Brent J. Arnold
Partner
June 14, 2022 marked a watershed moment in Canadian data protection history: the first reading of a federal cyber security law of general application aimed at protecting critical infrastructure. Until now, Canada has had an adequate (if not exemplary) privacy law regime, but little in the way of legislation of general application addressing cyber security outside of the privacy law regime. Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, takes two important steps beyond the requirements of existing privacy laws:
Schedule 1 to the Critical Cyber Systems Protection Act (CCSPA), enacted by Bill C-26, designates several services and systems as vital, namely:
The CCSPA features robust enforcement mechanisms, including:
The exact amount of any penalty imposed is to be determined in accordance with the CCSPA and regulations, suggesting further guidance as to the size of the penalty in a given circumstance is forthcoming.
The CCSPA also establishes summary and indictable criminal offences for violations of provisions of the CCSPA. (For example, failure to respond to requests for information is a summary offence, while failure to establish, implement and maintain a cyber security program may be an indictable offence.) The CCSPA confers such powers on existing regulators of the systems and services listed as "vital" in Schedule 1, i.e.:
Officers and directors of the operators of vital systems and services will be relieved to learn that the CCSPA provides an exemption from liability for the good faith performance of their duties under the CCSPA, and that a defence of due diligence is available for violations of the CCSPA.
The CCSPA does not appear to impose obligations directly on vendors or suppliers servicing vital services and systems. However, it does seek to address "risks associated with supply chains and the use of third-party products and services" by holding the operators of vital services and systems responsible for supplier and vendor vulnerabilities; to that end, it requires operators to:
While not made explicit by the statute, it seems reasonable to expect that management of supplier and vendor-associated risks will include imposing contractual obligations on suppliers and vendors in respect of cyber security preparedness, and the granting of audit rights to operators to ensure compliance. Such steps are common tools in privacy statutes. If passed in a form substantially similar to the proposed bill, Bill C-26 will take Canada a step further into the sphere of countries taking serious legislative measures to protect critical infrastructure from cyber attacks.[1]
More may be on the way in Canada with respect to legislative measures to address cyber security. The federal government also expressed the wish, in its press release accompanying the introduction of Bill C-26, that, if passed, Bill C-26 "could also serve as a model for provinces, territories, and municipalities to help secure their critical infrastructure in collaboration with the federal government."[2]
[1] We note, for context from a provincial standpoint, that the province of Québec passed legislation on January 1, 2022 establishing the Ministère de la Cybersécurité et du Numérique.