Interpretation of “use” and “loss” of personal information under Ontario privacy statutes in the context of ransomware attacks.
Determination of whether ransomware-induced inaccessibility constitutes unauthorized use or loss, triggering notification duties.
Assessment of whether public or indirect notice satisfies statutory notification requirements after a cyberattack.
Evaluation of the Information and Privacy Commissioner’s (IPC) statutory interpretation and decision-making process for reasonableness.
Consideration of the necessity and purpose of notifying affected individuals when no evidence of data exfiltration or viewing exists.
Judicial review of administrative decisions and the appropriate standard of review for statutory interpretation and findings of fact.
Facts of the case
The Hospital for Sick Children (“SickKids”) and Halton Children’s Aid Society (“Halton”) were both targeted by separate ransomware attacks in 2022. These attacks rendered certain personal information temporarily inaccessible by encrypting the data at the container (system) level, but investigations found no evidence that any personal or health information was viewed, accessed, or exfiltrated by the attackers. Both institutions promptly notified the Information and Privacy Commissioner of Ontario (IPC) about the incidents, but argued that the statutory requirement to notify affected individuals was not triggered, as there was no unauthorized access, use, or loss of data. SickKids, unlike Halton, made public announcements about the attack but did not include information about individuals’ rights to complain to the IPC.
Relevant policy terms and statutory clauses
The statutory frameworks at issue were the Personal Health Information Protection Act, 2004 (PHIPA) for SickKids and the Child, Youth and Family Services Act, 2017 (CYFSA) for Halton. Both statutes require custodians or service providers to take reasonable steps to protect personal information and to notify individuals at the first reasonable opportunity if their information is stolen, lost, or used/disclosed without authority. The statutes also require that such notifications include a statement about the right to complain to the IPC. The terms “use” and “loss” were central to the dispute, with “use” defined in PHIPA as viewing, handling, or otherwise dealing with information, but “loss” not specifically defined in either statute.
The IPC’s review and decisions
The IPC opened investigations into both incidents. After reviewing forensic reports and submissions, the IPC concluded that the ransomware attacks constituted both an unauthorized “use” and a “loss” of personal information, even though there was no evidence of actual viewing or exfiltration. The IPC reasoned that making information unavailable to authorized users through encryption was a form of “handling” or “dealing with” the information, and thus fell within the statutory definition of “use.” The IPC also found that the temporary inaccessibility amounted to a “loss” of information, as it denied the institutions access to data needed for their services.
For SickKids, the IPC found that the hospital’s public notice did not comply with statutory requirements because it omitted reference to the right to complain to the IPC, but decided not to issue a remedial order given the public disclosure already made. For Halton, which had not made a public disclosure, the IPC ordered that notice be provided to affected individuals via the organization’s website or another form of indirect public notice.
Judicial review and appeal
Both SickKids and Halton sought judicial review of the IPC’s decisions, arguing that the IPC’s interpretation of “use” and “loss” was unreasonable and overly broad, potentially leading to over-notification and unnecessary burdens on custodians. The Ontario Hospital Association intervened in support of this position. The IPC maintained that its interpretation was correct and consistent with the statutes’ purposes, emphasizing transparency and accountability even where no direct harm or data exfiltration occurred.
The Divisional Court considered whether the IPC’s decisions were reasonable, whether the statutory interpretation was properly conducted, and whether SickKids’s application was moot in the absence of a remedial order. The Court found that a live controversy remained and that the IPC’s approach to statutory interpretation was not improperly results-oriented. The Court held that the IPC’s findings—that the ransomware attacks constituted unauthorized use and loss, triggering notification duties—were reasonable and justified by the facts and law.
Outcome and ruling
The Divisional Court dismissed both the judicial review applications and Halton’s appeal, upholding the IPC’s decisions. The Court confirmed that notification obligations under PHIPA and CYFSA are triggered by ransomware attacks that render personal information temporarily inaccessible, even if there is no evidence of data being viewed or stolen. The Court did not order costs. The successful party in this matter was the Information and Privacy Commissioner of Ontario. No specific monetary award or costs were ordered in favor of any party.
Court: Ontario Superior Court of Justice - Divisional Court
Case Number: 449/24, 450/24 & 453/24
Practice Area: Privacy law
Amount: Not specified
Winner: Respondent