In February 2022, the respondent Halton Children’s Aid Society (CAS) was the subject of a ransomware attack. While the CAS’s investigation did not find any evidence that the threat actor had accessed or exfiltrated any data stored in the CAS’s environment, it found that the threat actor had encrypted several CAS servers, including those containing personal information.
The IPC initiated a review of the matter under Part X of the Child, Youth and Family Services Act, 2017 (CYFSA). Section 308(2) of the CYFSA sets out a duty on service providers like the CAS to notify individuals at the first reasonable opportunity if their personal information is stolen, lost, or used or disclosed without authority. The CAS asserts that because the ransomware attack targeted its servers at the external or “container” level, the attack did not “individually impact” file folders and files of personal information held inside the encrypted containers. The CAS takes the position that the encryption event did not result in a theft, loss, or unauthorized use or disclosure of personal information within the meaning of section 308(2), and that the duty to notify does not apply.
In this decision, the adjudicator finds that the threat actor’s encryption of CAS servers at the container level affected the personal information in those servers, by making that personal information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal information within the meaning of section 308(2). As a result, the CAS had a duty to notify affected individuals “at the first reasonable opportunity” of the incident. After taking into account relevant circumstances, including the evidence of diligent efforts by the CAS to contain and to mitigate the risks of the privacy breach, the adjudicator finds that the notice requirement can be met in this case through the posting of a general notice on the CAS’s website, or another form of indirect public notice. The adjudicator orders the CAS to provide this notice within 30 days of the date of this decision.