Ontario (M)FIPPA institutions, file encryption, and breach notification – a hint

As most of you know, the Ontario IPC released four decisions in the summer relating to breach reporting and notification obligations under PHIPA and the CYSFA. One controversial finding (which is subject to a judicial review application) is that the encryption of files by ransomware actors triggers an unauthorized use and a loss of personal and personal health information. Given there is no risk-based threshold for reporting and notification in PHIPA, custodians and service providers must report and notify in respect of this particular kind of breach, even if the threat actors have not stolen or laid eyes on information.

Leaving legal analysis aside, I’ll say that this is odd policy that has led to odd questions about who is affected by file encryption. Do we really care? Does this have any meaning to “affected” individuals?

The negative impact is that it threatens the clarity of communications about matters that institutions need to communicate clearly: “Yes, there’s been a privacy breach, but the threat actor(s) didn’t steal or view your information. And information has been ‘lost,’ but not lost as in ‘stolen.’” 🤦🏽‍♂️

One can honestly question whether there is any public good in this garble. The IPC has lobbied for cyber incident reporting, which this interpretation of PHIPA and the CYFSA effectively achieves. Cyber incident reporting should be brought in properly, through legislation, and leave out the notification obligation.

But how far does the finding extend?

The four decisions released in the summer left a question about how the encryption finding would apply to MFIPPA and FIPPA institutions, which are encouraged (but not yet legally required) to report and notify based on the “real risk of significant harm” standard. This standard will become a legal imperative when the provisions of Bill 194 come into force.

On December 10, the IPC issued a privacy complaint report that addressed file encryption at an MFIPPA institution and (in qualified terms) held that notification was not required. Mr. Gayle explained:

As the affected personal information remains encrypted and the police’s investigation found no evidence of exfiltration, it is not clear whether the breach “poses a real risk of significant harm to [these individuals], taking into consideration the sensitivity of the information and whether it is likely to be misused”. As such, it is not clear whether the police should have given direct notice of the breach to affected individuals in accordance with the IPC’s Privacy Breach Guidelines.

However, I am mindful of the fact that the police provided some notice to the public about the extent of the ransomware attack, and of the investigative and remedial steps they took to address it. I am also mindful of the fact that the breach occurred more than three years ago.

For these reasons, I find that it would serve no useful purpose in recommending that the police renotify affected individuals of the breach in accordance with the IPC’s Privacy Breach Guidelines and, as a result, do not need to decide whether the breach in this case met the threshold of “real risk of significant harm to the individual”.

This is helpful guidance, and should allow MFIPPA and FIPPA institutions to respond to matters with the clearest possible communication.

Sault Ste. Marie Police Services Board (Re), 2024 CanLII 124986 (ON IPC).

Experts, privilege and security incident response

I’d encourage you to read David Fraser’s blog post from last weekend – The value of legal privilege: Your diligent privacy consultant may become your worst enemy.

David’s basic point is sound: structuring a security or privacy expert retainer to support a privilege claim can prevent your own expert’s advice from being used against you. Most often this is done by having legal counsel retain an expert in anticipation of litigation and for the dominant purpose of litigation, with instructions and conclusions going strictly between counsel and expert.

David explains a scenario in which an organization retained an expert to advise on some form of due diligence connected to a subsequent security incident. The expert was apparently quite candid in its written advice, outlining a security problem that amounted to what David compares to a “dumpster fire.” The organization responded partly but not wholly to the expert’s recommendations. That expert’s report will therefore become, as David says, the plaintiff’s Exhibit A.

Being faced with your own expert’s advice is very bad, hence the soundness of David’s point. My additional point: legal privilege is no solution to a bad client-counsel-expert relationship.

The views on what is a reasonable investigation or remediation in the data security context can vary widely between equally qualified experts. Too often, perhaps driven by conflicting interests, security experts recommend what’s possible rather than what is “due.” A breach coach can help address this problem, identifying trusted experts and working with them to reach a shared and acceptable understanding of the due diligence required in responding to a security incident. With such a relationship, departing from an expert’s recommendations (even though they are privileged) represents a real and meaningful risk. The facts – i.e., the things done based on an expert’s recommendations – are never privileged. If litigation ensues, those facts will be picked apart by other experts, and you want the good ones to view the facts the same way as you and your trusted advisor.

Experts that are prone to floating long lists of options need to be retained under privilege because they are dangerous, but even under privilege their advice is worth little. The prescription: do everything you can to build a great client-counsel-expert relationship. Use a breach coach. Keep a roster of trusted experts on retainer. Don’t use experts retained for due diligence advice to do the very remedial work they recommend.