‘Vital systems’ cybersecurity law’ will expand information sharing, protect organizations: lawyer

Proposed bill would require certain organizations to immediately report cybersecurity incidents

‘Vital systems’ cybersecurity law’ will expand information sharing, protect organizations: lawyer
Daniel Michaluk, David Krebs

A recently tabled federal cybersecurity law which applies to critical sectors such as banking and transportation systems would require organizations to immediately report security breaches, develop and implement cyber-security programs, and follow government cyber-security directions.

On June 14, Minister of Public Safety Marco Mendicino introduced Bill C-26, a two-part piece of proposed legislation which includes the Critical Cyber Systems Protection Act. The law would create duties for organizations operating within “vital” services or systems such as banking, telecommunications, interprovincial or international pipelines and powerlines, nuclear energy, transportation systems under parliament’s legislative authority, and clearing and settlement systems. Public Safety Canada said the law is intended to protect Canadians from malicious cyber activity such as electronic espionage, ransomware and other cyberattacks affecting the “cyber systems and infrastructure that everyone relies on.”

The bill’s introduction preceded that of the Liberal government’s new private sector privacy regime, the Digital Charter Implementation Act, 2022, which came two days later.

Bill C-26’s cyber security incident reporting requirement will engender information sharing that will benefit organizations, including those outside of the legislation’s scope, says Daniel Michaluk, a cybersecurity, privacy and information management lawyer at Borden Ladner Gervais in Toronto.

“That information base may be useful to law enforcement in protecting everybody,” he says. “That's the direct, potentially positive impact of the bill, that law enforcement will be better at helping others and fighting cybercrime.”

Read more: What does a cybercrime lawyer do?

The bill would require Designated operators to immediately report cyber-incidents to their regulator and the Communications Security Establishment. Designated operators would also need to keep records of cyber security incidents, steps they took to implement their cyber security program, steps they took to mitigate supply-chain and third-party risks, and any measure taken to implement a cyber security direction.

The proposed law would take requirements which already exist for banks under the Office of the Superintendent of Financial Institutions’ (OSFI) cyber breach notification guidelines, and extend them to other critical infrastructure, says David Krebs, national co-leader of Miller Thomson LLP’s privacy and cybersecurity practice.

“It will also align the Canadian framework with some of the developments in in the U.S., and, to a certain extent, the European Union as well,” says Krebs, who is based in Saskatoon.

Outside of certain sector-specific rules like OSFI’s, there is no requirement for an organization to notify anyone about a cyber security incident if the incident does not affect personal information, he says. Much of Canada’s privacy law is focused on protecting personal information, rather than systems, and Krebs says that is what the feds are trying to address with Bill C-26.

The security incident reporting requirements will also change how organizations communicate, which could potentially alter their entire incident response strategy, he says.

“I've seen in incidents where if you are forced to communicate something, that changes your strategy. That changes your resource allocation. That changes what workstreams you initiate. And it has a real impact on your response. So, that's significant.”

According to the bill, an incident qualifies as a cyber-security incident if it “interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity or availability of the critical cyber system.”

Including the wording: “or may interfere” means that organizations will need to report “at such a low level,” says Michaluk, that they will almost be “in a form of security-related partnership” with the government.

“That's to the benefit of everybody in Canada, and that's a good thing,” he says. “Most businesses in Canada won't be subject to those onerous obligations and will essentially be able to free ride on the effective benefit that is being derived from this small sliver of the Canadian private sector.”

With Bill C-26, the federal government is “taking the lead within its own jurisdiction. What’s next is an interesting question.”

The proposed law would also require designated operators within vital services and systems to create and file with their respective regulators a cyber security program. The program is supposed to identify cyber security risks and that of the organization’s supply chain and third parties, protect “critical cyber systems,” detect security incidents, and minimize the impact of cyber security incidents.

The Act also states it would authorize the Governor in Council to issue cyber security directions “for the purpose of protecting a critical cyber system.” Failure to report a cyber security incident or to comply with a cyber security direction could result in a penalty of up-to-$15 million.