Privacy concerns are at the forefront of our increasingly digital world, with cybercrime such as ransomware, business email compromise and phishing attacks becoming a noticeable risk for organizations. It is essential for municipalities to understand their minimum responsibilities under Saskatchewan and federal legislation, as well as the best practices recommended by provincial and federal privacy commissioners. This article will provide guidance on responding to cyber-attacks and share lessons for Saskatchewan municipalities from recent data breaches.
Municipalities are attractive targets for ransomware attacks and must ensure they are adequately protected from liability stemming from an attack. As we have reported in past articles, incident response plans and strategies are an excellent risk mitigation tool for organizations of any size and location, but in particular for those who collect and use considerable amounts of “personal information”. Municipalities usually process a wide range of personal information from constituents, including sensitive personal information contained in meeting minutes, permit applications, and other documents. They will also collect information on staff, taxes paid by residents, and personal contact information on councillors and residents, to name a few examples.
When privacy breaches occur, whether due to malicious cyber-attacks, inadvertent disclosure, or data loss, municipalities must respond in a way that protects the individuals affected as well as the organization itself.
Municipalities must know their responsibilities under the specific privacy legislation that applies to their operations and with respect to data breaches. The Local Authority Freedom of Information and Protection of Privacy Act (“LA FOIP”), The Health Information Protection Act, (“HIPA”), and the Personal Information Protection and Electronic Documents Act (“PIPEDA”) must all be considered. In Saskatchewan, LA FOIP and HIPA are enforced by the Saskatchewan Information and Privacy Commissioner (“IPC”). PIPEDA is enforced federally by the Office of the Privacy Commissioner of Canada (“OPC”).
Each Act applies to different categories of personal information collected, used, and disclosed for different purposes. Municipalities are local authorities and are generally governed by LA FOIP. However, HIPA will apply to any “personal health information” held by a municipality. In limited circumstances, PIPEDA may also apply to the so-called “MUSH” sector (municipalities, universities, schools, and hospitals) with respect to any personal information processed for a non-core commercial activity. This analysis can be quite complex.
It is important for Saskatchewan municipalities to understand which legislation applies, particularly as it relates to data security incidents involving personal information. Each Act has its own unique requirements with respect to the threshold of a breach, the extent and timing of notification, and the duty to report to the regulator. Municipalities must know the specific obligations under each Act and must always keep in mind that a single breach incident may create obligations under multiple Acts.
In addition to the pre-existing, reactionary duties to a breach or potential breach, LA FOIP and PIPEDA have positive, pre-emptive duties requiring organizations to protect personal information.
This article will outline the positive, pre-emptive duties to protect personal information in the possession of a municipality, as well as what constitutes a breach, and a municipality’s duty to notify and report after the fact.
Positive Duty to Protect:
LA FOIP: s. 23.1(b)
LA FOIP requires municipalities to have administrative, technical, and physical safeguards to protect the integrity, accuracy, and confidentiality of personal information in its possession or under its control. These safeguards include mandatory privacy education for employees, implementation of privacy policies, technology firewalls, and physical alarm systems.
Failure to institute proper safeguards is an offense under the LA FOIP.
HIPA: s. 16
HIPA requires municipalities to establish policies to maintain administrative, technical, and physical safeguards to protect the integrity, accuracy, and confidentiality of personal health information in its possession and under its control, and to protect against any reasonably anticipated threat, hazard, loss of information, or unauthorized access.
Compliance must be enforced at the employee level.
PIPEDA: s. 2(1), Principle 4.9.3, Principle 4.3.5
PIPEDA requires municipalities to enact physical measures such as locked filing cabinets, organizational methods such as security clearances and access on a need-to-know basis, and technological measures such as the use of passwords to protect personal information obtained for a non-core commercial activity. Municipalities must ensure that their employees understand the importance of maintaining confidentiality of personal information and using care in the destruction of any personal information to prevent unauthorized access.
What is a Reportable Data Breach?
LA FOIP: s. 24 – s. 28
LA FOIP defines a breach or misuse of personal information as: collection of more personal information than required by a municipality, a municipality’s use of personal information that is not consistent with the purpose for which it was collected, unauthorized access to personal information, loss of personal information or documents containing personal information, and possession of personal information that is inaccurate.
HIPA: s. 2(m), s. 19, and s. 23 – s. 30
HIPA defines a breach as: any unauthorized access to personal health information, the collection of more personal health information than is required, and the use of personal health information inconsistent with the purpose for which it was collected, the loss of personal health information, and the collection or possession of inaccurate personal health information.
