Privacy espresso seriesResourcesSeptember 15, 2022An Overview of Canada’s Bill C-26: “An Act Respecting Cybersecurity.”

As the Russia-Ukraine crisis has demonstrated, modern warfare is fought both on the ground and over the internet, and cyber security is increasingly a matter of national security. Against this background, Canada has introduced Bill C-26, “an Act Respecting Cybersecurity.” The Act would impose cyber security obligations upon companies in Canada’s vital sectors (finance, transportation, energy and telecom) as well as enhanced government oversight and enforcement measures. In this privacyespresso, we sat down with Robbie Grant from McMillan LLP in Toronto to discuss the Bill and how companies can prepare for it.

In summary, the Bill aims to provide a framework for protecting critical infrastructures. It specifically gathers towards four vital sectors, namely:
–    finance
–    energy
–    transportation and
–    telecoms.

Cybersecurity standards in these sectors come from privacy laws and the regulator’s guidance. However, they both lack enforcement and investigatory capabilities at the moment.

On the privacy law side, the PIPEDA has some cybersecurity requirements, but there are also gaps that the new Bill aims to address. For example:
–    PIPEDA focuses on personal information only and is not aimed at preserving companies’ operation
–    The compliance is managed by the privacy authority that has a vast oversight and not enough resources to investigate players and push them towards a higher level of security

So, in general, there are no significant enforcement powers over the privacy authority. This may be solved thanks to another upcoming bill (separated by the C-26), which has been proposed exactly to provide more powers to it.

Additionally, the other regulators that may be involved under the mentioned sectors also lack enforcement powers. For this reason, the new proposed Bill C-26 will empower them with additional capacities to ensure a good level of protection. So, we are not speaking about a privacy law bill but a national security bill that will also enforce privacy rights.

Such a Bill is the outcome of a higher awareness at the national level of the need for a more robust cybersecurity system.

Looking more specifically into the contents of the Bill, we can observe two main components into it:

–    The first one is more focused on telecoms and gives significant oversight power to the related authority so that it can force telecom companies to do anything necessary to secure the Canadian telecom system. These powers would also be endowed with a new capability of issuing quite hefty fines in case of non-compliance.

–    The second one would enact the Critical Cybers System Protection Act (CCSPA), which will create new obligations for designated operators managing vital services. It will require security steps such as establishing a cybersecurity program, taking any steps to mitigate supply chain risks, reporting security breaches and incidents, and complying with any direction imposed by the government and providing more powers to Ministers and Regulators for them to investigate and issue fines where the mentioned measures are not implemented.

What should companies do then?
At the actual stage, we know the involved industries but not the designated operators cut up by the Bill. However, big national companies associated with these sectors should already consider themselves hit by the Bill and, if not already prepared to face similar vulnerabilities, they should start to do so with high priority. Additionally, potentially involved companies should start investing resources in security and stay updated with regulators’ guidance as the next decisions of the authorities will be based on them.

To know more about the new Bill and to get an indication of how to prepare for it, watch this privacyespresso and contact our experts at McMillan for a tailored analysis of what you should be doing.