Bill C-26: Canada’s New Critical Infrastructure Cybersecurity Act

June 14, 2022 marked a turning point in the history of cybersecurity regulation in Canada: the first reading of a federal cybersecurity law of general application aimed at protecting critical infrastructure. Until now, Canada had an adequate (if not exemplary) legal regime for privacy, but few laws of general application dealing with cybersecurity outside that privacy regime. Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, takes two important steps beyond the requirements of existing privacy laws:

  1. It amends the federal Telecommunications Act to authorize the government to impose obligations on telecommunications service providers in order to “secure the Canadian telecommunications system”; and, more generally,
  2. It enacts the Critical Cyber Systems Protection Act (the CCSPA), which empowers the government to designate services or systems as vital and to impose cybersecurity obligations on their operators, to require mandatory reporting of cybersecurity incidents, and to facilitate the exchange of threat information “between the parties concerned”.

Schedule 1 of the CCSPA designates several services and systems as vital, namely:

  1. Telecommunications services
  2. Interprovincial or international pipeline and power line systems
  3. Nuclear energy systems
  4. Transportation systems that fall under the legislative authority of Parliament
  5. Banking systems
  6. Clearing and settlement systems

CCSPA has strong enforcement mechanisms, including:

  1. The power to issue compliance orders;
  2. The authority to order an operator to conduct internal audits to assist the regulator in determining the operator’s level of compliance with the CCSPA and the regulations;
  3. The power to enter and search premises without a warrant (except where the place to be searched is a “dwelling-house”, i.e. a private residence) to verify compliance with, or prevent non-compliance with, the CCSPA and the regulations, and, in the course of such a search, to access any cyber system found there and the information it contains, and to copy and/or remove documents or records found there;
  4. The ability to obtain ex parte warrants to search dwelling-houses;
  5. When authorized by warrant, the ability to use force in searching dwelling-houses;
  6. The possibility of imposing administrative monetary penalties of up to:
    1. $1 million per individual (e.g. an officer or director who “directed, authorized, consented to, acquiesced in or participated in the commission of [a] violation”), or
    2. $15 million per organization.

The exact amount of any penalty imposed must be determined in accordance with the CCSPA and the regulations, which suggests that further guidance as to the size of the penalty in a given circumstance is forthcoming.

The CCSPA also creates summary conviction offences and indictable offences for contraventions of its provisions. (For example, failure to respond to a request for information is a summary conviction offence, while failure to establish, implement and maintain a cybersecurity program may be prosecuted as an indictable offence.) The CCSPA grants these powers to the existing regulators of the systems and services listed as vital in Schedule 1, namely:

  • The Superintendent of Financial Institutions;
  • The Minister of Industry;
  • The Bank of Canada;
  • The Canadian Nuclear Safety Commission;
  • The Canada Energy Regulator; and
  • The Minister of Transport.

Officers and directors of operators of vital systems and services will be relieved to learn that the CCSPA provides an exemption from liability for the good-faith performance of their duties under the Act, and that a defence of due diligence is available for CCSPA violations.

The CCSPA does not appear to impose obligations directly on vendors or suppliers to operators of vital services and systems. However, it does seek to address “risks associated with supply chains and the use of third-party products and services” by holding operators of vital services and systems accountable for vendor and supplier vulnerabilities, requiring operators to:

  1. Establish cybersecurity programs to “identify and manage” risks “associated with the designated operator’s supply chain and its use of third-party products and services”;
  2. Inform their regulator of any significant change in their supply chain or in their use of third-party products and services;
  3. Take “reasonable steps” to mitigate the risks associated with supply chains and the use of third-party products and services; and
  4. Keep records of these actions taken.

Although the Act does not say so, it seems reasonable to expect that managing the risks associated with suppliers and vendors will include imposing contractual cybersecurity-readiness obligations on suppliers and vendors and obtaining audit rights for operators to verify compliance. These measures are already common tools under privacy law. If passed in substantially the form proposed, Bill C-26 will move Canada a step further into the group of countries taking serious legislative action to protect critical infrastructure from cyberattacks.[1]

Further legislative measures addressing cybersecurity may be forthcoming in Canada. In the press release accompanying the introduction of Bill C-26, the federal government also expressed the hope that, if passed, Bill C-26 “would also serve as a model for the provinces, territories and municipalities to help secure their critical infrastructure in collaboration with the federal government.”[2]

About Donald J. Beadle
