TL;DR: Although Canada has made significant progress in its laws and regulations since the Digital Privacy Act went into effect in 2018, there is still room for improvement.

For a 2021 version of "Cybersecurity Laws & Regulations in Canada", click here.
Do Canadians and Americans approach cybersecurity the same way? The answer is a clear and definite no, and the differences might surprise you. Although Canada has seen significant advancements in cybersecurity laws and regulations since the Digital Privacy Act went into effect in 2018, there is still room for improvement.
The Digital Privacy Act is an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the storage and protection of personal data. While not as restrictive as the European Union’s General Data Protection Regulation (GDPR), regulations under the Digital Privacy Act open Canadian businesses up to significant penalties if they do not safeguard personal data and properly report any breaches that occur to the affected individuals.
A recent Centrify study found that 65 percent of data breach victims lost trust in an organization after a security breach, and IDC found that 80 percent of consumers in developed nations will defect from a business if their information is compromised in a breach. These financial and reputational repercussions are among the many reasons such laws and regulations exist: to protect consumers and the businesses that hold sensitive data.
Compared with the 51 US jurisdictions that require mandatory breach disclosure, Canada has three provinces with similar legislative requirements (Alberta, British Columbia, and Quebec), each with its own security requirements. Data protection and cybersecurity in Canada are governed by a complex legal and regulatory framework. Failing to understand this framework and to take active steps to reduce risks (or the impact of those risks when they materialize) can have serious legal and financial consequences for any organization operating in Canada. It is therefore crucial for such organizations to understand this rapidly evolving area of law and governance, because these sources of law and governance shape organizational decisions about how to plan for cybersecurity risks.
The Critical Cyber Systems Protection Act (CCSPA), introduced as part of Bill C-26, aims to reform Canada's cybersecurity regulation and protect critical infrastructure. This legislation would establish minimum cybersecurity standards for federally regulated private sector industries and require operators of critical cyber systems to implement cybersecurity programs meeting prescribed safeguards. The CCSPA also mandates notification to regulators about these programs and introduces new breach-reporting obligations for incidents that could disrupt vital systems or services. By focusing on securing critical infrastructure and assisting organizations in preparing for, preventing, and responding to cyber incidents, the CCSPA represents a significant step towards enhancing Canada's overall cybersecurity posture. The proposed legislation could potentially serve as a model for provincial, territorial, and municipal governments to collaborate with federal authorities in securing their critical infrastructure.
The Critical Cyber Systems Protection Act (CCSPA) employs a robust enforcement framework to ensure compliance. It authorizes substantial administrative monetary penalties, with maximum fines of C$15 million for designated operators and C$1 million for directors and officers. Certain violations may be prosecuted as criminal offenses, potentially resulting in fines and imprisonment. The Act also empowers industry regulators to conduct inspections, compel information disclosure, and issue non-compliance notices. This multi-faceted approach, combining financial penalties, criminal prosecution, and regulatory oversight, aims to deter violations and promote adherence to the CCSPA's provisions. By implementing these stringent enforcement measures, the Act seeks to enhance cybersecurity practices and protect critical infrastructure in Canada.
Bill C-26 proposes significant amendments to the Telecommunications Act, adding security as a policy objective and granting new authorities to the Canadian government to enhance cybersecurity in the telecommunications sector. The legislation empowers the government to mandate necessary actions to secure Canada's telecommunications system, including prohibiting the use of products from high-risk suppliers. It introduces new order powers for the Governor in Council and Minister of Industry to address potential threats of interference, manipulation, or disruption. These orders can require telecommunications service providers to remove specific products, impose conditions on service usage, perform network reviews, and develop security plans. Additionally, the bill introduces the Critical Cyber Systems Protection Act (CCSPA), which requires operators of critical cyber systems to implement cybersecurity programs and report breaches that could interfere with vital services. While Bill C-26 may not address all the cybersecurity gaps for Canadian telecom providers, it is a significant step towards enhancing cybersecurity in this sector. The bill introduces measures such as mandatory reporting of cybersecurity incidents and increased collaboration between government and industry. These provisions will help improve the overall cybersecurity posture of Canadian telecom providers and better protect the privacy and security of Canadians.
Within Canada, there are three general (and broad) forms of law that regulate security and privacy:
1. The federal Personal Information Protection and Electronic Documents Act (PIPEDA).
2. The provincial variation of PIPEDA in Alberta (Alberta's PIPA).
3. Various health information acts, such as the Health Information Protection Act.
PCI and E-commerce
Aside from legal obligations, businesses also need to consider industry regulations that affect privacy and data security requirements. The most common and well-known of these is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all merchants that process, store, or transmit credit card information and sets a security standard for those businesses and the environments in which they handle that data.
PCI DSS defines four distinct merchant levels, each with progressively more stringent requirements. After a successful data breach, the compromised merchant is escalated to a higher validation level and must meet its more demanding minimum requirements.
Conclusion
Organizations should regularly conduct an audit of their existing cybersecurity status, including an evaluation of the following:
Cybersecurity in Canada is an area that requires a multi-disciplinary approach, with input from a variety of experts. When it comes to cybersecurity laws and regulations in Canada, organizations must actively address cyber risks to avoid serious repercussions. Although this will require an initial investment of time and resources, organizations that fail to actively address cyber risk may be exposed to serious reputational, financial and legal repercussions if and when a data breach occurs. While the effectiveness of the CCSPA in reforming cybersecurity regulation and securing critical infrastructure may be debated, it is a step in the right direction. The CCSPA provides a framework for addressing cybersecurity risks and promoting compliance among organizations. By implementing this legislation, Canada is sending a strong message that cybersecurity is a priority and that measures are being taken to protect critical infrastructure.
It is important to recognize that laws are constantly evolving to keep pace with emerging threats. The upcoming changes in cybersecurity laws demonstrate the government's commitment to addressing gaps and strengthening protections. Organizations should stay informed about these changes and work towards compliance to ensure they are adequately protected against cyber threats. Canada's data privacy laws may not be comprehensive enough to protect all types of personal information, but they still provide a strong foundation for privacy protection. Organizations should take a proactive approach to data privacy by implementing robust security measures, obtaining consent for data collection and use, and regularly reviewing and updating their privacy policies. By going above and beyond the minimum requirements of the law, organizations can build trust with their customers and demonstrate their commitment to protecting personal information.
That being said, the main difference between the US and Canada when it comes to cybersecurity is how proactive each is about consumer protection and information security. Although Canada has made immense strides in recent years, other jurisdictions are more proactive, such as the US and the European Union with its General Data Protection Regulation (GDPR).