1 Legal framework

1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?

Federal and provincial privacy laws in Canada do not expressly distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’.

The Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), Canada's federal private sector privacy law, defines a ‘breach of security safeguards’ as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards" (Section 2(1)).

Under Section 26.2(b) of PIPEDA, if a province's legislation has been deemed substantially similar to Part 1 of PIPEDA, then the organisations to which provincial legislation applies may be exempt from the application of Part 1 in respect of the collection, use and disclosure of personal information in that province. The provinces of British Columbia, Alberta and Quebec have private sector privacy laws deemed substantially similar to PIPEDA. Federal works, undertakings or businesses such as banks, telecommunications companies and transportation companies continue to fall under PIPEDA. Please see:

  • Organizations in the Province of Québec Exemption Order (SOR/2003-374);
  • Organizations in the Province of British Columbia Exemption Order (SOR/2004-220); and
  • Organizations in the Province of Alberta Exemption Order (SOR/2004-219).

It is still possible for an organisation to be subject to more than one privacy law, such that one part of its operations taking place within the province is governed by provincial law and another part of its operations – which might involve the transfer of information across provincial borders – is subject to PIPEDA.

Alberta's Personal Information Protection Act (SA 2003, c P-6.5) (PIPA) defines a ‘data breach’ as "a loss, or unauthorized access to or disclosure of personal or individually identifying health information" (PIPA, Section 34.1; Health Information Act, Section 60.1).

British Columbia's Personal Information Protection Act (SBC 2003, c 63) (PIPA) defines a ‘data breach’ as "unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks" (PIPA, Section 34; Freedom of Information and Protection of Privacy Act, Part 3).

Quebec's Act to amend the Act respecting Access to Documents held by Public Bodies and the Protection of Personal Information and other Legislative Provisions (SQ 2006, c 22) does not separately define a ‘data breach’. However, the legislature is actively considering amendments to Quebec's privacy laws to incorporate such aspects of data protection.

While not statutory, the Canadian Centre for Cyber Security – Canada's authority on cybersecurity – defines a ‘cyber threat’ as "an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains" (see www.cyber.gc.ca).

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

The Digital Privacy Act (SC 2015, c 32) was passed in 2015 "to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act". Among other things, the Digital Privacy Act amended PIPEDA to provide for several new security safeguard obligations. These obligations were incorporated into Division 1.1 of PIPEDA and came into force on 1 November 2019.

In addition, PIPEDA's Breach of Security Safeguards Regulations (SOR/2018-64) provide reporting and procedural requirements in breach situations.

The public sector data protection law is the Privacy Act (RSC 1985, c P-21), which covers the use, disclosure and collection of personal information by government institutions.

There are also sector-specific privacy laws. The Canadian privacy regulatory landscape is summarised in Table 1 (see Office of the Privacy Commissioner of Canada (OPC) guide, Summary of Privacy Laws in Canada).

Table 1: Privacy laws in Canada: personal information

Private sector: PIPEDA applies to private sector organisations. It also applies to the personal information of employees of federally regulated businesses such as banks, airlines and telecommunications service providers. British Columbia, Alberta and Quebec have legislation that is substantially similar to PIPEDA.

Federal: The Privacy Act governs a person's right to access and correct personal information held by the government of Canada.

Health: The following provinces have health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information: Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia.

Employment: Some provinces, such as Alberta and British Columbia, have passed privacy laws that apply to employee information.

Sector-specific: Several federal and provincial sector-specific laws include provisions dealing with personal information. For example:

  • the Federal Bank Act;
  • provincial laws governing credit unions; and
  • provincial laws governing consumer credit reporting.

Canada's Anti-Spam Law – An Act to promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (SC 2010, c 23) (CASL) – is also relevant to cyber. Its provisions include a prohibition against sending commercial electronic messages to recipients in Canada without express or implied consent (with some exceptions). It also restricts the installation of computer programs on another person's device (Section 8). Section 9 further prohibits aiding, inducing, procuring or causing to be procured any of such acts.

The Canadian Criminal Code (RSC, 1985, c C-46) also includes provisions that address a variety of cybercrimes which, among other offences, can be prosecuted as:

  • mischief (Section 430);
  • knowing interception of private communication (Section 184);
  • fraud – unauthorised use of a computer (Section 342); and
  • defrauding the public or any person of any property, money or valuable security or any service (Section 380).

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

There are industry or sector-specific statutes or regulations that apply to cybersecurity in Canada. Examples of industry or sector-specific statutes, regulations and guidelines include the following.

