Canada: Bill C-26: New Cyber Security Obligations For Canadian Businesses Vital To National Security And Public Safety

The COVID-19 pandemic has highlighted the extent to which the Canadian economy is reliant on digital connectivity. With a recent increase in remote-work options being offered in the Canadian business sector, cyber attackers have been developing highly sophisticated techniques to exploit Canadian digital infrastructure. In 2019, nearly 21% of the Canadian businesses reported being impacted by cyber security incidents, the occurrence of which is projected to continue to increase in Canada over the next several years.¹ Cyber attackers often attempt to extract money, demand ransom payments or steal personal and confidential information from Canadian organizations.² Providers of essential services and critical infrastructure are particularly at risk.³

Introduction of Bill C-26

On June 14, 2022, the Honourable Marco Mendicino introduced into Parliament Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts in an effort to combat emerging threats related to cyber security. Bill C-26 amends the existing Telecommunications Act and enacts a regulatory framework for cybersecurity under the new Critical Cyber Systems Protection Act ("CCSPA"). The CCSPA has significant implications for some Canadian businesses.

Designated Operators

The CCSPA will apply to business operators of federally regulated systems and services that are designated under the CCSPA as being "vital to national security or public safety" ("Designated Operators"). Designated Operators include providers of:

• telecommunications services;
• interprovincial or international pipeline and power line systems;
• nuclear energy systems;
• transportation systems that are within the legislative authority of Parliament;
• banking systems; and
• clearing and settlement systems.

New Obligations

If passed, the CCPSA will empower the Governor in Council to direct a Designated Operator to protect a critical cyber system. It also grants certain regulatory bodies the authority to enter private property if they have reasonable grounds to believe that any activity regulated by the CCSPA is being conducted at that location, and issue internal audit and compliance orders. The CCSPA will also impose the following new obligations on Designated Operators:

Cyber Security Program

Under the CCSPA, Designated Operators will be obligated to establish and maintain a "Cyber Security Program" within 90 days and make it available to their industry regulator. This entails identifying and managing cyber security risks and taking action to prevent cyber systems from being compromised. Designated Operators will be required to conduct periodic reviews of their cyber systems to ensure system integrity.

Mitigating Supply-Chain and Cyber Security Risks

Designated Operators will be required to identify and manage any cyber risks associated with their supply chain and use of third-party products and services. Businesses that provide outsourced services to Designated Operators under the CCSPA should be aware that their cyber security systems and practices are likely to become more closely scrutinized for potential vulnerabilities that could be exploited by cyber attackers.

Mandatory Reporting Requirements

The CCSPA creates an obligation for Designated Operators to immediately report any "cyber security incident" to the Communications Security Establishment and the appropriate regulator. A cyber security incident is defined as any circumstance which interferes or may interfere with the continuity or security of a vital service or vital system, or the confidentiality, integrity or availability of a critical cyber system. Unlike existing privacy legislation, a cyber security incident does not have to involve unauthorized access to or disclosure of personal information.

Disclosure and Use of Information

The obligations set out in CCSPA also apply to individuals. Subject to certain exceptions set out in the CCSPA, a person must not knowingly disclose or allow access to confidential information that:

• concerns a vulnerability of any Designated Operator's critical cyber system or the methods used to protect that system;
• if disclosed could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a Designated Operator; or
• if disclosed could reasonably be expected to interfere with contractual or other negotiations of a Designated Operator.

Record Keeping Requirements

Designated Operators will face enhanced record keeping requirements with regard to their cyber systems under the CCSPA. Designated Operators will be obligated to keep records of:

• any steps taken to implement a cyber security program;
• every cyber security incident;
• any steps taken to mitigate risks associated with their supply-chain or third-party products and services; and
• any measures taken to implement a cyber security direction given by the Governor in Council.

All records relating to the cyber security of a Designated Operator must be stored within Canada under the CCSPA. Designated Operators should proactively identify the geographic location of the servers or data centres where they store information, or outsource the storage or processing of such information, in order to avoid breaching the record keeping requirements of the CCSPA.

Liability and Penalties

Canadian businesses must give careful attention to the new CCSPA obligations, as any violation can result in a severe monetary penalty. The amount of the penalty will be fixed by the regulations to be created under the CCSPA, and may be up to:

• $1,000,000 in the case of an individual; or
• $15,000,000 in any other case.

Directors and officers of a Designated Operator can be held personally liable for violations under the CCSPA if it is determined that they directed, authorized, assented, acquiesced in or participated in the commission of a violation. Due diligence may be pleaded as a defence.

As a violation that is committed or continued on more than one day is considered to be a separate violation in respect of each day on which it is committed or continued, there is the potential for the penalty to be applied per day. The applicable penalty will be determined by considering the nature and scope of the violation, mitigation efforts, compliance history and whether any competitive or economic benefit was derived from the violation. Specified regulatory bodies are authorised to enter into compliance agreements with Designated Operators which may reduce the penalty payable.

Contravention of specific provisions of the CCSPA can also amount to a criminal offence, resulting in a maximum of five-years imprisonment for individuals, or a monetary fine for corporations. A director or officer of a Designated Operator that directed, authorized, assented to, acquiesced in or participated in the commission of an offence may be prosecuted or convicted, even if the Designated Operator is not.

Stay Informed

If passed, Bill C-26 will serve as an effective mechanism for the Federal government to respond to modern cyber threats and enhance the security of systems which are vital to Canadian society. Regulations to be created under the CCSPA will provide further details, but it can be assumed that this new legislation will create additional burdens for Designated Operators to overcome and increase liability risks for directors and officers.

Bill C-26 may also serve as a legislative framework for Provincial governments to adopt their own cyber security legislation. Therefore, all Canadian businesses should be aware of the developments in Canadian cyber security law, as the scope of industries to which these new obligations apply is likely to expand over time.

Footnotes

1. Statistics Canada, About one-fifth of Canadian businesses were impacted by cyber security incidents in 2019, Catalogue No 11-001-X (Ottawa: Statistics Canada, 2020) <https://www150.statcan.gc.ca/n1/en/daily-quotidien/201020/dq201020a-eng.pdf?st=siNHZgA7>.

2. Public Safety Canada, National Cyber Security Action Plan 2019-2024, (Ottawa: Public Safety Canada, 2019)

3. Canadian Centre for Cyber Security, National cyber threat assessment 2020, (Ottawa: Communications Security Establishment, 2020) <https://cyber.gc.ca/sites/default/files/cyber/publications/ncta-2020-e-web.pdf>

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.