Tag: data security

File path information, network security and FOI

On March 7, 2025, the Saskatchewan Court of King’s Bench affirmed the withholding of file path information from a requester who sought the information under Saskatchewan’s provincial freedom of information statute.

The Court described the information as “file path addresses/links and barcodes within the documents that describe the process of accessing information/data stored in specific databases on a computer system.”

Notably, the institution relied on the class-based exemption for information with proprietary value. Proof of a non-speculative risk of harm is not required to invoke such this exemption, but case law in Saskatchewan and Ontario narrows the class to information with “inherent monetary value” and a proprietary character (in my words). The Court held that the exception applied based on an affidavit that stated that granting access would provide, “an instruction manual for any person with access to SHA’s systems to quickly and effectively identify and access locations on SHA’s systems that contain sensitive personal and personal health information and other sensitive security information…”

In 2023, the IPC/Ontario rejected a claim made by the Ontario Ministry of Health that file path information was exempt from the right of access because the Ministry failed to prove a non-speculative risk of harm. It commented, “I do not accept that disclosure of the file path information (the location of a specific document in the ministry’s computer system) could reasonably be expected to compromise the security of the ministry’s computer system or allow unauthorized individuals to infiltrate the ministry’s computer systems. The ministry has not adequately explained how this information could be used to access the ministry’s computer system by an individual who is not a ministry employee.”

I’ve underlined the text above to highlight the flaw in the Ministry’s argument—though, to be fair, it was addressing only two lines of file path information. It is difficult to conceive how file path information could be used to compromise a network. However, one can easily see how such information could assist a malicious actor in quickly locating valuable data within a network. File path information should be exempt, and the new Saskatchewan case will help make that argument. It’s a particularly good case because it rests on a class based exemption and not amore circumstantial harms based exemption.

Note that the IPC/Ontario has withheld other information about a network to protect it from malicious actors. See Ontario Lottery and Gaming Corporation (Re), 2016 CanLII 85802 (ON IPC), <https://canlii.ca/t/gw1g6>, retrieved on 2025-09-23.

Schiller v Saskatchewan Health Authority, 2025 SKKB 37 (CanLII), <https://canlii.ca/t/kb2fh>, retrieved on 2025-09-23.

BC arbitrator finds privacy violation arises out of employer investigation

On October 31, British Columbia labour arbitrator Chris Sullivan awarded $30,000 to a union based on a finding that an employer unnecessarily investigated statements made by a union president in a video that the union claimed to be confidential. He based this award on a breach of the anti-union discrimination provision in the Collective agreement, the union interference provision in the BC Labour Relations Code, and a breach of the BC Freedom of Information and Protection of Privacy Act.

The union posted the video on YouTube without password protection. The union president testified, “that he first attempted to use the private setting for posting videos to the website, but this proved difficult to use as he had to manually enter a great deal of information in order to utilize this setting.” He posted the video openly, but rendered it unsearchable, and posted a confidentiality warning on the YouTube account and embedded a confidentiality warning in the video. The latter warning stated, “[this] video content is considered confidential and intended solely for ATU members.”

A union member leaked the URL for the video to someone in management who did not wish to be identified, who in turn reported the video to another member of management, stating, “you should check this out, it goes against what you are trying to build at transit.” That manager used the URL to watch the video and make a copy, ultimately disciplining the president for what he said in the video (later settling for a without prejudice disciplinary withdrawal). When the union demanded the employer destroy its copy, the employer asserted that it had obtained the video from a union member and that it was searchable on YouTube, both proven to be incorrect.

The crux of Arbitrator Sullivan’s finding is that the employer had no basis for investigating. He said:

Mr. Henegar had received only the Post-it note, followed by a conversation, with a supervisor/manager of the Employer, who did not want their identity revealed. On its own terms, the Employer’s Harassment and Respectful Workplace Policy was not engaged against Mr. Neagu, as no formal complaint was ever made against him, nor was he provided with any details of a complaint including the identity of a complainant as is required by that Policy. Mr. Neagu’s comments as Local Union President in the YouTube Video did not warrant an Employer investigation on any reasonable basis.

The employer and union had agreed that the video contained the union president’s personal information, so it followed from the above finding that the employer had collected the video in breach of FIPPA given the collection was not “necessary.”

This was a debacle. If the employer had watched the video and stopped I suspect it would have been found to be blameless. (Recall that it withdrew its disciplinary charge in a without prejudice settlement that had a plainly prejudicial impact on the outcome.) There were also too many other bad facts that bore upon the employer, including the fact it did not (or felt it could not) disclose the identity of the management employee who raised the video as a concern, and the facts that showed its entire premise for proceeding with investigation and discipline was flawed – my reading of the facts, not that of Arbitrator Sullivan, who held that management’s assertions were intentionally dishonest.

I don’t like this privacy finding for two reasons. First, having not seen the video, I question whether a speech from a union president to union members contains the president’s personal information. Second, Arbitrator Sullivan affirmed the president’s expectation of privacy despite the president’s election not to secure the video through the best means possible. As those who follow this blog know, I’m a fan of using the waiver/abandonment doctrine to incentivize good security practices and hold users accountable for bad security practices. That was not done in this case, though Arbitrator Sullivan’s affirmation was obiter.