Provincial health legislation: Specific data protection legislation also applies to health information custodians in provinces deemed by regulation to have substantially similar legislation to PIPEDA:

  • Ontario: The Personal Health Information Protection Act, 2004 (SO 2004, c 3) Schedule A is deemed substantially similar and exempted from the application of Part 1 of PIPEDA by Health Information Custodians in the Province of Ontario Exemption Order SOR/2005-399.
  • Nova Scotia: The Personal Health Information Act (SNS 2010, c 41) is deemed substantially similar and exempted from the application of Part 1 of PIPEDA by Personal Health Information Custodians in Nova Scotia Exemption Order SOR/2016-62.
  • Newfoundland and Labrador: The Personal Health Information Act (SNL 2008, c P-7.01) is deemed substantially similar and exempted from the application of Part 1 of PIPEDA by Personal Health Information Custodians in Newfoundland and Labrador Exemption Order, SI/2012-72.
  • New Brunswick: The Personal Health Information Privacy and Access Act (SNB 2009, c P-7.05) is deemed substantially similar and exempted from the application of Part 1 of PIPEDA by Personal Health Information Custodians in New Brunswick Exemption Order SOR/2011-265.

The provincial health privacy legislation sets out high-level duties to safeguard information – for example, Ontario's Personal Health Information Protection Act requires that physical, administrative and technical safeguards be employed to protect personal health information. These are part of the health information custodian's ‘information practices’. A health information custodian must also take "steps that are reasonable in the circumstances to ensure that personal health information in the custodian's custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal" (Section 12(1)).

Office of the Superintendent of Financial Institutions (OSFI): OSFI has issued guidelines on cybersecurity that it deems to be ‘best’ or ‘prudent’ practices for federally regulated financial institutions (FRFIs). The guidelines set standards for industry activities and behaviour, and include the following:

  • the Technology and Cyber Security Incident Reporting Advisory (2019), which sets out OSFI's expectations for FRFIs with respect to the reporting of technology and cybersecurity incidents affecting FRFI operations. It describes the characteristics of incidents that should be reported to OSFI, in addition to initial notification and subsequent reporting requirements;
  • Guideline B-10 (Outsourcing of Business Activities, Functions and Processes) for FRFIs; and
  • Guideline E-12 (Operational Risk Management), which states that FRFIs should develop frameworks for operational risk management tools. The "three lines of defence" approach is provided as an example of such a framework.

In 2013 OSFI released a Cybersecurity Self-Assessment Guidance memorandum for FRFIs. This memorandum provides a detailed checklist and is intended to assist FRFIs in assessing their cyber preparedness and developing and maintaining effective cybersecurity practices. The memorandum states that OSFI expects senior management to review cybersecurity-related policies and practices and ensure their efficacy and appropriateness relative to the institution's risks and circumstances.

Canadian Securities Administrators (CSA): The CSA oversees the securities and capital markets regulation and has issued several staff notices pertaining to cybersecurity. The relevant staff notices generally state CSA expectations on cyber-related practices and include:

  • CSA Staff Notice 51-347, "Disclosure of cyber security risks and incidents", which provides guidance on risk factor disclosure and incident reporting;
  • Staff Notice 11-338 ("CSA Market Disruption Coordination Plan"), which includes notification requirements to regulators and dissemination of information to the public as it pertains to market disruption, including large-scale cybersecurity incidents; and
  • CSA Staff Notice 11-326, "Cyber Security", which states that security issuers should be aware of cybercrime and take steps to safeguard themselves, clients and stakeholders. This notice was updated by CSA Staff Notice 11-332 with the same title, which requires issuers to provide risk disclosures specific for their entity; there should be cyberattack remediation plans and explanations as to how the issuer would assess the materiality of a cyberattack.

Ontario Energy Board: The Ontario Energy Board requires licensed electricity transmitters and distributors to abide by the Ontario Cybersecurity Framework and to provide cybersecurity and privacy information. This framework is specific to the electricity industry and was created by the Ontario Energy Board. It requires licensed distributors and transmitters to report on the level of the entity's cybersecurity maturity, which must be self-certified and signed by the CEO.

(b) Certain types of information (personal data, health information, financial information, classified information)?

There are no special cybersecurity statutes in Canada. Cybersecurity-related regulations, as described in question 1.2(a), apply to the personal information or personal health information of their corresponding statute.

