Cyber Security Laws & Regulations in Canada

Apr 30, 2015 | by: Sherif Koussa

For a 2021 version of this article, click here.

Pop quiz: do Canadians and Americans approach cyber security the same way? The answer is a clear and definite no. With the recent passage of HB 1078 in Washington State (see: here), it seemed appropriate to compare the legal attitudes of Canada’s Parliament and the American Senate. The resulting difference might surprise you. To start, Canada still lags legislatively when it comes to information security. To date, 47 different states, D.C., Guam, Puerto Rico and the Virgin Islands have legislation requiring mandatory notification of data breaches involving personally identifiable information (for the full list, see here).

Compared to the 51 regions requiring mandatory disclosure in the US, Canada has 3 provinces with a similar legislative requirement (Alberta, British Columbia, Quebec), and varying levels of security requirements for different industries throughout the Confederation. Altogether, Canada lacks an equivalent legal framework for information security.

So, what does this mean if you’re a business operating in Canada? To answer exactly how Canadian law impacts security and privacy, this post will briefly look at the Canadian legal landscape.

Laws to Look Out For:

Within Canada there are three general (and broad) forms of law that regulate security and privacy in Canada:

1. The federal PIPEDA.

2. The provincial variation of PIPEDA in Alberta.

3. Various health information acts.

Below, the three different forms of legal regulation are summarized in point form.

PIPEDA

  • A federal law that regulates and enforces privacy policy on both public and private organizations, except in cases where there is a provincial equivalent that meets the same minimum standard as PIPEDA.
  • The acronym PIPEDA stands for Personal Information Protection and Electronic Documents Act.
  • Criticized for a lack of enforceability, since it contains neither mandatory disclosure nor any penalty for offending parties.
  • Possible amendment through Bill S-4, the Digital Privacy Act, which would introduce mandatory disclosure of data breaches and information leaks.

Albertan PIPA

  • While there are other provincial forms of PIPEDA, the Albertan Personal Information Protection Act (PIPA) differs from the rest, including PIPEDA, in that it goes beyond the minimum standard by requiring organizations to take measures to protect data and by introducing mandatory disclosure of data breaches and information leaks.

Health Information Protection Act

  • Legislation that protects private health information. Only three provinces have privacy legislation similar to PIPEDA with regard to health information (Ontario, New Brunswick, Newfoundland).
  • This legislation requires mandatory reporting of data breaches.

PCI and Ecommerce

[For a detailed, updated version of the PCI standards, visit this article.]

Aside from legal obligations, businesses also need to focus on industry regulations that affect privacy and data security requirements. The most common and well known of these is the Payment Card Industry Data Security Standard (PCI DSS). This compliance standard applies to all merchants that process, store, or transmit credit card information, and sets a security standard for businesses and their virtual environment.

There are four distinct merchant levels, with each level having progressively more stringent requirements. For a table of requirements, please see here. After each successful data breach, the compromised merchant is escalated to a higher validation level and is required to adhere to the new minimum requirements.

Last Words

For businesses operating in Canada, information security is a must, just as it is for any business operating elsewhere. While data breach notifications are not mandatory (except in Alberta, and in Ontario, New Brunswick and Newfoundland for health information), this may change with the possible passing of the Digital Privacy Act. With PCI compliance being a must to conduct business online, information security is vital, especially in the US.

That being said, the main difference that arises between the US and Canada, when it comes to cyber security, is the proactive stance on consumer protection and information security. Wait for part 2 for a quick scan of America’s legal landscape.

About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically.