Privacy Commissioner Report on eHealth Saskatchewan Cyberattack

January 2021 Charity & NFP Law Update

On January 5, 2021, the Office of the Saskatchewan Information and Privacy Commissioner (the “Commissioner”) released its Investigation Report on the ransomware attack affecting eHealth Saskatchewan (“eHealth”), the Saskatchewan Health Authority (“SHA”) and the Ministry of Health (“Health”) in late 2019 and early 2020.

The ransomware attack occurred when, on December 20, 2019, an SHA employee opened a corrupt Microsoft Word document from their personal email account on their personal device, which was at the time charging via USB connection on their SHA workstation. The corrupt Microsoft Word document triggered the execution of “Ryuk” ransomware on the workstation, which subsequently infiltrated and encrypted a number of files on the shared network infrastructure of eHealth, the SHA and Health on January 5, 2020.

Although the Commissioner was not able to conclude exactly how many files were potentially affected, it was determined that approximately 50 million files were exposed to the ransomware, of which a minimum of 547,145 potentially contained personal information and/or personal health information. The investigation found that the employee had received privacy training but had not received training on the SHA’s Acceptable Use of Information Technology (IT) Assets policy.

In its report, the Commissioner found, among other things, that there was a privacy breach affecting personal information and personal health information of individuals, as defined in Saskatchewan’s The Freedom of Information and Protection of Privacy Act and The Health Information Protection Act, respectively, and that eHealth failed to fully investigate two early threat occurrences which may have prevented the subsequent attack and extraction of data. The Commissioner also found that the SHA had not provided the employee who caused the breach with training on its Acceptable Use of IT Assets policy, that eHealth, the SHA and Health failed to contain the breach and that eHealth, the SHA and Health failed in their breach notification obligations. Further, the Commissioner found that the SHA and Health failed in their duty to protect personal information and personal health information by not having all the necessary checks and balances in place to ensure that eHealth was not handling their IT service delivery in a deficient manner.

The Commissioner made a number of recommendations in its report, including that:

  • eHealth utilize key network security logs and scans to effectively monitor the eHealth IT network and detect malicious activity.
  • eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected.
  • eHealth continue dark web monitoring for a minimum of five years from the date of this Report.
  • The SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts.
  • eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests it.
  • eHealth review and reconsider the 70% cyber security training pass mark for its employees and its partners’ employees and increase the pass mark to a minimum of 90%.
  • eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats.
  • The Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by Saskatchewan Telecommunications, the Provincial Auditor and this Report.

The Commissioner’s report is particularly relevant in the context of the National Cyber Threat Assessment 2020 (the “Assessment”) recently released by the Canadian Centre for Cyber Security which warns that “as more information is shared and stored online, the threat to individual privacy increases.” In this regard, the Assessment further states that “cybercrime remains the most common threat faced by Canadian organizations of all sizes” and that “cyber threat actors have expanded the use of [Business Email Compromise] beyond traditional business victims to target religious, educational, and not-for-profit organizations.”

Although the ransomware attack on eHealth and SHA involved a personal email account on a personal device which was connected to a network computer via USB, as opposed to a business email account, the Commissioner’s report is an important reminder for charities and not-for-profits of the importance of having appropriate policies and implementing appropriate training and protocols to ensure employees know what to do in order to protect the personal information under the control of the organization.


Read the January 2021 Charity & NFP Law Update

Ontario Occupiers’ Liability Act Amendments Receive Royal Assent


Ontario Bill 118, Occupiers’ Liability Amendment Act, 2020 (“Bill 118”), received Royal Assent on December 8, 2020. Once Bill 118 has been proclaimed into force, it will amend the Occupiers’ Liability Act (the “Act”) to provide certain protections to “occupiers” of a premises, including charities and not-for-profits. Broadly speaking, the amendments prohibit plaintiffs from bringing an action against occupiers of a premises, and independent contractors employed by an occupier for snow or ice removal from the premises, for personal injury damages related to snow or ice injuries suffered by the plaintiff, unless they first serve written notice of the claim within 60 days of the injury. Occupiers are defined in the Act as including “(a) a person who is in physical possession of premises, or (b) a person who has responsibility for and control over the condition of premises or the activities there carried on, or control over persons allowed to enter the premises, despite the fact that there is more than one occupier of the same premises.”