In addition, the Canadian Centre for Cybersecurity has issued directives that apply to the government of Canada's communications networks, national security systems and government end users that process, handle or retain classified government information and data, or other sensitive information.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

Where there is a real and substantial connection between Canada and the collection, use and disclosure of personal information in the course of the organisation's commercial activities, PIPEDA applies (see Lawson v Accusearch Inc [2007] FCJ 164, 2007 FC 125 (FC)).

An example of the application of the ‘real and substantial’ test is found in PIPEDA Case Summary 2011-002. In this case, a complaint was filed with the OPC against KLM Royal Dutch Airlines on the grounds that KLM had failed to provide the complainant with sufficient information about its management of personal information and had failed to respond properly to an access request made under PIPEDA.

In assessing jurisdiction, the OPC considered the following factors to decide whether there was a real and substantial connection to Canada:

  • The complainant and his family were Canadian residents who were seeking access to their personal information;
  • KLM offered services in Canada, with employees at several international airports in Canada;
  • KLM had a Canadian version of a website that actively targeted Canadians, that was accessible by Canadians and from which Canadians could reserve flights with KLM;
  • KLM regularly operated scheduled non-stop flights to and from Canadian destinations;
  • The complainant originally booked a flight from Toronto operated by KLM; and
  • KLM needed to collect personal information from Canadian passengers in order to offer its services to Canadian passengers.

The OPC decided in favour of jurisdiction to investigate the complaint, despite KLM being headquartered in the Netherlands, and required KLM to comply with PIPEDA.

According to the Criminal Code, "no person shall be convicted or discharged of an offence committed outside Canada" (Section 6(2)). However, under Sections 7(3.74) and 7(3.75), certain terrorism offences and indictable offences considered to be terrorist activities in Canada may be deemed to have been committed in Canada if, for example, the offence is committed by a Canadian citizen or against a Canadian government body.

Additionally, under the right circumstances and where it is reasonable to assert jurisdiction, it is possible for certain offences to be brought under Canadian jurisdiction. In the Supreme Court case R v Libman, [1985] 2 SCR 178, Justice La Forest, speaking for the court, stated that: "[A]ll that is necessary to make an offence subject to the jurisdiction of our courts is that a significant portion of the activities constituting that offence took place in Canada. As it is put by modern academics, it is sufficient that there be a ‘real and substantial link’ between an offence and this country, a test well known in public and private international law…"

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

Canada is a signatory to and has ratified the Convention on Cybercrime, an international treaty that aims to protect society against cybercrime, promote the adoption of appropriate legislation and encourage international cooperation.

According to Public Safety Canada's National Cyber Security Action Plan (2019–2024), Global Affairs Canada (GAC) is establishing an International Cyber Engagement Working Group to:

enhance information sharing and coordination between government organizations working on international cyber issues. This initiative supports GAC's mandate to enhance and promote Canada's leadership in an evolving global context, including by advancing efforts to more effectively fulfil Canada's commitments within the North Atlantic Treaty Organization (NATO) and other regional organizations, such as the Organization for Security Cooperation in Europe (OSCE), the Organization of American States (OAS), and the ASEAN Regional Forum (ARF).

In June 2004 Canada also signed a bilateral cooperation agreement with the United States, titled "Agreement Between the Government of Canada and the Government of the United States of America for Cooperation in Science and Technology for Critical Infrastructure Protection and Border Security", which is related to, although not focused on, cybersecurity. The objectives include the encouragement, facilitation and development of technology for critical infrastructure protection and border security. This treaty is listed in the United States Department of State publication "Treaties in Force: A List of Treaties and Other International Agreements of the United States in Force on January 1, 2019".

GAC is also planning an International Strategic Framework for Cyberspace to allow Canada to enhance its cooperation with the United States as it further implements its cybersecurity strategy (see the National Cyber Security Action Plan (2019–2024)).

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

Most criminal offences can be found in the Criminal Code of Canada. Cybercrime, based on the particulars of the activity, can be prosecuted through various sections of the code. For example, ‘unauthorised use of a computer’ set out in Section 342.1 covers hacking and most other types of cybercrime; anyone found guilty thereunder is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction.

Hacking may also fall under mischief outlined in Sections 430–432 of the Criminal Code. Anyone who commits mischief that causes actual danger to life is guilty of an indictable offence and liable to imprisonment for life.

The penalties for specific types of mischief as set out in Section 430 of the Criminal Code include the following:

Punishment

(3) Every one who commits mischief in relation to property that is a testamentary instrument or the value of which exceeds five thousand dollars

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.

