Alberta OIPC finds Blackbaud incident gives rise to RROSH

Hat tip to my good colleague Francois Joli-Coeur, who let our group know yesterday that the OIPC Alberta has issued a number of breach notification decisions about the Blackbaud incident, finding in each one that it gave rise to a “real risk of significant harm” that warrants notification and reporting under Alberta PIPA.

Blackbaud, a cloud service provider to organizations engaged in fundraising, suffered a ransomware incident last spring in which hackers exfiltrated the personal information of donors and educational institution alumni. The true scope of the incident is unknown, but it is likely large, affecting millions of individuals across the globe.

Blackbaud issued notably strong communications that de-emphasized the risk of harm. Its reassurance rested primarily on the payment of a ransom, assurances by the threat actors that they would delete all data in exchange for payment, and its ongoing dark web searches. Most affected institutions (Blackbaud clients) notified anyway.

On my count the OIPC issued seven breach notification decisions about the incident late last year, each time finding a “real risk.” In a decision involving an American college with donors or alumni in Alberta, the OIPC said:

In my view, a reasonable person would consider the likelihood of significant harm resulting from this incident is increased because the personal information was compromised due to a deliberate unauthorized intrusion by a cybercriminal. The Organization reported that the cybercriminal both accessed and stole the personal information at issue. The Organization can only assume that cybercriminal did not or will not misuse, disseminate or otherwise make available publicly the personal information at issue.

This is not surprising, but tells us how the OIPC feels about the assurance gained from paying a ransom to recover stolen data.

See e.g. P2020-ND-201 (File #017205).

Case Report – Appeal Court interprets Alberta PIPA time limit

On January 27th, a majority of the Alberta Court of Appeal held that the time limit for completing an inquiry or giving notification of a time extension in Alberta PIPA is mandatory, but that non-compliance does not necessarily result in a loss of jurisdiction.

Section 50(5) of Alberta PIPA establishes a time limit for completing an inquiry in the following language:

50(5) An inquiry into a matter that is the subject of a written request referred to in section 47 must be completed within 90 days from the day that the written request was received by the Commissioner unless the Commissioner

(a) notifies the person who made the written request, the organization concerned and any other person given a copy of the written request that the Commissioner is extending that period, and

(b) provides an anticipated date for the completion of the review.

The majority, in a judgment written by Watson J., held that the decision to extend (and notice of the same) must be given before the expiration of the 90-day time period and that the time period is mandatory rather than directory. The majority also held, however, that loss of jurisdiction does not flow from non-compliance if there has been (my emphasis):

(a) substantial consistency with the intent of the time rules having regard to the reason for the delay, the responsibility for the delay, any waiver, any unusual complexity in the case, and whether the complaint can be or was resolved in a reasonably timely manner, and

(b) that there was no prejudice to the parties, or, alternatively, that any prejudice to the parties is outweighed by the prejudice to the values to be served by PIPA.

Berger J. dissented. He held that the time limit was directory and also took issue with the Applicant’s failure to raise a timely objection before the Commissioner.

This has obvious practical significance to the Alberta OIPC and Alberta practitioners. (Alberta FIPPA has a similar time limit.) It is also a significant administrative law decision on the mandatory/directory point that only a lawyer could love. Commissioner Work says he will appeal.

Hat tip to David Fraser. For his Slaw post that includes the relevant context, see here.

Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner), 2010 ABCA 26 (CanLII).