As more of our lives are conducted online, the potential for cyber security breaches increases each year. The quick adoption of new technologies, including 5G networks, has exposed Canadian infrastructure to cyber security threats and has the potential to compromise national security. In response, the Government of Canada has proposed Bill C-26 to secure Canada’s critical cyber security systems and enact a comprehensive regulatory framework to protect these systems. If passed, the legislation will create stringent cyber security program and reporting requirements for Canadian businesses and individuals.
Canadian Cybersecurity Legislative Framework
Canadian cyber security legislation can be traced back to the late 1990s, when the government first began recognizing the growing threat of cyber attacks. In 2000, the government established the Canadian Cyber Incident Response Centre to monitor and respond to cyber incidents. In 2002, the government introduced the Personal Information Protection and Electronic Documents Act, which established guidelines for collecting, using, and disclosing personal information in the digital environment. Since then, Canadian cyber security legislation has evolved to address the growing threat of cyber attacks, focusing on protecting personal data and critical infrastructure and promoting cyber security best practices.
Most recently, in 2019, the government introduced the Communications Security Establishment Act, which aims to enhance the resilience of Canada’s critical infrastructure against cyber attacks by establishing the Communications Security Establishment (“CSE”). The CSE advises and supports critical infrastructure owners and operators on cybersecurity best practices. With rising geopolitical tensions and more frequent state-sponsored cyber attacks targeting critical infrastructure, the CSE and the Cyber Security & Infrastructure Security Agency have identified the need for more stringent cybersecurity policies for critical systems.
Bill C-26: Enacting Stringent New Cybersecurity Regulations
On June 14, 2022, the Honourable Marco Mendicino, Minister of Public Safety, introduced Bill C-26, which proposes new cyber security requirements for telecommunications suppliers and other critical infrastructure operators to protect services pertinent to Canada’s security and public safety. The Act is currently in its second reading at the House of Commons and was most recently debated at the December 1, 2022 sitting.
The objective of Bill C-26 is two-fold:
- To amend the Telecommunications Act to secure Canada’s telecommunications systems, specifically by enforcing the ban on Huawei Technologies and ZTE from constructing or offering services on Canada’s 5G infrastructure and removing related 4G equipment by 2027.
- To enact the Critical Cyber Systems Protection Act (the “Act”), which mandates comprehensive regulatory frameworks for businesses to protect Canada’s critical infrastructure and foster information sharing with government entities.
Requirements of the Critical Cyber Systems Protection Act
The Act’s regulatory scheme will apply to “designated operators,” defined by the Act as “persons, partnerships or unincorporated organizations that operate a work or carry on an undertaking or business in respect of a vital service or vital system.” These services or systems include telecommunications services, energy creation and distribution operators, transportation systems, and banking services. If an entity is determined to be a designated operator, it will be assigned to the appropriate regulator, e.g. the Canadian Energy Regulator, the Canadian Nuclear Safety Commission, the Superintendent of Financial Institutions, etc.
Designated operators would then be required to implement the measures outlined below.
Establish a Cyber Security Program
An entity classified as a designated operator must establish a cyber security program within 90 days. The Act sets out several factors the program must account for, and the program must meet the following criteria:
- Identify and manage any organizational cyber security risks, including risks associated with the designated operator’s supply chain and its use of third-party products;
- Protect its critical cyber systems from being compromised;
- Detect any cyber security incidents affecting, or having the potential to affect, its critical cyber systems;
- Minimize the impact of cyber security incidents affecting critical cyber systems; and
- Do anything that is prescribed by the regulations.
Once a cyber security program identifies a cyber security risk, the designated operator must “take reasonable steps, including any steps prescribed by the regulations, to mitigate those risks.” The Act also includes the requirement to review the program regularly and notify the appropriate regulators of program changes, ownership/control changes, and use of third-party services.
Reporting of Cyber Security Incidents
The Act requires designated operators to immediately report “cyber security incidents” to the Communications Security Establishment. The Act defines a cyber security incident as an “act, omission, or circumstance that interferes or may interfere with a) the continuity or security of the vital service or system, or b) the confidentiality, integrity, and availability of the critical cyber system.” The designated operator must also notify the appropriate regulator of the incident and provide the report to the regulator if requested. The CSE will investigate the incident and provide mitigation advice, which the designated operator must follow.
Maintenance of Cyber Security Records
Designated operators will be required to keep records with respect to the following:
- Any steps taken to implement the designated operator’s cyber security program;
- Every cyber security incident that the designated operator reported per the requirements identified above;
- Any steps taken by the designated operator to mitigate any supply-chain or third-party risks;
- Any measures taken by the designated operator to implement a cyber security direction; and
- Any matter prescribed by the regulations.
These records must be kept in Canada “at any place prescribed by the regulations – or, if no place is prescribed, at the designated operator’s place of business.” Designated operators will also be required to keep records in the manner and for the period determined by the appropriate regulator unless another form or period is prescribed by regulation.
Administrative Monetary Penalties
If a designated operator violates any of the above provisions, the Act allows regulators to impose administrative monetary penalties of no more than $1 million in the case of an individual and up to $15 million in any other case. The Act also allows regulators to initiate regulatory proceedings leading to fines and possible imprisonment for non-compliance with the above provisions.
Contact Milosevic & Associates in Toronto for Trusted Advice on Cyber Security Regulations
At Milosevic & Associates, our regulatory lawyers have extensive experience assisting clients in navigating new cybersecurity legislation and regulations. Our lawyers draw on their broad expertise to ensure that our clients’ business needs are met and creative solutions are considered. We aim to mitigate legal and financial risks so clients can focus on running their businesses smoothly.
Located in Toronto, our firm assists clients throughout the Greater Toronto Area and across Ontario on a variety of matters, including complex corporate commercial litigation, commercial real estate litigation, civil fraud, investment loss, and more. Call us at 416-916-1387 or contact us online for a consultation.