Think Again: Breach Notification is Required
Breach notification plays out differently within various sectors in Ontario. From health legislation to municipal regulations, incident obligations can vary and sometimes operate in a gray area or piggyback off “best practice” approaches. Recently, the requirement for breach notification has garnered attention after the Information and Privacy Commissioner of Ontario (IPC) issued a series of decisions regarding cyber incidents that took place in three different organizations[1]. These decisions were made even where the organizations could provide evidence that the personal health information (PHI) they held was “not accessed or exfiltrated” by the threat actor. What’s more, the data had been fully restored from backups. These decisions further clarified the breach notification requirements regarding PHI within Ontario.
Through this stance, the IPC reiterated the meaning of “loss” in the context of a data breach and breach notification, which affects how PHI should be managed during a cyber incident. Consequently, we are faced with the question: does the loss of data trigger notification even when the data is encrypted, cannot be accessed by the threat actor, and no harm is incurred by the individual?
The answer to that question is yes. Simply put, the IPC recently confirmed that notification obligations do arise in such situations where PHI is concerned (i.e. even where no serious harm was caused). Where the information is encrypted and not directly accessed, PHIPA[2] is clear about what triggers notification requirements. This is vastly different from PIPEDA, under which notification requirements are triggered only where a breach poses a “real risk of significant harm” to individuals.
These decisions shine light on how the IPC interprets PHIPA and reiterate the sensitivity and protection required for PHI. Prior to these decisions, organizations experiencing a cyber incident were seemingly operating with the understanding that they did not have to notify data subjects of the breach if the PHI was encrypted (even if by the threat actor, i.e. ransomware) but not accessed, viewed or used by the threat actor, and no harm was incurred by the individual.
The Concept of 'Encryption', 'Use', and 'Loss'
Organizations still view encryption as a fail-safe when it comes to data breaches. Even where the data is encrypted by the threat actor, if it cannot be accessed, “what’s the harm?”
The IPC has concluded that the encryption of the organization’s servers by the threat actor results in “unauthorized use” and a “loss” of PHI. The IPC made this determination on the basis that the encryption of data (by the threat actor) “affected the personal information in those servers, by making that personal information unavailable and inaccessible to authorized users”, which amounted to a “loss”.
Examining Ontario’s Breach Notification Requirements
In terms of PHIPA, the collection, use or disclosure of PHI without authorization (including theft, loss, or unauthorized copying, modification or disposal of PHI) is considered a breach and triggers notification requirements. In this event, and as emphasized by the IPC, organizations must notify the IPC as well as the affected individuals (unless an exception exists). Notice must be issued at the first reasonable opportunity. Similar notification triggers exist under the Child, Youth and Family Services Act, 2017 (CYFSA), where the affected individual must be informed of the breach and, in some instances, the IPC and the Minister of Children, Community and Social Services.
In terms of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA)[3] and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)[4], the required notification response falls under “best practice” rather than a prescriptive approach. That is unless the information collected under these provincial or municipal institutions is PHI, in which case PHIPA will apply.
The introduction of Bill 194 is intended to change the breach notification criteria and introduce new breach reporting obligations for public sector organizations covered by FIPPA (not MFIPPA). When a privacy breach poses a real risk of significant harm to affected individuals, these organizations will be required to promptly report the breach. As a result, institutions falling under the jurisdiction of Bill 194 will need to consider this broadened scope of breach notification.
What Next?
What is clear from the above is that organizations should be mindful of which privacy (or health) legislation they are governed by and what their notification requirements are, particularly where a breach occurs.
To this end, organizations should have a detailed breach response plan which will aid employees in the event of a crisis such as a cyber-attack and set out the triggers for notification to affected individuals, the IPC, the OPC or, in some cases, the Ministry.
[1] Halton Children’s Aid Society (Re), 2024 CanLII 67087 (ON IPC); Hospital for Sick Children (Re), 2024 CanLII 67095 (ON IPC); Kingston, Frontenac and Lennox & Addington (KFL&A) Public Health (Re), 2024 CanLII 67096 (ON IPC).
[2] PHIPA is Ontario’s Personal Health Information Protection Act and applies to all personal health information collected and processed by Ontario’s entities.
[3] FIPPA applies to Ontario's provincial ministries and most provincial agencies, boards and commissions, as well as community colleges, universities, Local Health Integration Networks (LHINs) and hospitals.
[4] MFIPPA applies to local Ontario government institutions, including municipalities, police services boards, school boards, conservation authorities, boards of health and transit commissions.