Lawyers call for national cybersecurity standards

Technology lawyers say they’re hopeful the federal government’s public consultation on cybersecurity will result in a set of national standards for digital safety in Canada.

Technology lawyer Lisa Abe-Oldenburg says that, currently, it’s difficult to advise clients who ask about the level of security standards they should be following to protect their systems.

“There’s really not a lot of legislation we can point to to give them any kind of guidance and comfort,” she says. “It often becomes a negotiation between the customer and the supplier.”

Ira Nishisato, partner at Borden Ladner Gervais LLP, complains of the same issue.

“There are essentially no national standards,” Nishisato says. “From a legal perspective, the issue is always the question of standard of care — to what standard of care could an organization be held to in terms of ensuring the integrity and the security of its system?

“Right now, if you look for what you should be doing, it’s really not a question that avails itself of a straightforward answer,” he adds. “It would be extraordinarily helpful to have some sort of direction in terms of national guidelines or national standards for cybersecurity and cyber-risk management.”

Last week, the federal government announced it would be launching a public consultation “on the evolving cybersecurity landscape” with the goal of strengthening digital safety.

“The government’s cybersecurity review is an opportunity to build Canadian strength and expertise. Canadians spend more time online than people in any other country,” said Ralph Goodale, minister of Public Safety and Emergency Preparedness.

“We need to get really good at cybersecurity — across our personal, business, infrastructure and government sectors — so we can take full advantage of the digital economy, while protecting the safety and security of Canadians, and selling our valuable cyberskills and products into a booming market throughout the rest of the world,” Goodale added.

Current legislation and regulations around cybersecurity lack rigour, according to Abe-Oldenburg.

“We haven’t created any robust security regulations,” she says, noting that even recent legislation such as the Personal Information Protection and Electronic Documents Act falls short of specifying details such as the level of encryption required on personal information collected for commercial purposes.

Abe-Oldenburg also says the government should look at the various risks to which the public is exposed in the age of the Internet of Things, including vulnerabilities that may come with self-driving cars. She adds she’s hopeful the consultation will result in better regulations for products and services.

Lack of software safety standards for autonomous vehicles, for example, could jeopardize personal safety and data, Abe-Oldenburg continues. “If somebody hacks into a system that’s controlling a device, a machine or an automobile, there could be serious repercussions.”