Brand New Cyber Security Laws – Secret orders & hefty fines
Updated: Jun 22, 2022
Canada’s federal government is turning its focus to cyber security and privacy this June. On June 14, 2022, the Minister of Public Safety announced Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. Bill C-26 is aimed at protecting against cyber incidents across the financial, telecommunications, energy, and transportation sectors.
An Act Respecting Cyber Security (ARCS)
If passed, ARCS would amend the Telecommunications Act to include the promotion of security in the Canadian telecommunications system as a policy objective. The amendments would give the government the authority to make any necessary orders for the security of Canada’s telecommunication system.
The order-making power enables the government to take many actions to prevent interference, manipulation or disruption of telecommunication systems, including barring or suspending Canadian companies from:
using products or services from a certain provider, or
providing services to a specified person
The order-making powers are broad: “the Minister may, by order, direct a telecommunications service provider to do anything or refrain from doing anything,” other than a thing already included in a previous order.
Once an order is made, no one is entitled to any financial compensation for losses stemming from an order; accordingly, companies would be wise to ramp up due diligence to ensure they are not engaging with anyone who may be the target of an order.
While drafts of these orders may be pre-published in the Canada Gazette, and generally must be published there, an order “may also include a provision prohibiting the disclosure of its existence, or some or all of its contents, by any person.”
Violating a provision of an order makes an individual and an organization liable for an administrative monetary penalty of up to $25,000 and $10,000,000 respectively for a first contravention, and up to $50,000 and $15,000,000 for subsequent contraventions.
Critical Cyber Systems Protection Act (CCSPA)
This proposed legislation is intended to help secure Canada’s critical cyber systems in the federally regulated private sector, which includes the financial, telecommunications, energy, and transportation sectors. A key component of this bill is the requirement, in CCSPA’s section 9(1), for designated operators of critical cyber systems to establish a cyber security program, which includes:
identifying and managing organizational cyber security risks, including those related to supply-chain and third-party products or services;
implementing steps to protect critical cyber systems from being compromised;
detecting security incidents which affect or may affect critical cyber systems;
implementing mechanisms to minimize the impact of cyber security incidents affecting critical cyber systems; and
doing anything that is prescribed by regulation.
This legislation drives home the need for organizational preparedness, specifically in critical sectors.
Reporting – cyber security incidents related to an operator’s critical cyber systems would need to be reported to the Communications Security Establishment to enable the performance of its duties
Notification – immediately after reporting to the Communications Security Establishment, the appropriate regulator would need to be notified
Record keeping – several new requirements related to record keeping would be established, including information related to the establishment of the cyber security program, documenting cyber security incidents, mitigation activities, and implementing cyber security directions
Violations – a designated operator or other person who fails to comply with the CCSPA or its regulations commits a violation, and may be subject to a penalty which could be up to $1,000,000 or $15,000,000 for individuals or any other person, respectively
The Ministers of National Defence, Public Safety and Innovation, Science and Industry each lauded the proposed legislation for bolstering national security, protecting critical infrastructure and overall safeguarding Canada’s security, including data security. Cybersecurity is a critical investment for organizations processing confidential and personal information. INQ can help with cyber readiness, tabletop exercises and incident response. Contact me to find out more.