The damages award is large for a privacy case, but it was driven by a finding that the employer engaged in a serious interference with union rights.

Corporation of The District of West Vancouver v Amalgamated Transit Union, Local 134, 2024 CanLII 124405 (BC LA)

Saskatchewan IPC issues report on Edge imaging incident

I’m working through a reading pile today, and will note briefly that the Saskatchewan IPC has issued a report about the Edge Imaging cyber incident from earlier this year, which affected a number of Ontario school boards.

It was an atypical incident. Edge Imaging used a subcontractor called Entourage Yearbooks to store and process school yearbook photos. A threat actor accessed an Entourage AWS server, downloaded and deleted photos and held them for ransom. Edge ultimately reported to its school board/division clients that Entourage, “reported that they secured the return of all the Canadian photo files from the threat actors, along with their commitment that the photo files have been deleted, and were not distributed.”

The Saskatchewan IPC report deals with whether the photos contained personal information, whether the affected school divisions met their duty to notify, and whether the service providers investigated reasonably, and whether the affected school divisions took appropriate protective steps in light of the incident. It is very cursory. The matter is simply a reminder about outsourcing risks, which school boards need to manage. The Ontario IPC updated its guidance earlier this year – see Privacy and Access in Public Sector Contracting with Third Party Service Providers.

Edge Imaging (Re), 2024 CanLII 90510 (SK IPC).

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

  • A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
  • Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

Where’s that workplace surveillance bill? More thoughts pending its release

It’s Friday at 4:20pm and I don’t see an Ontario workplace surveillance bill yet, so here are a couple more thoughts – one positive, one negative and one neutral.

Positive – Organizations ought to employ “information technology asset management” – a process for governing their network hardware and software. Those organizations with strong asset management practices will have little difficulty identifying how employees are “monitored.” For those who are weak asset managers, the new bill is an invitation to improvement and rooting out unmanaged applications.

Negative – As I said yesterday, the devil will be in the detail, and the scope of the “monitoring” that is regulated will be key. Monitoring must be defined in a way that does not affect non-routine processes – i.e., audits and investigations. Those raise a different kind of privacy concern, and a notification requirement shouldn’t frustrate an organization’s ability to investigate.

Neutral – Organizations typically keep security controls confidential to protect against behavior we call “threat shifting” – the shifting of tactics to circumvent existing, known controls. I’m doubtful the type of disclosure the bill will require will create a security risk, but it’s an issue to consider when we see the text.

Bring on the bill!

Cyber class action claims at an inflection point

Yesterday, I happily gave a good news presentation on cyber claims legal developments to an audience of insurance defence lawyers and professionals at the Canadian Insurance Claims Managers Association – Canadian Independent Adjusters’ Association – Canadian Defence Lawyers joint session.

It was good news because we’ve had some recent case law developments create legal constraints on pursuing various common claims scenarios, namely:

  • The lost computer, bag or other physical receptacle scenario – always most benign, with notification alone unlikely to give rise to compensable harm, a trial judgement looking positively at a one year credit monitoring offer and proof of causation of actual fraud a long shot at best
  • The malicious outsider scenario – for the time being looking like it will not give rise to moral damages that flow from an intentional wrong (though this will be the subject of an Court of Appeal for Ontario hearing soon in Owsianik)
  • The malicious insider scenario – partly addressed by a rather assertive Justice Perell finding in Thompson

We’re far from done yet, but as I say in the slides below, we’re at the early stages of an inflection point. I also give my cynical and protective practical advice – given the provable harms in the above scenarios flow mainly from the act of notification itself, notify based on a very strong analysis of the facts and evidence; never notify because there’s a speculative risk of unauthorized access or theft​. Never a bad point to stress.

Cyber security for the regulator and regulated

On Monday I addressed an audience a the Ontario Regulatory Authorities continuing professional development conference on the topic of cybersecurity. It was a good chance to record an updated and concise view of the Canadian threat environment along with the cyber defence and incident response issues facing Canadian organizations. Here are the slides for your reading pleasure.

Cybersecurity governance and the empowerment of corporate leadership

I had the honour of presenting on cybersecurity oversight today at the Association of Workers’ Compensation Boards of Canada annual Governance Summit. The theme ended up being about leadership and empowerment. I’d like board members to believe that the information security knowledge they require to meet their duties is well within their grasp and to feel a little excited about the learning process. Slides below FYI.

Manitoba Ombudsman blesses response to e-mail incident

Manitoba Ombudsman Jill Perron has issued her report into Manitoba Families’ 2020 e-mail incident. The incident involved the inadvertent e-mailing of personal health information belonging to 8,900 children in receipt of disability services to approximately 100 external agencies and community advocates. It is such a common incident that it is worth outlining the Ombudsman’s incident response findings.

