Report Cybersecurity Breach - Abbotsford Bylaw

Abbotsford, British Columbia residents and organisations should act quickly after any cybersecurity incident that affects personal or municipal data. This guide explains who to notify, what to preserve, and how incidents involving the City, local businesses, or individuals are handled under provincial and municipal processes. Follow the steps below to contain harm, preserve evidence for investigations, and notify the right authorities.

What to report

Report incidents that involve unauthorised access, data exfiltration, ransomware, theft of devices containing personal information, or suspected compromise of City systems or accounts. Include scope, data types affected, known timelines, and any extortion demands.

• Incident summary: date/time, systems affected, and initial impact.
• Data types: personal information, financial records, health or staff records.
• Evidence: logs, screenshots, ransom notes, and chain-of-custody notes.

Who to notify

If the incident is criminal (theft, extortion, network intrusion), contact the Abbotsford Police Department for investigation and evidence collection. Report online or contact non-emergency police^[3]

If the incident involves City-held personal information or a municipal system, notify the City of Abbotsford's Access to Information/Privacy contact and follow the City reporting procedures listed on the municipal website.

For privacy breaches affecting public bodies in British Columbia, the Office of the Information and Privacy Commissioner for BC (OIPC) provides guidance on reporting and mitigation. See OIPC breach guidance for public bodies and steps to notify affected individuals and the Commissioner. OIPC guidance^[1]

Penalties & Enforcement

Municipal cybersecurity incidents are addressed through a mix of criminal investigation, administrative oversight under provincial privacy law, and municipal policies.

• Monetary fines: not specified on the cited page for municipal breaches; consult the controlling statute and OIPC guidance for enforcement approaches.^[2]
• Escalation: criminal offences are pursued by police; privacy breaches by public bodies are reviewed by the OIPC and may lead to orders or corrective directions.^[1]
• Non-monetary sanctions: ordering remedial steps, reports to affected individuals, records retention or destruction orders, and court actions are available remedies; specific penalties or amounts are not listed on the cited municipal pages.^[2]
• Enforcer and complaint pathway: Abbotsford Police for criminal matters; OIPC for privacy complaints under the Freedom of Information and Protection of Privacy Act (FOIPPA).^[3][1]
• Appeals and review: OIPC decisions and orders include appeal or judicial review pathways; time limits for filing complaints or requests are not specified on the cited municipal pages and should be confirmed with the OIPC or legal counsel.^[1][2]

Applications & Forms

The City may publish an Access to Information or Privacy contact form for municipal incidents; specific form names or numbers are not specified on the cited municipal pages. For privacy complaints or requests for review, the OIPC accepts complaints and guidance is available on their site.^[1]

Immediate action steps

• Contain: disconnect affected devices from networks if safe to do so.
• Preserve evidence: retain logs, images, and any extortion communications.
• Notify police if criminal activity is suspected; use Abbotsford Police non-emergency reporting options. Contact Abbotsford Police^[3]
• Notify the City privacy contact if City systems or records are involved.
• Notify affected individuals promptly where required by law and follow OIPC guidance when public bodies are involved.^[1]

FAQ

Who investigates a cyber incident that affects city systems?

The Abbotsford Police Department investigates criminal activity; the City and the OIPC handle privacy and administrative reviews.

Must affected individuals be notified?

Notification requirements depend on the scope and governing privacy law; OIPC guidance explains obligations for public bodies in BC.^[1]

Are there set municipal fines for cybersecurity breaches?

Specific monetary fines for municipal cyber incidents are not specified on the cited municipal pages; enforcement tends to be corrective orders or criminal prosecution where appropriate.^[2]

How-To

1. Identify affected systems and data, and log the time and scope of the incident.
2. Isolate impacted devices and preserve system logs and images without altering originals.
3. Contact Abbotsford Police for criminal matters and the City privacy contact for municipal data concerns.^[3][1]
4. Follow OIPC guidance for notification of affected individuals and remedial steps if a public body is involved.^[1]
5. Keep records of all actions, communications, and reports for investigations and any legal reviews.

Key Takeaways

• Act quickly to contain and preserve evidence.
• Report criminal conduct to Abbotsford Police and privacy concerns to the City and OIPC.
• Record all steps taken and communications for investigations and potential reviews.

Help and Support / Resources

• City of Abbotsford - Access to Information & Privacy
• Abbotsford Police Department
• Get Cyber Safe - Government of Canada

1. [1] Office of the Information and Privacy Commissioner for British Columbia - guidance on privacy breaches
2. [2] Freedom of Information and Protection of Privacy Act (FOIPPA) - BC Laws
3. [3] Abbotsford Police Department - Reporting and non-emergency contact