Multifactor authentication (MFA): Safeguarding personal data in Canada's evolving privacy landscape

8 minute read
27 October 2023

Safeguarding personal information in the digital age is paramount. Cyber security threats and data breaches are on the rise, with hackers growing more sophisticated every day.

Canada's federal privacy law requires protection for personal information that is "appropriate" considering the sensitivity of the information. Such protection should include each of physical, organizational, and importantly in respect of cyber security threats, technological protection.

Multifactor Authentication (MFA) can thus play a pivotal role in safeguarding personal information.



What is MFA?

MFA adds an extra layer of security beyond just a username and password. It introduces multiple layers of authentication and requires users to provide at least two or more of the following:

  • Something the user knows, such as a password.
  • Something the user has, such as a smartphone or hardware token.
  • Something the user is, such as fingerprint or facial recognition.

MFA helps reduce the risk of phishing, keylogging and credential stuffing by increasing the difficulty unauthorized individuals experience in attempting to gain access to an account or a system. Even if a hacker has managed to obtain one authentication factor – such as a password – they would still need one of the other factors to gain access.

As a result, if properly implemented, MFA may be an important risk-mitigating factor in situations where an organization experiences a security breach that compromises one of the access factors it has implemented.

MFA best practices: Learning from internationally-backed guidelines

Earlier this year, a collaboration between the Canadian Centre for Cyber Security with the Cybersecurity and Infrastructure Security Agency, the US Federal Bureau of Investigation and a number of international cyber security authorities[1] produced guidelines titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and –Default (Guidelines).[2]

The Guidelines advocate for the adoption of security-by-design and security-by-default practices in developing IT products. One of the key secure-by-default strategies highlighted is the mandatory implementation of MFA for all privileged users.

Notably, numerous cloud service providers are now following suit, making MFA a requirement for users with the highest level of privileges, a change set to take effect as early as the end of this year.[3]

Mandating MFA is not a novel concept. The Payment Card Industry Data Security Standard (PCI DSS) already mandates MFA for remote access to a cardholder data environment. Furthermore, many insurance companies recently began mandating the implementation of MFA as a prerequisite to qualify for cyber security coverage.

The impact of Canadian legislation on MFA policies

Organizations implementing MFA may gain further traction as the current privacy landscape in Canada changes. The costs associated with privacy breaches are increasing, with organizations potentially facing hefty fines.

At the provincial level, the adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (Law 25) has significantly transformed personal information protection in Quebec.

Under Law 25, organizations could incur penal offenses, administrative penalties and a private right of action for failing to implement adequate security measures to protect personal information. Law 25 outlines punitive fines of up to $25 million, or, if greater, an amount equivalent to four percent of worldwide turnover for the previous fiscal year, as well as monetary administrative penalties of up to $10 million, or, if greater, two percent of worldwide turnover for the previous fiscal year.

Meanwhile at the federal level, Bill C-27 if adopted, will overhaul federal privacy legislation to introduce substantial fines as well.

Currently under review by the House of Commons Standing Committee on Industry and Technology, Bill C-27, known as the "Digital Charter Implementation Act, 2022," proposes:

  • The repeal of Part I of the current federal private sector privacy law.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA).
  • The enactment of the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA) and the Artificial Intelligence and Data Act (AIDA).

The CPPA grants the Privacy Commissioner of Canada expanded powers and introduces steeper penalties for violations of the law. These penalties include administrative monetary penalties of up to the higher of three percent of gross global revenue or $10 million, as well as fines for certain severe breaches of the law, with a maximum fine of the higher of five percent of gross global revenue or $25 million.

The CCPA and Law 25 treat organizations that exercise due diligence to prevent breaches and make reasonable efforts to mitigate the effects of breaches as having a due diligence defence in respect of imposition of a penalty, or treat such measures as a factor to be considered in imposition of a penalty.

While the standard for establishing a due diligence defence has not been established under either law, implementing best practices to create a robust security program that includes MFA where appropriate can be an important element for organizations aiming to demonstrate due diligence in their defence against privacy breaches.

However, in implementing an MFA approach, organizations must be careful to balance their obligation to provide security with their obligation to securing sensitive personal information appropriately. To do so, organizations must remember these two principles:

  • Data minimization, the practice of collecting and retaining only the necessary amount of personal information needed to provide a service or fulfill a purpose.
  • The prohibition on tied consent, the practice of not requiring individuals to consent to the use of their personal information for unrelated purposes as a condition for accessing a good or service beyond what is necessary to provide that good or service.

The implementation of MFA, and in particular the factors used for it, must thus be considered in context for appropriateness.

For example, the use of highly sensitive personal information for authentication, such as fingerprints or facial recognition, may raise further privacy considerations based on context, or implicate further legal regimes, such as the requirement to register biometric databases in some jurisdictions.

To learn more about implementing MFA policies and how they might impact your privacy policies, please contact either the authors or a member of our Cyber Security & Data Protection Law team.


[1] The National Security Agency, Australian Cyber Security Centre, New Zealand: Computer Emergency Response Team New Zealand, New Zealand National Cyber Security Centre, United Kingdom's National Cyber Security Centre, Germany's Federal Office for Information Security, and Netherlands National Cyber.


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.