Manitoba Families meant to transfer the information to the Manitoba Advocate for Children and Youth to support a program review. It included information about services received. Some records included diagnoses.

Manitoba Families mistakenly blind copied the external agencies and advocates on an e-mail that included the information in an encrypted file and a follow-up e-mail that included the password to the file. It had made the same mistake about a week earlier. Several agencies alerted Manitoba Families to its error, and it began containment within a half hour.

The Ombudsman held that Manitoba Families’ containment effort was reasonable. She described it as follows.

Attempts at recalling the email began minutes later at 8:29 a.m. and continued at various intervals. Also, at 8:35 a.m., CDS sent an email to all unintended recipients noting in bold that they were incorrectly included on a confidential email from Children’s disAbility Services and requested immediate deletion of the email and any attachments. Follow up calls to the unintended recipients by CDS program staff began to occur that morning to request deletion of the emails and a list was created to track these calls and the outcomes. A communication outline was created for these calls which included a request to delete emails, a further request that emails be deleted from the deleted folder and that any emails that went to a junk email folder also be deleted…

In January 2021, we received additional written communication from the program stating that all agency service providers and advocates were contacted and verified deletion of the personal health information received in error. The log form created to track and monitor the name of the organization, the date and details of the contact was provided to our office.

The Ombudsman reached a similar finding regarding Manitoba Families’ notification effort, though she needed to recommend that Manitoba Families identify the agencies and advocates to affected individuals, which Manitoba Families agreed to do upon request.

What’s most significant – especially given class action proceedings have been commenced – is a point the Ombudsman made about evidence that Manitoba Families appears not to have gathered.

In addition to assuring families about the deletion of the email, additional information such as who viewed the email, if the attachment was opened and read, whether it was forwarded to anyone else or printed, whether it was stored in any other network drive or paper file or, conversely, that no records exist – can be helpful information to provide those affected by a privacy breach. It is best practice, therefore, to provide families with as much assurance as possible about the security of their child’s health information.

The question is, what is one to make of an arguable shortcoming in an incident response investigation? I say “arguable” because the probability of any of these actions occurring is very low in the unique circumstances of this incident, which involved trusted individuals receiving a password-protected and encrypted file. Manitoba Families ought to have collected this evidence because they called the e-mail recipients anyway, it is helpful and was probably available for collection. If it did not do so, however, I believe it is perfectly acceptable to for Manitoba Families to stand by the scope of a narrower investigation and and put the plaintiff to proof.

PHIA Case 2020-1304

The Five Whys, the discomfort of root cause analysis and the discipline of incident response

Here is a non-law post to pass on some ideas about root cause analysis, The Five Whys, and incident response.

This is inspired by having finished reading The Lean Startup by Eric Ries. It’s a good book end-to-end, but Ries’ chapter on adaptive organizations and The Five Whys was most interesting to me – inspiring even!

The Five Whys is a well-known analytical tool that supports root cause analysis. Taichii Ohno, the father of the Toyota Production System, described it as “the basis of Toyota’s scientific approach.” By asking why a problem has occurred five times – therefore probing five causes deep – Ohno says, “the nature of the problem as well as its solution becomes clear.” Pushing to deeper causes of a failure is plainly important; if only the surface causes of a failure are addressed, the failure is near certain to recur.

Reis, in a book geared to startups, explains how to use The Five Whys as an “automatic speed regulator” in businesses that face failures in driving rapidly to market. The outcome of The Five Whys process, according to Ries, is to make a “proportional” investment in corrections at each five layers of the causal analysis – proportional in relation to to the significance of the problem.

Of course, root cause analysis is part of security incident response. The National Institute of Standards and Technology suggests that taking steps to prevent recurrences is both part of eradication and recovery and the post-incident phase. My own experience is that root cause analysis in incident response is often done poorly – with remedial measures almost always targeted at surface level causes. What I did not understand until reading Ries, is that conducting the kind of good root cause analysis associated with The Five Whys is HARD.

Ries explains that conducting root cause analysis without a strong culture of mutual trust can devolve into The Five Blames. He gives some good tips on how to implement The Five Whys despite this challenge: establishing norms around accepting the first mistake, starting with less than the full analytical process and using a “master” from the executive ranks to sponsor root cause analysis.

From my perspective, I’ll now expect a little less insight out of clients who are in the heat of crises. It may be okay to go a couple levels deep while an incident is still live and while some process owners are not even apprised of the incident – just deep enough to find some meaningful resolutions to communicate to regulators and other stakeholders. It may be okay to tell these stakeholders “we will [also] look into our processes and make appropriate improvements to prevent a recurrence” – text frequently proposed by clients for notification letters and reports.

What clients should do, however is commit to conducting good root cause analysis as part of the post-incident phase:

*Write The Five Whys into your incident response policy.

*Stipulate that a meeting will be held.

*Stipulate that everyone with a share of the problem will be invited.

*Commit to making a proportional investment to address each identified cause.

Ries would lead us to believe that this will be both unenjoyable yet invaluable – good reason to use your incident response policy to help it become part of your organization’s discipline.