“EDSTA 2024: The New Cyber Rules Reshaping Ontario’s Children’s Aid Societies”

“Ontario’s New CAS Cybersecurity Laws: What Changes in 2026 and Why It Matters”

News reports and official notices confirm that Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) has experienced at least three major cybersecurity incidents over the past decade.

Enhancing Digital Security and Trust Act, 2024, S.O. 2024, c. 24, Sched. 1

1. The 2016 "Portal" Breach

In April 2016, the agency reported that confidential information was "hacked" and posted to Facebook.

Incident: A link to a confidential report containing the names of 285 clients was posted on the "Smiths Falls Swapshop" Facebook page.

Controversy: While the agency initially claimed they were hacked, a later court ruling found that the documents were actually stored on a publicly accessible WordPress site without a password.

Outcome: This led to a $75 million class-action lawsuit. In 2021, FCSLLG agreed to a $5 million settlement.

2. The 2022 Network Malware Incident

In February 2022, the agency detected suspicious activity that impacted its internal systems.

Incident: An unauthorized third party deployed malware that encrypted certain computer systems at the "container level," making some personal information temporarily inaccessible.

Outcome: A third-party investigation found no evidence that personal information was actually accessed or stolen. Official notices regarding this incident were released as late as October 2025 following regulatory decisions.

3. The 2023/2024 Email Breach

In November 2023, an unauthorized third party gained access to a single employee’s email account.

Incident: The breach was publicly confirmed in February 2024. It involved sensitive details such as full names, case types, kinship services, and Child Protection Information Network (CPIN) numbers.

Impact: Initially, the agency reported only two individuals were impacted, but later notified others "out of an abundance of caution".

Note: There is also reporting of a 2018 ransomware attack where servers were encrypted and a $60,000 ransom was demanded, though the agency stated at the time that no data was taken.

The court cases involving Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) revealed systemic security failures where a public website was used in place of a secure portal.

The $5 Million Settlement Details
The M.M. v. FCSLLG class action, settled in May 2021, provided compensation for approximately 282 identified class members and their families.
Total Fund: $5,000,000 plus administration costs.
Payouts: Class members received a reasonable amount without having to prove specific damages.
Legal Fees: The court approved approximately $1.6 million in legal fees, noting the high risk and five-year duration of the litigation.
Honorarium: A $5,000 honorarium was awarded to the representative plaintiff for the personal risks and publicity they endured.

Court-Identified Security Failures
Judicial proceedings, including the acquittal of the person charged as the alleged "hacker," established that no hacking in any meaningful sense took place: there was no access control to circumvent.
WordPress Exposure: Highly sensitive reports were stored on a public WordPress website with no password protection and no firewall in front of them.
Lack of Access Controls: The "private portal" for board members was in fact a public link. It required no username or password, and the connection carried the documents without encryption.
Insurance Denial: The Ontario Court of Appeal upheld an insurer’s decision to deny coverage for the breach, ruling that the data loss resulted from displaying data on an internet website, which was explicitly excluded in the policy.
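The failure the court described, a "private" link that any anonymous visitor can fetch, is cheap to test for before a breach rather than in litigation afterwards. The following is an added example, not code from the original page or from FCSLLG: a small unauthenticated-exposure check. It starts two local HTTP servers on 127.0.0.1 as constructed stand-ins (one serves a sample "confidential" report to anyone, the other demands HTTP Basic credentials first), then requests each URL with no credentials and classifies what an anonymous visitor would receive. The report text, the `/board/report.pdf` path, the `CONFIDENTIAL` marker and the `board` credential are all hypothetical.

```python
"""Unauthenticated-exposure check (added example; not the page's or FCSLLG's code).

Two local HTTP servers on 127.0.0.1 are constructed stand-ins: one serves a
'confidential' report to anyone (the failure the court described), the other
demands HTTP Basic credentials first. check_url() fetches a URL with no
credentials and reports what an anonymous visitor would get.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample document; contains no real client data.
REPORT = b"CONFIDENTIAL - Board report: client list follows (sample)"
MARKER = b"CONFIDENTIAL"  # string a scanner greps for in anonymous responses


class OpenPortal(BaseHTTPRequestHandler):
    """Misconfigured 'private portal': serves the report to any visitor."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(REPORT)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class ProtectedPortal(OpenPortal):
    """Same report, but only after valid HTTP Basic credentials (hypothetical user)."""
    EXPECTED = "Basic " + base64.b64encode(b"board:correct-horse-battery").decode()

    def do_GET(self):
        if self.headers.get("Authorization") != self.EXPECTED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="portal"')
            self.end_headers()
            return
        super().do_GET()


def start_server(handler):
    """Bind to an ephemeral port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_url(url, marker=MARKER, timeout=5):
    """Request url with no credentials; return (verdict, findings).

    EXPOSED: marker found in a 200 response, i.e. sensitive data is public.
    WEAK:    access is controlled but the link is not https.
    OK:      credentials required and transport encrypted.
    """
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("link is not https: credentials and content travel in clear text")
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            body = resp.read()
            if resp.geturl() != url:
                findings.append(f"redirected to {resp.geturl()} (check that this is a login page)")
            elif marker in body:
                findings.append("sensitive content returned to an anonymous request")
            else:
                findings.append("200 OK without credentials; inspect the body manually")
    except HTTPError as err:
        if err.code in (401, 403):
            findings.append(f"HTTP {err.code}: access control is enforced")
        else:
            findings.append(f"unexpected HTTP {err.code}")
    if any("anonymous request" in f for f in findings):
        return "EXPOSED", findings
    if any("not https" in f for f in findings):
        return "WEAK", findings
    return "OK", findings


def demo():
    """Run the check against both constructed portals; returns {name: (verdict, findings)}."""
    results = {}
    for name, handler in (("open", OpenPortal), ("protected", ProtectedPortal)):
        srv = start_server(handler)
        url = f"http://127.0.0.1:{srv.server_address[1]}/board/report.pdf"
        results[name] = check_url(url)
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, (verdict, findings) in demo().items():
        print(f"{name:9s} {verdict}")
        for f in findings:
            print("   -", f)
```

Run against a real list of "private" URLs, the same check_url() is the whole test: anything that comes back EXPOSED is a document the public can already read, and anything WEAK is a login that leaks its credentials to the network. A redirect to a login page is reported rather than treated as safe, because the page behind the redirect still has to be inspected.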

Links:
https://www.minicounsel.ca/scj/2021/3310
https://canliiconnects.org/en/summaries/73734
https://fcsllg.ca/notice-of-cybersecurity-incident/

Following the high-profile court rulings and class-action settlement, Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) has stated they are "continuously evaluating and strengthening" their security safeguards to prevent future incidents.

The agency has publicly identified several specific safety measures and protocols they claim to have in place:

Claimed Technical & Physical Safeguards
The agency's current official privacy policy and documentation outline the following measures to protect sensitive data:
Electronic Record Protection: The agency claims all electronic records are protected by passwords, firewalls, and encryption technology.
Physical Security: Paper records are stored in locked storage rooms.
Information Access Limits: Employees are required by law to maintain privacy even after leaving the agency. Access to personal records is subject to strict "risk of serious harm" assessments before disclosure.

Response Protocols for Recent Incidents
In response to the 2022 network malware and 2023 email breach, FCSLLG reported taking the following immediate corrective actions:
Expert Engagement: Immediately hiring third-party cybersecurity specialists to conduct forensic investigations.
Regulatory Reporting: Promptly informing the Information and Privacy Commissioner (IPC) of Ontario and reporting events to law enforcement.
Precautionary Notifications: Sending letters to individuals whose information may have been impacted, even when no direct evidence of misuse was found.

New Legislative Requirements (2025–2026)
FCSLLG is now subject to stricter provincial oversight. New Ontario legislation as of March 2026 mandates that Children’s Aid Societies must:
Mandatory Practices: Follow enhanced cybersecurity rules for vital public services.
Maturity Assessments: Complete cyber maturity assessments every two years.
Designated Contact: Appoint a single point of contact for all critical incident reporting to the province.

Despite these claims, critics and advocacy groups have highlighted "red flags" in the agency's response history, specifically pointing to a lack of technical detail in public statements and a pattern of repeated failures since 2016.

Consolidated News & Legal Links

Major News Articles
CTV News (Feb 2024): 'I am deeply troubled': 2024 data breach impacts clients
Hometown News (Feb 2024): Experts investigate email breach at FCSLLG
Ottawa Citizen (June 2020): CAS whistleblower cleared of hacking charges
CBC News (April 2016): Family services sued for $75M after personal info leaked
News Watch (April 2016): Majority of 285 victims contacted after breach

Legal & Official
Ontario CAS Cybersecurity Breaches

Ontario Children’s Aid Societies (CAS) Cybersecurity Summary

Several Ontario Children’s Aid Societies (CAS) have experienced significant cybersecurity breaches, ranging from ransomware attacks to inadvertent data leaks.

Major Documented Incidents

| Year | Organization | Incident Type | Details |
|---|---|---|---|
| 2016 | FCSLLG (Lanark, Leeds & Grenville) | Public Exposure | A list of 285 names was posted on Facebook. Investigators found the "private portal" was actually a publicly accessible WordPress site without a password. |
| 2018 | Oxford County CAS | Ransomware | The agency reportedly paid a $5,000 ransom to regain access to local servers containing sensitive data. |
| 2018 | FCSLLG | Ransomware | Servers were encrypted with a $60,000 ransom demand. The agency refused to pay and restored data from backups. |
| 2022 | Halton CAS | Ransomware | A February attack resulted in the encryption of several servers. While no data exfiltration was proven, the IPC ruled this an unauthorized "use" and "loss" of information. |
| 2023/2024 | FCSLLG | Email Breach | In November 2023 an unauthorized third party gained access to a single staff member's email account. The breach was publicly confirmed in February 2024, and notifications went to individuals whose sensitive details, including Child Protection Information Network (CPIN) numbers, may have been exposed. |

Internal & Third-Party Breaches

  • CPIN Inadvertent Disclosure (2021/2023): The Ministry of Children, Community and Social Services inadvertently shared files containing Indigenous registration numbers with six external organizations during a system review.
  • Unauthorized Employee Access: An employee of a southwestern Ontario CAS was found to have accessed CPIN without authorization, affecting the privacy of 24 individuals.
  • PowerSchool Breach (2024/2025): While primarily a school board vendor, this major cyberattack affected millions and involved custody indicators and medical alerts relevant to child welfare agencies.

New provincial standards for Ontario Children’s Aid Societies (CAS) have undergone significant modernization through the Enhancing Digital Security and Trust Act (EDSTA), 2024 and related amendments to the Freedom of Information and Protection of Privacy Act (FIPPA). These changes, many of which come into full force on July 1, 2026, focus on three key pillars: cybersecurity, data protection for minors, and AI governance.

1. Mandatory Cybersecurity Standards
Under O. Reg. 51/26 (Cyber Security), CAS organizations are now treated as "vital public services" with mandated security practices:
Designated Contact: Each agency must appoint and report a primary and alternate point of contact for cybersecurity to the provincial Chief Information Security Officer (CISO).
Maturity Assessments: Organizations must conduct comprehensive Cyber Security Maturity Assessments (CMAs) every two years and submit summaries to the Ministry.
Incident Reporting: Critical cybersecurity incidents must now be formally reported to the Ministry within 72 hours of confirmation.

2. Enhanced Privacy Protections
New requirements under O. Reg. 52/26 specifically target the digital safety of children and youth:
Privacy Impact Assessments (PIAs): CAS agencies are now legally required to conduct a PIA before collecting personal information or significantly changing how they use existing data.
Safeguarding Duty: There is an express statutory requirement to take "reasonable steps" to protect personal information against theft, loss, and unauthorized use or disclosure.
Breach Notifications: Agencies must notify the Information and Privacy Commissioner (IPC) and affected individuals of any breach that meets the "real risk of significant harm" (RROSH) threshold.

3. Operational & Service Standards
Beyond digital security, societies continue to be governed by the Ontario Child Protection Standards (2016), which set minimum expectations for:
Intake & Investigation: Mandatory timelines and procedures for assessing reports of child harm.
Case Management: Requirements for medical, dental, and vision examinations for children in care.
CPIN Integration: Uniform use of the Child Protection Information Network (CPIN) to ensure consistent data and practice across the province.

Source:
Bill 194 – Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (IPC)