In addition to the 60-day timeframe for service, Bill 118 requires that written notice must set out the date, time and location of the injury. Where an occupier receives service of such a notice, Bill 118 requires them to subsequently serve a copy of that notice to all other occupiers and their independent contractors, as the case may be. Similarly, where an independent contractor receives service of such notice, they must serve a copy of that notice to the occupier that employed them.

Bill 118 also provides that, where the injury has resulted in death, failure to give notice will not prevent an action against an occupier or their independent contractor. Further, failure to give notice or sufficient notice will not prevent an action if a judge finds that there is “reasonable excuse for the want or the insufficiency of the notice and that the defendant is not prejudiced in its defence.”

As the range of individuals and entities that can fall within the scope of the definition of “occupiers” under the proposed legislation is broad and includes, for example, property owners, tenants, and licensees, this new protection will be afforded to charities and not-for-profits that are in physical possession of premises, as well as to any independent contractors they hire to remove snow or ice from the premises. Once proclaimed into force, this new 60-day notice period will likely serve to reduce snow and ice ‘slip and fall’ claims against occupiers. However, it is important to note that the Limitations Act, 2002 (as amended), which generally provides a two-year limitation period, remains in force, and an analysis will be necessary depending on the facts of each case to determine whether a potential lack of notice under the Occupiers’ Liability Act will serve as an absolute defence. Even if an individual serves the requisite notice under the Act, they will still need to commence an action in accordance with the Limitations Act, 2002 (as amended) to preserve and pursue their right to commence an action for damages.



Long-Serving Radio Broadcaster Paid 21 Months in Lieu of Notice


Supporting evidence is essential for any employer arguing that an employee could have mitigated their damages by finding comparable employment after termination. The Ontario Superior Court in Rothenberg v Rogers Media Inc. awarded a long-time radio broadcaster 21 months’ compensation in lieu of reasonable notice after he was terminated by his employer and could not find another job in his field. Although the COVID-19 pandemic began during the plaintiff’s reasonable notice period, the court did not hold that to be an exceptional circumstance; however, the decision does not entirely settle the issue of how the pandemic may affect reasonable notice. This Bulletin summarizes the facts of the case and highlights the court’s analysis of the issues.

For the balance of this Bulletin, please see Charity & NFP Law Bulletin No. 485.



Divisional Court Upholds Order for Election of Common Board by De Facto Members


An Ontario Divisional Court ruling dismissed an appeal of a decision recognizing that the members of one not-for-profit were de facto members of another charity. On January 6, 2021, the Divisional Court in Bose v Bangiya Parishad Toronto (the “Appeal”) dismissed the appeal of an August 26, 2019 Superior Court decision on two applications that awarded costs (the “Applications”). The Applications, discussed in the October 2019 Charity & NFP Law Update, concerned a dispute that arose in 2016 between the Prabasi Bengal Cultural Association, which organized cultural events for members of the Bengali community (“Cultural Organization”), and the Bangiya Parishad Toronto (“Religious Corporation”), which are both not-for-profit corporations incorporated under the Corporations Act (Ontario).

For several decades, the two organizations had a common board of directors and issued consolidated financial statements. The Religious Corporation owned the community centre — the Tagore Centre — from which both organizations have carried out their programs over the years. The Cultural Organization was properly organized under its incorporating statute and held membership elections. In contrast, the Religious Corporation was never properly organized from a corporate law perspective. The board of directors of the Cultural Organization functioned as the board of directors for both corporations, and members of the Cultural Organization were always treated as members of the Religious Corporation, even though the by-laws of the Cultural Organization did not mention the Religious Corporation.

