Brent J. Arnold
Partner
Article
This year has seen a number of interesting developments in Canadian cyber security. While the first wave of data breach cases slowly works its way through the court system, guidance for Canadian businesses has come from many other sources, including the federal government and regulators. These offer the clearest views to date on what regulators consider the minimum standards businesses should be meeting, and consequently may be helping to define a standard of care. This article summarizes some of this guidance, which businesses and the lawyers advising them should be mindful of when assessing their risk exposure from cyber security issues.
In May 2019, the Minister of Innovation, Science and Economic Development (ISED) announced the arrival of Canada's Digital Charter. More manifesto than law, the Digital Charter sets out principles intended to establish a "foundation for modernizing the rules that govern the digital sphere in Canada and rebuilding Canadians' trust in these institutions." [1] Among the principles most germane to Canadian business are the following:[2]
These principles have obvious privacy law implications and, indeed, the government announced its intention to examine and update existing privacy laws and to strengthen the enforcement powers of the Office of the Privacy Commissioner (OPC).
Also in 2019, the OPC reopened (and then, temporarily, closed) a long-settled debate about consent and data transfers between organizations under the Personal Information Protection and Electronic Documents Act (PIPEDA). Until April of this year, it was understood (and, indeed, it was the OPC's publicly stated position) that companies transferring data to other companies for the purpose of processing could do so without the prior consent of the individuals whose personally identifiable information (PII) was being transferred. In releasing its findings with respect to the Equifax breach, the OPC announced its new view that "organizations must obtain express consent where individuals would not reasonably expect the transfer," while acknowledging that this new interpretation was "a departure from [the OPC's] previous position which has led to a re-examination of its guidance on cross-border data flows for businesses."[3]
The OPC initially announced a public consultation on its position on consent,[4] which was subsequently disrupted by the announcement of the Digital Charter, causing the OPC to broaden the consultation process to consider stakeholder views "both on how the current law should be interpreted and applied in these contexts, and on how a future law, which may follow the publication by the federal government of its Digital Charter on May 21, should provide effective privacy protection in the context of transfers for processing."[5]
Businesses and privacy practitioners expressed concerns about the workability of a requirement of express consent. In the end, the OPC announced that its decade-old guidelines for cross-border processing of personal data[6]—which had enshrined the notion that prior consent was not required—would "remain unchanged under the current law" while OPC instead focuses on reforming PIPEDA.[7] It remains to be seen whether the OPC will recommend that a revised PIPEDA establish a prior consent requirement.
In March 2019, the Canadian Centre for Cyber Security (CCCS) released its guidelines for Baseline Cyber Security Controls for Small and Medium Organizations.[8] The guidelines arise from the CCCS' 2018 National Cyber Threat Assessment,[9] which is itself part of a larger government focus on ensuring Canada is prepared for the surge in cybersecurity issues.
The CCCS, launched in 2018, is part of the federal Communications Security Establishment. It is mandated with emergency response assistance for, among other things, cyber incidents. It also acts as a liaison with the private sector, and serves an educational function for the public at large.
The guidelines take a pragmatic approach, attempting to reconcile the fact that cyber incidents are all but inevitable with the reality that robust security programs can be very resource-heavy, particularly for small and medium-sized entities.[10] While not a complete answer to an organization's responsibilities, they offer a robust starting point and a set of best practices that can sharply reduce both the likelihood of a cyber incident and the damage it causes.
The guidelines begin with a brief rubric for determining whether the guidelines are appropriate for the circumstances of the organization. This includes consideration of:
Following the internal assessment, the CCCS recommends an organization:
Many of the recommended steps may seem to be simple common sense, but the guidelines are a notable attempt to incorporate disparate elements involving IT, HR, and management into a cohesive strategy that covers both the obvious and the less obvious areas of vulnerability an organization may have.
Canada's approach to both cyber security and privacy tends to be principles-based rather than prescriptive. Consequently, it tends to be short on technology-specific guidance. Health Canada bucked this trend in June by releasing a guidance document to assist medical device manufacturers in making their products more cyber secure.[11] The document cites the National Institute of Standards and Technology (NIST) "Framework for Improving Critical Infrastructure Cybersecurity" and establishes a number of design principles for medical devices, including "secure communications," "data integrity and confidentiality," and "user access"; it also sets out licence application requirements that allow Health Canada to assess whether devices are sufficiently secure. While guidance documents do not have the force of law, they may provide a yardstick against which to measure whether the manufacturer of a compromised device met its standard of care.
The Office of the Superintendent of Financial Institutions (OSFI) has been among the more proactive Canadian regulators in providing cyber security guidance to its constituents. In January, OSFI released an advisory[12] (which came into force March 31, 2019). The Advisory establishes a mandatory reporting requirement (to OSFI, not to the OPC) for federally regulated financial institutions (FRFIs), requiring them to report technology or cyber security incidents (defined to include incidents that "have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information") to their Lead Supervisors where the institution deems such incidents to "be of a high or critical severity level."[13] The advisory sets out characteristics and examples of reportable incidents to assist institutions in determining whether an incident must be reported. Notably, the advisory requires incidents to be reported as quickly as possible, but no later than 72 hours after an incident is determined to be reportable. This is a more prescriptive, and arguably shorter, deadline than those imposed under federal and provincial privacy statutes, which generally require notification "as soon as feasible" (PIPEDA) or without unreasonable delay rather than within a fixed number of hours. Institutions subject to both regimes should note that an OSFI report does not discharge any separate breach-reporting obligation to the OPC or a provincial commissioner.
Canadian businesses are finishing 2019 with a better understanding of what the government and regulators expect of them with respect to their cyber security posture. This will assist proactive businesses in addressing their exposure to cyber security risks, and may also assist in articulating the standard of care if and when a breach leads to litigation. It will be interesting to watch this trend develop further in 2020, and how businesses respond.
[3] OPC, "Privacy Commissioner finds Equifax safeguards 'unacceptable' and will monitor company for six years following major data breach" (April 9, 2019).
[4] OPC, "Consultation on transborder dataflows" (April 9, 2019).
[6] OPC, "Guidelines for processing personal data across borders" (January 2009).
[7] OPC, "Commissioner concludes consultation on transfers for processing" (September 23, 2019).
[10] Defined as having fewer than 500 employees.
[11] Health Canada, Guidance Document: Pre-market Requirements for Medical Device Cybersecurity (June 17, 2019).
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.