Public computers closed off at the Hamilton Public Library following the February 2024 City of Hamilton cybersecurity failure. Credit: Joey Coleman

Ontario’s Information and Privacy Commissioner (IPC) has issued another ruling stating that cybersecurity breaches are privacy breaches.

Significantly, the latest ruling is the first under the Municipal Freedom of Information and Protection of Privacy Act.

Previous rulings dealt with personal information under the Personal Health Information Protection Act. (See IPC rulings: Kingston, Frontenac and Lennox & Addington Public Health, The Hospital for Sick Children, and Halton Children’s Aid Society.)

The latest decision involves the Sault Ste. Marie Police Services. On August 26, 2021, Sault Ste. Marie Police computers were breached and files encrypted.

In submission to the IPC, Police argued there was no privacy breach because they found ‘that the affected information was encrypted in place and neither obtained nor exfiltrated by the threat actor.’

Ontario’s Privacy Commission ruled it is a privacy breach.

“Respectfully, I disagree with the police’s position that the attack did not amount to a privacy breach,” writes IPC Investigator John Gayle. “The threat actor’s encryption of the personal information resulted in an unauthorized use of this information contrary to section 31 of MFIPPA and, therefore, was a privacy breach.”

The IPC ruled that Sault Ste. Marie Police Services did not adequately respond to the breach, and have not taken reasonable measures to prevent future breaches.

Sault Ste. Marie Police have been ordered to implement the IPC orders within three months.

The City of Hamilton has disputed the IPC’s definition of privacy breach.

In response to the three earlier 2024 decisions, the City stated that it does not believe the encryption of personal information should constitute a breach.

Hamilton City Hall believes no personal data was downloaded during the February 2024 cybersecurity failure.

Notwithstanding the City’s viewpoint, the IPC directed Hamilton City Hall to issue private failure notifications.

In mid-November, the City complied by posting a vague statement, only once, to its X account: “For more information on two notifications related to the City’s cybersecurity incident that may impact you, please access the following link.”


Production Details
v. 1.0.0
Published: December 26, 2024
Last updated: December 26, 2024
Author: Joey Coleman
Update Record
v. 1.0.0 original version
