Ontario’s Divisional Court has confirmed that public institutions must protect against cybersecurity breaches and that a privacy breach occurs when cybercriminals breach systems holding personal information.

The ruling follows litigation launched by The Hospital for Sick Children and the Halton Children’s Aid Society against the Information and Privacy Commissioner of Ontario, using public funds. (Other institutions that were subject to similar IPC orders did not join the appeal.)

The institutions experienced separate ransomware attacks in 2022, resulting in the encryption of personal information held by them.

Both institutions stated there was no evidence the data was stolen or used by the cybercriminals.

The IPC, in multiple decisions, ruled this constitutes a privacy breach because the encryption is an “unauthorized use of personal information” and public institutions are required to notify the public of these breaches.

Public Institutions Argued They Should Not Have to Inform Public

In their joint application to the Superior Court, the institutions argued they only informed the IPC of the ransomware attacks “as a courtesy only, arguing that the statutory notification requirement was not engaged.” [Para 21]

They argued there was no “use” or “disclosure” of personal information, specifically that encryption is not “use” and they were confident no data was taken by the cybercriminals.

The IPC accepted each institution’s findings that the data was not stolen and that cybercriminals did not view the data.

The IPC did, however, rule that the encryption was a “use” of personal information and that the institutions’ inability to access their data was a “loss” of personal information.

Divisional Court Upholds Privacy Protections, Agrees with IPC

Justice Richard Lococo, writing for a unanimous three-judge panel alongside Justice Harriet Sachs and Justice Alexander Kurke, stated that accepting the institutions’ arguments that they do not need to inform the IPC of breaches would “unduly restrict the obligation imposed on information custodians to be transparent and accountable in relation to the expanding threat of cyber attacks of this nature.”

“The absence of a requirement to notify in these circumstances also would interfere with the IPC’s ability to ensure that information custodians conduct a proper investigation to determine whether individuals’ personal information was compromised.”

Therefore, each incident constituted a privacy breach and public notification was required.

Ruling’s Implications for Hamilton

The ruling confirms that Hamilton’s February 2024 cybersecurity failure was a privacy breach under the Municipal Freedom of Information and Privacy Act. An independent investigator found that the failure was the result of gross negligence and that the City failed to meet the requirements of its insurance policy.

The IPC investigation reviewing the Hamilton incident is ongoing.


Production Details
v. 1.0.0
Published: September 18, 2025
Last updated: September 18, 2025
Author: Joey Coleman

Update Record
v. 1.0.0 original version
