Jasmine Samra
Counsel
Article
Bill C-26, An Act Respecting Cyber Security, has made ponderous progress through the legislature; having had its first reading in the House of Commons in June 2022, took over two years to reach first reading in the Senate. Along the way, it has been altered to address the newly topically concern of foreign interference in Canadian affairs.
From the start, Bill C-26 has proposed amendments to the Telecommunications Act (with an eye to ensuring the security of Canada's telecommunications infrastructure) and tabled the Critical Cyber Systems Protection Act (the CCSPA, aimed at requiring operators of critical infrastructure in certain key sectors to reach a base level of cyber security preparedness).
The CCSPA in particular faced criticisms from many sides for imposing compliance costs considered high for small operators and unnecessary for larger, more mature organizations, and for a lack of transparency in the manner and fairness in which the law would be enforced.
While the Bill has made its slow journey through the legislative process, new security concerns have emerged following revelations about attempts by foreign governments to interfere with Canadian policy and lawmaking.
The federal government responded by tabling Bill C-70, the Countering Foreign Interference Act. C-70 was rushed through Parliament, having been tabled in early May 2024 and come into force in less than two months. One of the less reported effects of C-70 has been its amendments to the still-in-Senate Bill C-26. Among other things, Bill C-70 introduces the new Secure Administrative Review Proceedings (SARP) regime under the Canada Evidence Act, replacing the current judicial review process under the Telecommunications Act.
This new regime, which will also apply to compliance orders under the CCSPA, introduces special counsel to handle sensitive information during judicial reviews or appeals. These changes address due process concerns raised by critics of Bill C-26.
In sum, this change increases transparency for organizations affected by orders under the CCSPA, and allows for legal challenges to orders while at the same time protecting the sensitive information organizations are required to disclose to government under the CCSPA.
The core goals and requirements implemented by the CCSPA remain unchanged.
In brief, the law aims to strengthen the resilience of Canada's critical infrastructure by ensuring that cyber security risks are effectively identified and managed. This includes addressing risks associated with supply chains and the use of third-party products and services. The CCSPA mandates that critical cyber systems be safeguarded against potential compromises, with mechanisms in place to detect cyber security incidents that could affect or threaten these systems.
Additionally, the CCSPA emphasizes minimizing the impacts of any cyber security incidents. The CCSPA is designed to strengthen cyber security within 'vital services and vital systems' listed in Schedule 1:
Bill C-26 impacts Canadian businesses designated as operators of critical cyber systems. These operators must comply with new obligations, which are detailed below, and will pass on many of these obligations to their supply chains and third-party suppliers.
Cyber security program
Designated operators under the CCSPA are required to establish a cyber security program within 90 days of being designated. In compliance with applicable regulations, this program must include measures to:
Designated operators must submit cyber security programs to their regulator, conduct annual reviews, and notify the regulator of any amendments. They are also required to report material changes, including changes in ownership, control, supply chain, or the use of third-party products and services.
Mitigation of third-party risk
Designated operators must assess and mitigate risks from in its supply chain and third-party products and services. Operators must conduct risk assessments, ensure compliance with cyber security standards through contractual obligations and monitoring third-party practices.
Cyber security incident reporting
Operators must report cyber security incidents to the Communications Security Establishment (CSE) within 72 hours, and notify the appropriate regulator after reporting to the CSE including:
The CCSPA defines a cyber security incident as an incident, including an act, omission or circumstance, that interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity or availability of the critical cyber system.
These reporting obligations are on top of other reporting requirements. For example, the Office of the Privacy Commissioner of Canada requires regulated organizations to notify them as soon as feasible if a breach involving personal information poses a real risk of significant harm. The Office of the Superintendent of Financial Institutions mandates that federally regulated financial institutions report any technology or cyber security incidents within 24 hours or sooner if possible.
Cyber security direction
The CCSPA allows for the issuance of cyber security directions, which mandate operators or groups of operators to implement measures that protect critical cyber systems. These directions may compel designated operators to take specific measures and conditions for the purpose of protecting critical cyber systems.
Additionally, the CCSPA permits information sharing between government agencies, regulators, and law enforcement for purposes related to issuing, amending, or revoking a cyber security direction for a designated operator.
Maintaining records
Designated operators must keep the following records:
Enforcement and penalties
Regulators will oversee compliance, reviewing organizations' cyber security practices and issuing penalties for non-compliance, including administrative monetary penalties of up to C$15 million for operators and C$1 million for directors. Regulators are also empowered to compel information and conduct inspections. Regulators may also order an operator to stop contravening the CCSPA or take any measure necessary to comply with requirements or mitigate the effects of non-compliance.
Breach of certain provisions of the CCSPA is punishable offense. Both individuals and corporations may face fines determined at the court's discretion. Additionally, individuals may be sentenced to up to two years for a summary conviction or up to five years for a conviction on indictment.
Having been slow-walked through Parliament despites its ostensible (and, obviously, actual) importance to national security in an age of increasing threats and vulnerabilities, Bill C-26 may be shelved, at least in its current form, as opposition parties seek to bring down the Trudeau government and to prevent it from achieving any legislative "wins" before an election is called.
It is difficult to overstate how unfortunate this is, given how vulnerable Canada's critical infrastructure remains to cyber attacks from criminals and hostile nations alike. One can only hope the next government, however constituted, makes this law or one like it a legislative priority.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.