether the balance struck by the Bill is proper and fair to designated operators given the sharing allowances in the Bill are broad.

Government is legitimately concerned with the need for a responsive regime that encourages the protection of critical infrastructure from adversaries, though there are legitimate and important questions for critical infrastructure owners and operators to consider about whether Bill C-8 strikes an appropriate balance.