June 14, 2022 marked a watershed moment in Canadian data protection history: the first reading of a federal cyber security law of general application aimed at protecting critical infrastructure. Until now, Canada has had an adequate (if not exemplary) privacy law regime, but little in the way of legislation of general application addressing cyber security outside of the privacy law regime. Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, takes two important steps beyond the requirements of existing privacy laws:
- It amends portions of the federal Telecommunications Act to authorize the government to impose obligations on telecommunications service providers to "secure the Canadian telecommunications system," and more broadly,
- It implements the Critical Cyber Systems Protection Act (the CCSPA), which empowers the government to designate services or systems as vital and to impose data protection obligations on their operators, require mandatory reporting of cyber security incidents, and facilitate threat information exchange "between relevant parties."
Schedule 1 to the CCSPA designates several services and systems as vital, namely:
- Telecommunications services
- Interprovincial or international pipeline and power line systems
- Nuclear energy systems
- Transportation systems that are within the legislative authority of Parliament
- Banking systems
- Clearing and settlement systems
The CCSPA features robust enforcement mechanisms, including:
- The power to issue compliance orders;
- The power to order an operator to conduct internal audits to assist the regulator in determining the extent of an operator's compliance with the CCSPA and regulations;
- The power to conduct searches of premises (evidently without warrants, except where the search is to be conducted at a "dwelling-house," i.e. private residence) to verify compliance or prevent non-compliance with the CCSPA and regulations, and in the process of such a search, to access any "cyber system" located and to access information contained on it, to copy and / or remove documents or records located;
- The ability to obtain ex parte warrants to conduct searches of dwelling-houses;
- Where authorized by warrant, to power use force to carry out searches of dwelling-houses;
- The ability to impose administrative monetary penalties of up to:
- $1 million per individual (i.e. an officer or director who "directed, authorized, assented to, acquiesced in or participated in the commission of [a] violation"), or
- $15 million per organization.
The exact amount of any penalty imposed is to be determined in accordance with the CCSPA and regulations, suggesting further guidance as to the size of the penalty in a given circumstance is forthcoming.
The CCSPA also establishes summary and indictable criminal offences for violations of provisions of the CCSPA. (For example, failure to respond to requests for information is a summary offence, while failure to establish, implement and maintain a cyber security program may be an indictable offence.) The CCSPA confers such powers on existing regulators of the systems and services listed as "vital" in Schedule 1, i.e.:
- The Superintendent of Financial Institutions;
- The Minister of Industry;
- The Bank of Canada;
- The Canadian Nuclear Safety Commission;
- The Canadian Energy Regulator; and
- The Minister of Transport.
Officers and directors of the operators of vital systems and services will be relieved to learn that the CCSPA provides an exemption from liability for the good faith performance of their duties under the CCSPA, and that a defence of due diligence is available for violations of the CCSPA.
The CCSPA does not appear to impose obligations directly on vendors or suppliers servicing vital services and systems. However, it does seek to address "risks associated with supply chains and the use of third-party products and services" by holding the operators of vital services and systems responsible for supplier/vendor vulnerabilities by requiring operators to:
- Establish cyber security programs to "identify and manage" risks "associated with the designated operator's supply chain and its use of third-party products and services";
- Provide regulators with notice of material changes in operators supply chains or use of third-party products and services;
- Take "reasonable steps" to mitigate risks associated with supply chains and use of third-party products and services; and
- Keep records of such steps taken.
While not made explicit by the statute, it seems reasonable to expect that management of supplier and vendor-associated risks will include imposing contractual obligations on suppliers and vendors in respect of cyber security preparedness, and the granting of audit rights to operators to ensure compliance. Such steps are common tools in privacy statutes. If passed in a form substantially similar to the proposed bill, Bill C-26 will take Canada a step further into the sphere of countries taking serious legislative measures to protect critical infrastructure from cyber attacks.
More may be on the way in Canada with respect to legislative measures to address cyber security. The federal government also expressed the wish, in its press release accompanying the introduction of Bill C-26, that, if passed, Bill C-26 "could also serve as a model for provinces, territories, and municipalities to help secure their critical infrastructure in collaboration with the federal government."