When the dispute arose, a minority of the Religious Corporation’s board took action to nullify the election of that board and purported to form a new board of directors for the Religious Corporation (the “New Board”). The New Board then began to govern the Religious Corporation independently of the Cultural Organization and took steps to change the locks of the Tagore Centre so the Cultural Organization members could no longer access it. The Applications were brought by the Cultural Organization: (1) to regain access to the Tagore Centre (“Lease Application”); and (2) to resolve the issue of who the lawful directors of the Religious Corporation are (“Governance Application”). The Applications judge ordered: (1) that the Religious Corporation must deliver the keys for the Tagore Centre to the Cultural Organization; and (2) that an election be held for a new common board of directors within 30 days where the paid-up members of the Cultural Organization would be entitled to vote. The Applications judge also awarded costs of $20,000 in favour of the applicants in the Lease Application and $35,000 in favour of the applicants in the Governance Application.

The Religious Corporation appealed the orders and also argued that the costs were excessive. The Divisional Court noted that it was not possible to call a meeting of the members of the Religious Corporation, because the Religious Corporation had not taken the formal steps necessary to enact its own by-laws or admit its own members. However, the Divisional Court recognized that this does not mean that the Religious Corporation did not have members, as the Religious Corporation had treated the members of the Cultural Organization as its members for decades, and the members of the Cultural Organization had regarded themselves as members of the Religious Corporation. In this regard, the Divisional Court recognized that the Religious Corporation’s members were the paid-up members of the Cultural Organization and that s. 297 of the Corporations Act (Ontario) gave the Applications judge the authority to have those members hold a meeting to determine whom they wished to run their organizations, as the most practical and democratic option.

As mentioned earlier in this summary, the Divisional Court upheld the findings in the Applications. This decision illustrates what can happen when factions within a not-for-profit corporation attempt to take over control of the board of directors in a manner that is prejudicial to the rights of its members. This case also affirms the importance of complying with basic corporate law requirements (including adoption of an appropriate by-law and complying with by-law provisions).



Corporate Update


Consultation on Permanent Amendments to Corporate Legislation in Ontario

The government of Ontario is conducting a consultation to seek feedback on potential permanent changes to corporate legislation, including the Ontario Corporations Act (“OCA”), Not-for-Profit Corporations Act, 2010 (“ONCA”), and Co-operative Corporations Act (“CCA”) to enable digital and virtual processes in the province.

The COVID-19 Response and Reforms to Modernize Ontario Act, 2020, which received Royal Assent on May 12, 2020, temporarily amended the OCA and CCA to permit virtual meetings and defer AGMs in some circumstances in response to the COVID-19 pandemic as a result of the first emergency declaration on March 17, 2020. While the timeframe for AGMs was not extended after the ending of the first emergency declaration on July 24, 2020, the temporary amendments permitting electronic meetings were extended until May 31, 2021, as discussed in the October 2020 Charity & NFP Law Update.

The government is now seeking input from the public and stakeholders on making these changes permanent, or providing further temporary changes in relation to virtual processes. In this regard, the Ministry of Government and Consumer Services has produced sector-specific feedback forms to canvass the sector on potential permanent amendments to the OCA, ONCA and CCA regarding (1) virtual meetings, (2) electronic delivery of notices and documents, and (3) storage/examination of records through electronic means. For those interested, feedback must be provided by February 8, 2021.

Amendments to Ontario Co-operative Corporations Act

Ontario’s Bill 213, Better for People, Smarter for Business Act, 2020 received Royal Assent on December 8, 2020, introducing changes to various provincial corporate and business-related statutes. Among the changes, Bill 213 amends the Co-operative Corporations Act to include new section 168.1, regarding the availability of a co-operative’s property to satisfy judgments.

Section 168.1 provides that where a co-operative’s property becomes forfeited corporate property, as defined under the Forfeited Corporate Property Act, 2015, as a result of a dissolution, that property will not be available to satisfy a judgment, order, or decision against the co-operative, and cannot be sold in power of sale proceedings. Substantively the same provisions were previously included in section 39 of the Forfeited Corporate Property Act, 2015, and have been repealed from that Act.

Similar provisions regarding the availability of property to which the Escheats Act, 2015 applies have also been included in section 168.1.

