Why Common Vulnerability Scoring Systems (CVSS) Suck
Learn how to effectively understand and weight a vulnerability's severity, and how to use CVSS with other scoring systems for best accuracy.
By
Warren Moynihan
・
Cybersecurity Laws & Regulations in Canada
Although Canada has made significant progress in the laws and regulations since the Digital Privacy Act went into effect in 2018, there is still room for improvement.
By
Cate Callegari
・
For a 2021 version of "Cybersecurity Laws & Regulations in Canada", click here.
Comparing Cybersecurity Laws and Regulations
Do Canadians and Americans approach cyber security the same way? The answer is a clear and definite no. The resulting differences might surprise you. Although Canada has made significant progress in the cybersecurity laws and regulations since the Digital Privacy Act went into effect in 2018, there is still room for improvement.
The Digital Privacy Act is an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the storage and protection of personal data. While not as restrictive as the European Union’s General Data Protection Regulation (GDPR), regulations under the Digital Privacy Act open Canadian businesses up to significant penalties if they do not safeguard personal data and properly report any breaches that occur to the affected individuals.
Recently, A Centrify study found that 65 percent of data breach victims lost trust in an organization as a result of a security breach. Furthermore, IDC found that 80 percent of consumers in developed nations will defect from a business if their information is compromised in a security breach. These financial and reputational repercussions are one of the many reasons why these laws and regulations are in place, to protect consumers and businesses with sensitive data.
Canada’s Cybersecurity Landscape
Compared to 51 regions requiring mandatory disclosure in the US, Canada has three provinces that have similar legislative requirements (Alberta, British Columbia, and Quebec) with various levels of security requirements. In Canada, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take active steps to reduce risks (or the impact of such risks when they materialize) can have serious legal and financial consequences for any organization working within Canada. Therefore, it is crucial for organizations that operate or work within Canada to understand this rapidly evolving area of law and governance. These sources of law and governance would impact Canadian organizational decision-making with respect to the development of a plan to address cybersecurity risks.
Relevant Laws and Regulations in Canada
Within Canada, there are three general (and broad) forms of law that regulate security and privacy in Canada:
- The federal PIPEDA.
2. The provincial variation of PIPEDA in Alberta.
3. Various health information acts, such as the Health Information Protection Act.
Below are the three different forms of legal regulations that are summarized in point form.
PIPEDA
- The acronym PIPEDA stands for Personal Information Protection and Electronic Documents Act.
- A federal law that regulates and enforces privacy policy on both public and private organizations, except in cases where there is a provincial equivalent that meets the same minimum standard as PIPEDA (such as PIPA in Alberta).
- Criticized for a lack of enforceability, as there is a lack of mandatory disclosure or any penalty for offending parties.
- Possible amendment with Bill S-4, Digital Privacy Act, which would introduce mandatory disclosures of data breaches and information leaks.
Albertan PIPA
- While there are other forms of PIPEDA in other provinces, the Albertan Personal Information Protection Act (PIPA) is different from the rest, including PIPEDA, in that it goes beyond the minimum standard by mandating organizations to take measures to protect data and introducing mandatory disclosure of data breaches and information leaks.
- PIPEDA applies to employee information only in connection with a FWUB (federal works, undertakings or businesses), whereas the provincial PIPA applies to provincially regulated private sector organizations.
Health Information Protection Act
- Legislations that protect private health information. Only three provinces have privacy legislations that are similar to PIPEDA in regards to health information (Ontario, New Brunswick, Newfoundland).
- These legislations require mandatory reporting of data breaches.
PCI and Ecommerce
Aside from legal obligations, businesses need to also focus on industry regulations that affect privacy and data security requirements. The most common and well known of these regulations are the standards set by Payment Card Industry Data Security Standard (PCI DSS). This PCI compliance standard applies to all merchants that processes, stores, or transmits credit card information, and sets a security standard for businesses and their virtual environment.
There are four distinct levels, with each level having progressively more stringent requirements. For each successful data breach, the compromised merchant is escalated to a higher validation standard and will be required to adhere to the new minimum requirement.
Conclusion
Organizations should regularly conduct an audit of their existing cybersecurity status, including an evaluation of the following:
- Who and what is connected to their systems and networks;
- What is running on their systems and networks
- Whether they have technology in place to prevent most breaches, rapidly detect breaches that do occur, and minimize the damage of such breaches (e.g., automatic shutdown when data leaks are detected)
Cybersecurity in Canada is an area that requires a multi-disciplinary approach, with input from a variety of experts. Although this will require an initial investment of time and resources, organizations that fail to actively address cyber risk may be exposed to serious reputational, financial and legal repercussions if and when a data breach occurs.
That being said, the main difference that arises between the US and Canada, when it comes to cybersecurity, is the proactive stance on consumer protection and information security. Although Canada has made immense strides in recent years, there are other countries that are more proactive, like the US and European Union’s General Data Protection Regulation (GDPR).
References
[2] https://mcmillan.ca/insights/publications/cybersecurity-the-legal-landscape-in-canada/
About the author
Cate Callegari
@Table(name = "CUSTOMER",
uniqueConstraints=
@UniqueConstraint (columnNames={"MERCHANT_ID", "CUSTOMER"}))
public class Customer extends
uniqueConstraints=
@UniqueConstraint (columnNames={"MERCHANT_ID", "CUSTOMER"}))
public class Customer extends
Cookies
JWTs
Security
Can be easily manipulated without detection if not properly secured.
Digitally signed and can be validated on the server. Manipulation can be detected.
Size
Limited to 4KB.
Can contain much more data, up to 8KB.
Dependency
Often used for session data on the server-side. The server needs to store the session map.
Contains all the necessary information in the token. Doesn’t need to store data on the server.
Storage Location
Browser cookie jar.
Local storage or client-side cookie.
Get security insights straight to your inbox
Additional resources
Here to get you started
Security Strategy
15 Risks & Rewards of Pentesting in a Production Environment
No testing strategy is one-size-fits-all. Pentesting in a production environment can provide advantages, though it does come with many risks.
Read more
View report
The State of Penetration Testing as a Service- 2022 Edition
Say goodbye to 300+ page penetration test reports
Providing the quality of the biggest names in security without the price tag and complications.
Book a 30 min consultation
Manual penetration testing
Full time Canadian hackers
Remediation support
