
Ransomware Attack: What Canadian SMEs Must Do Under PIPEDA and Alberta PIPA

Scenario-specific breach response guidance for Canadian businesses hit by ransomware — RROSH assessment, reporting obligations, and what makes ransomware different from other breaches.

Updated April 17, 2026


This playbook is not legal advice. It provides general guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.

What makes ransomware different from other breaches

Most breach scenarios leave access probability as an open question. Ransomware removes that ambiguity. When ransomware executes on your systems, the attacker has been inside your environment. Access is confirmed or highly probable — and the act is deliberate and malicious.

These two facts — confirmed access and malicious intent — are the two heaviest RROSH factors under PIPEDA. Ransomware attacks consistently produce HIGH or CRITICAL verdicts when personal information was present on affected systems. The question is rarely whether you have reporting obligations. It is how quickly you can satisfy them.

A second characteristic matters: ransomware attacks are ongoing breaches. Attackers commonly spend days or weeks in a network before deploying the encryption payload. Your containment date is not your breach start date.


Immediate containment — ransomware-specific

Do not pay the ransom before obtaining legal advice. Payment may violate Canadian or US sanctions regulations if the attacker is a designated entity. This determination must happen before any payment is made, regardless of operational pressure.

Do not wipe affected systems before forensic review. Destroying evidence before your incident response investigation is complete will undermine your breach report and may constitute obstruction if regulatory proceedings follow.

Ransomware-specific steps:

  • Isolate affected systems from the network immediately — do not shut them down unless instructed by your incident response firm
  • Disable compromised accounts and revoke active sessions
  • Engage your cyber insurer before taking further action — most policies require notification before remediation begins
  • Engage an incident response firm if you do not have internal forensic capability
  • Preserve all available logs, including firewall, endpoint, and authentication logs from the period before the encryption event
  • Identify the dwell time — when did the attacker first enter the environment? This is your breach start date, not the encryption date

What drives RROSH in a ransomware attack

Three factors make ransomware consistently produce high RROSH scores:

1. Malicious intent is confirmed. Under PIPEDA and Alberta PIPA, a deliberate or malicious breach cause is a significant weighted RROSH factor. Ransomware is never accidental.

2. Access is confirmed or highly probable. Attackers who deploy ransomware have already accessed your systems. Modern ransomware groups routinely exfiltrate data before encrypting — even if you do not see evidence of exfiltration, regulators expect you to treat access as confirmed unless forensic evidence affirmatively rules it out.

3. Sensitive data types multiply the score. If employee records, customer financial information, health data, or credentials were on affected systems, each data type adds weight. Organizations that assume "we're a small business, our data isn't that sensitive" consistently underestimate this factor.

The only factor that commonly reduces a ransomware RROSH score is confirmed encryption at rest at the time of the attack. If affected data was encrypted with keys not accessible to the attacker, access is not confirmed. This must be established forensically — not assumed.


Likely verdict range

HIGH to CRITICAL in most cases where personal information was present on affected systems.

MINIMAL or LOW verdicts are rare in ransomware attacks and generally require: (a) confirmed encryption at rest, (b) only non-sensitive personal information (contact details only, no financial, health, or credential data), and (c) rapid containment with no evidence of exfiltration.

If you are uncertain, assume HIGH and assess downward as forensic information becomes available. Reporting on a HIGH verdict and subsequently establishing that harm risk was lower is far better than failing to report and being found in violation.
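The RROSH reasoning in this and the preceding section, written out as a decision function. This is an added illustration, not ClearBreach's assessment engine: the field names, the HIGH versus CRITICAL split, the treatment of an unknown key status as "assume HIGH", and the breach timeline are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

SENSITIVE_TYPES = {"employee_records", "financial", "health", "credentials"}  # types the playbook names

@dataclass
class RansomwareFacts:
    data_types: Set[str]                        # e.g. {"contact", "financial"}
    encrypted_at_rest: bool                     # data was encrypted when the attacker got in
    keys_reachable_by_attacker: Optional[bool]  # None = not yet established forensically
    exfiltration_evidence: bool
    rapid_containment: bool

def access_confirmed(f: RansomwareFacts) -> bool:
    """Access is treated as confirmed unless forensics affirmatively rules it out. Encryption at
    rest only helps once the keys are shown to be out of reach; unknown key status counts as reachable."""
    if not f.encrypted_at_rest:
        return True
    if f.keys_reachable_by_attacker is None:
        return True
    return f.keys_reachable_by_attacker

def rrosh_verdict(f: RansomwareFacts) -> str:
    """Map the playbook's qualitative rules to a verdict (the HIGH/CRITICAL split is an assumption)."""
    sensitive = bool(f.data_types & SENSITIVE_TYPES)
    if access_confirmed(f):
        # Malicious intent plus confirmed access; sensitive data types push it to CRITICAL.
        return "CRITICAL" if sensitive else "HIGH"
    if not sensitive and not f.exfiltration_evidence and f.rapid_containment:
        return "LOW"   # all three conditions for a low verdict hold
    return "HIGH"      # keys unreachable, but another condition fails: stay HIGH, assess downward later

# Constructed timeline: (timestamp, description, attributed to the attacker?)
TIMELINE: List[Tuple[datetime, str, bool]] = [
    (datetime(2026, 3, 2, 22, 41), "VPN login from compromised account", True),
    (datetime(2026, 3, 10, 3, 15), "lateral movement to file server", True),
    (datetime(2026, 3, 15, 1, 0), "encryption payload executed", True),
    (datetime(2026, 3, 15, 8, 30), "affected systems isolated", False),
]

def breach_start(events: List[Tuple[datetime, str, bool]]) -> datetime:
    """Breach start date is the earliest attacker-attributed event, not the encryption event."""
    return min(ts for ts, _, attacker in events if attacker)

def dwell_days(events: List[Tuple[datetime, str, bool]]) -> int:
    """Days from first attacker access to the latest attributed event (the encryption payload here)."""
    attacker_events = [ts for ts, _, attacker in events if attacker]
    return (max(attacker_events) - min(attacker_events)).days
```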


Scenario-specific obligations and complications

Sanctions risk before paying ransom. The Government of Canada's autonomous sanctions and the US OFAC sanctions list both include ransomware groups. Paying a sanctioned entity exposes your organization to regulatory penalties independent of the privacy breach. Obtain legal advice specifically on this point before any payment decision.

Dwell time determines your breach start date. Your reporting obligation clock starts from when the breach began — which in a ransomware attack is when the attacker first accessed your environment, not when encryption was detected. Forensic investigation to establish dwell time affects how you complete your breach report.

Third-party vendor involvement. If ransomware entered through a managed service provider, cloud platform, or software supplier, the vendor is a party to the breach. Your OIPC Alberta submission requires documentation of vendor involvement and your coordination steps. Your service agreement should obligate the vendor to cooperate — document every communication.

Alberta PIPA individual notification timing. Under the OIPC Alberta's April 2024 streamlined review process, organizations that notify affected individuals simultaneously with regulatory reporting receive a private closing letter rather than a public investigation. The practical implication: do not delay individual notification to await regulatory direction.


Documents you will need

For a ransomware attack where RROSH is confirmed:

  • Internal Incident Record — always required; begin populating immediately, retain for 24 months
  • OPC PIPEDA Breach Report — required if PIPEDA RROSH threshold is met (almost certain in a ransomware attack involving personal information)
  • OIPC Alberta PIPA Notification Form — required if Alberta PIPA applies; email to breachnotice@oipc.ab.ca
  • Individual Notification Letter — required where INDIVIDUAL_NOTIFICATION obligation fires
  • AB PIPA Individual Notice (s.19.1) — required for Alberta PIPA individual notification; attach to your OIPC AB submission

ClearBreach generates all of these automatically from your assessment answers.


Common mistakes — ransomware specifically

Waiting for full forensic confirmation before notifying. Regulators do not require certainty — they require action as soon as you determine RROSH is present on the available information. Waiting weeks for a forensic report before filing is one of the most common compliance failures in ransomware incidents.

Treating the encryption date as the breach date. Ransomware attackers are typically present in your environment for days or weeks before deploying the payload. Your breach report must reflect the actual breach start date once dwell time is established.

Assuming encryption at rest means no breach. If data was encrypted but the attacker had access to the encryption keys (for example, keys stored alongside the data, or keys accessible through compromised admin accounts), encryption does not reduce the access probability. Establishing that the keys were out of the attacker's reach requires forensic confirmation.

Wiping systems before forensic review. Operational pressure to restore systems is real. But destroying evidence undermines your ability to complete an accurate breach report, and regulators may draw adverse inferences from gaps in your investigation record.


MSP note

If you are an MSP and your client was hit by ransomware, your obligations depend on whether you handle personal information on the client's behalf. If you do — and you almost certainly do — you have obligations as a service provider under PIPEDA and as an organization under Alberta PIPA.

Engage your client immediately. Document every communication. Your service agreement should define which party leads regulatory notification — confirm this before acting unilaterally on the client's behalf. If the ransomware entered through your systems or through a tool you manage, you are a direct party to the breach, not just a service provider.

ClearBreach MSP tier allows you to run a structured assessment for your client within your account. Use it to establish the RROSH verdict before advising the client on their regulatory obligations.


Ready to assess this breach? ClearBreach walks you through 18–23 questions and generates your assessment verdict, regulator reports, and individual notification letters automatically — in under 15 minutes. Start your assessment →
