Protecting Your Organization from Ransomware Threats: New Guidance from Ontario’s Information and Privacy Commissioner

The Information and Privacy Commissioner of Ontario (IPC), Ontario’s public sector and health privacy regulator, recently released a technology factsheet titled, “How to Protect Against Ransomware.” This factsheet is intended to provide organizations with an overview of the ongoing threat ransomware presents, their obligations to safeguard personal information and ways to protect against this threat.

Ransomware incidents are the leading type of cyber attack experienced by private-sector organizations. Ransomware is a type of malware used by threat actors to gain access to an organization’s system. Threat actors often render an organization’s system inaccessible and steal their data. Victims are asked to pay a ransom to unlock their systems and to avoid having their data published.

The most common methods to access an organization’s system in a ransomware attack are:

1. Social engineering: a threat actor targets a person within an organization and manipulates them into giving the threat actor access. These attacks commonly originate with phishing emails, misleading websites and online advertisements.

2. Exploiting vulnerabilities in a system connected to the internet: threat actors scan the internet to discover and send malicious software instructions to systems that have not been patched or configured to address known vulnerabilities.

3. Supply chain compromise: sophisticated attackers can compromise third-party products or services, such as open-source software, used by an organization to get direct access to a network.

Ransomware attacks present an opportunity for serious harm to individuals and organizations, including interruption of internal functions and service delivery, financial loss, reputational injury and negative impacts on compromised individuals.

If personal information is stolen in a ransomware attack, applicable privacy and data protection obligations are triggered. Organizations subject to Ontario’s privacy laws must ensure that their cybersecurity programs include reasonable measures to safeguard the personal information they hold from unauthorized access, disclosure and destruction.

Health information custodians and child and family service providers in Ontario face heightened obligations to protect personal information from unauthorized use, copying, modification, loss and theft. Additionally, they must ensure that the retention, transfer or disposal of personal information is undertaken in a secure manner. In the event of a ransomware attack, they are required to notify affected individuals and the IPC. 

To meet privacy and data protection obligations, the IPC recommends that organizations enhance information security accountability, including the following recommendations:

• Create a foundation for accountability with strong governance practices through a privacy and security governance committee consisting of senior executives responsible for information technology, legal services, access and privacy.

• Formalize accountability measures through an information security policy. That policy should set out roles, responsibilities, reporting mechanisms and requirements for putting in place technical, administrative and physical safeguards.

• Implement data protection mechanisms through internal practices and regular evaluation.

• Ensure all contracts with third-party service providers provide the same degree of protection as internal mechanisms.

To safeguard your organization against ransomware attacks, the IPC recommends putting in place a strong cybersecurity program. In the factsheet, the IPC provides a comprehensive overview of suggested cybersecurity practices. Notably, an organization should:

• Develop a clear understanding of its information holdings in terms of sensitivity and volume. Organizations should be attentive to which employees or service providers have access to information and where it is stored.

• Use tools to prevent and detect the methods ransomware attackers use to get access to a network by putting in place email security controls, reducing the number of pathways an attacker can take to get access to the network and regularly scan the network.

• Limit user access and authorizations to only those necessary to perform their specific duties and monitor use.

• Maintain regular backups stored offline and use data loss prevention tools to log, monitor and block network traffic of irregular file transfers to untrusted destinations or known file upload websites.

• Devise a breach response plan. Organizations must take reasonable measures to protect personal information, and several IPC decisions recognize breach response plans as an important element of that obligation. This plan should clearly identify roles for responding to incidents, develop a classification of breach severity and specify procedures for escalation, disconnection, containment, eradication and recovery. Organizations are advised to consult with cybersecurity professionals in drafting this plan and obtain cyber security insurance.

In the event of a ransomware attack, organizations should be aware of the data protection and privacy obligations that apply to them in all of the jurisdictions in which they operate, as they may vary. For example, organizations subject to the federal Personal Information Protection and Electronic Documents Act are required to comply with its breach reporting regime. Additionally, Quebec has recently updated its privacy legislation, including new breach reporting obligations. For more information, read our October 2022 Blakes Bulletin: New Breach Reporting Requirements in Force in Quebec.

For assistance, please contact:
 
Catherine Beagan Flood          +1-416-863-2269
Natalie LaMarche                      +1-416-863-2734
Liliane Langevin                        +1-514-982-5065
 
or any other member of our Cybersecurity group.