Examples of a breach include: collection of health services number for a non-health-related service; when personal health information is collected from a third party; collecting personal health information for one service and using it to promote a different service; accessing personal health information beyond a need-to-know basis; and sharing personal health information with another organization without consent.
PIPEDA: s. 2(1), and s. 4.7.1
Under PIPEDA, a data breach occurs where there is a breach of security safeguards that involves any unauthorized use, access, theft, or loss of personal information. Personal information includes virtually any information related to an identifiable individual.
What Must be Reported?
LA FOIP: s. 28.1
Under LA FOIP, a municipality must report a breach to any affected individual whose personal information was subject to an unauthorized access or disclosure where such unauthorized access or disclosure creates a “real risk of significant harm” (“RROSH”). RROSH is defined at page 31 of the IPC Dictionary. It is recommended municipalities undertake proactive and early reporting to affected individuals and the IPC to minimize legal and reputational liability.
HIPA: s. 10, s. 14, and s. 42
Under HIPA, it is mandatory to notify an individual for any personal information that is disclosed without consent, which encompasses data breaches (including disclosures made by accident). While there are no mandatory reporting requirements for a privacy beach to the IPC, the recommended best practice is to report the breach to all affected individuals and the IPC. Any person can apply to the IPC for a review if they suspect HIPA has been contravened, and the review findings are made public. IPC recommends following their breach steps outlined at page 2 of the Privacy Breach Guidelines for Trustees.
PIPEDA: s. 10.1 and s. 10.3
Under PIPEDA, a municipality must notify the OPC and any affected individual of any unauthorized access to personal information, or breach of security safeguards that posed a RROSH. The OPC provides a breach report form to streamline the reporting process.
Municipalities must also create and maintain a record of every breach involving personal information subject to the Act, whether or not there is a RROSH. It is an offense to knowingly contravene the reporting, notification, and record-keeping requirements under PIPEDA.
Lessons From LifeLabs Investigation
In October 2019, LifeLabs LP (“LifeLabs”) discovered a cyber-attack which resulted in unauthorized disclosure of personal health information of over 90,000 Saskatchewan residents. LifeLabs reported the attack to the individuals affected without providing specific information, and delayed in reporting the breach to the IPC. The IPC found that the Saskatchewan Health Authority (“SHA”) had control of the majority of the information at the time of the attack and therefore considered a Trustee under HIPA.
Unfortunately, LifeLabs was not able to authenticate the identities of certain individuals, as well as did not provide the proper information to persons affected by the breach, and therefore the IPC was not satisfied with the notification efforts of LifeLabs and the SHA. The IPC also found that because a fulsome, detailed report was not provided, LifeLabs did not demonstrate that it fully investigated the breach nor adopted appropriate preventative measures. LifeLabs was further found to be in contravention of s. 16(b) and 16(c) of HIPA as they did not have written security policies nor reasonable safeguards in place at the time of the breach.
The IPC subsequently made, among others, the following significant recommendations:
- The SHA undertake a full audit of LifeLabs systems and responses to breaches to ensure any future breaches are fully addressed as well as to ensure LifeLabs is in compliance with HIPA and the contract between LifeLabs and the SHA and consider terminating the contract if these standards were not met;
- SHA provide quarterly updates to the IPC about its progress in implementing the recommendations;
- SHA and LifeLabs provide cyber security protection to affected individuals from Saskatchewan for a minimum of five years; and
- The Ministry of Health inspect LifeLabs’ documents, records, and equipment to ensure LifeLabs is adequately protecting personal health information in the public interest and determine whether LifeLabs’ license should be suspended or cancelled.
LifeLabs shows the significance of implementing strong security measures proactively as well as the importance of working with the IPC and fully notifying affected persons of any data breaches to mitigate any potential harm arising from a security incident or other data breach.
Data security incidents can occur at any time. It is crucial for municipalities to adopt the required proactive safeguards to limit the frequency and detrimental consequences of breaches, as well as a targeted incident response plan in the event one does occur. Once a breach is detected, municipalities must work fast not only to contain the incident, but also to investigate the nature and cause, and assess any number of potentially numerous notification and reporting obligations under the relevant legislation. Understanding all the potentially applicable requirements is imperative to ensuring compliance and avoiding unnecessary legal, contractual, and reputational risks.