Idem

(4) Every one who commits mischief in relation to property, other than property described in subsection (3),

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.

Mischief in relation to computer data

(5) Everyone who commits mischief in relation to computer data

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.

Under Section 402, identity theft and trafficking in identity information are punishable by imprisonment for a term of not more than five years, or as an offence punishable on summary conviction. Identity fraud is punishable by imprisonment for a term of not more than 10 years, or as an offence punishable on summary conviction (Section 403).

Interception is also punishable as per Section 184 of the Criminal Code, which states that "Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years".

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

The Office of the Privacy Commissioner of Canada (OPC) handles Personal Information Protection and Electronic Documents Act (PIPEDA) and Privacy Act complaints. The OPC has the power to resolve complaints through investigation, persuasion, mediation and conciliation. While the OPC can make recommendations, these recommendations are not binding, although the OPC can apply to the Federal Court for a hearing.

Complaints regarding the private sector in provinces where provincial legislation applies, as it has been deemed substantially similar to PIPEDA, will be heard through the provincial commissioner or ombudsman office, although recently there has been an increase in the number of cases in which the OPC and provincial commissioners have cooperated on investigations. The OPC has also shared enforcement responsibility for Canada's Anti-Spam legislation with the Canadian Radio-television and Telecommunications Commission and the Competition Bureau.

With respect to industry-specific guidelines, generally each issuing entity enforces its own guidelines – for example, OSFI guidelines are enforced by OSFI, and CSA regulations are enforced by CSA enforcement personnel and the securities tribunals.

For extraterritorial applicability, please see question 1.3.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

Yes, there is a private right of action under PIPEDA. For example, Section 14.1 of PIPEDA allows individuals to pursue court action in the Federal Court, but only after the OPC has issued a report on the investigation of the complaint or has discontinued the investigation as per Section 12.2 of PIPEDA. Also, the Privacy Acts of four provinces contain a statutory tort allowing individuals to bring a claim, without proof of damages, for breach of their privacy, as set out in Table 2.

Table 2: Statutory causes of action in provincial legislation

  • British Columbia: Privacy Act, RSBC 1996, c 373; relevant provisions include 1(1)-(4), 3(2), 5.
  • Manitoba: Privacy Act, RSM 1987, c P125; relevant provisions include 2(1), 2(2), 6.
  • Newfoundland and Labrador: Privacy Act, RSN 1990, c P-22; relevant provisions include 3(1), 4(a), 6, 7(1), 11.
  • Saskatchewan: Privacy Act, RSS 1978, c P-24; relevant provisions include 2, 8(1), 8(2), 10.

The remedies with respect to the Privacy Acts of these provinces will be remedies appropriate to the action. For example, in Manitoba's Privacy Act, remedies can include:

  • an award of damages;
  • an injunction if it appears just and reasonable; and
  • an order to return documents that have come into the plaintiff's possession as a result of the violation (Section 4(1)).

2.3 What defences are available to companies in response to governmental or private enforcement?

There are no statutory defences under PIPEDA. Demonstration of an acceptable level of due diligence is a defence. For example, in Lozanski v The Home Depot [2016 ONSC 5447], a class action was filed after a breach of a payment card system gave hackers access to personal information such as customer credit card numbers and their expiration dates. However, due to Home Depot's timely and proper response to the breach, Justice Perell stated that "(a) Home Depot apparently did nothing wrong; (b) it responded in a responsible, prompt, generous, and exemplary fashion to the criminal acts perpetrated on it by the computer hackers; (c) Home Depot needed no behaviour management" (at para 74). He concluded that Home Depot's liability in the totality of the circumstances was in the range of negligible to remote, and that Home Depot could not be blamed for the breach.

Many examples of best practices and recommendations can be found on the website of the OPC and in OPC reports of findings. For example, OPC Investigation Report PIPEDA #2018-001 addressed the reasonableness standard as it pertains to accountability for security safeguards. In this global data breach case involving sensitive data of 316,000 Canadian children, VTech Holdings Limited (headquartered in Hong Kong) was found by the OPC to have significant security deficiencies. In its report, the OPC listed the factors that can mitigate the risk of a future breach (at para 24):

a) Testing/maintenance: implement (i) a regular, multifaceted testing protocol to identify potential system vulnerabilities; and (ii) an update/patch management program to mitigate the risk of known vulnerabilities.

b) Administrative access controls: Limit the number of individuals with administrative access, and limit the scope of access via individual accounts (e.g. to limit cross-network access of local administrators). Strengthen authentication controls (e.g. strong passwords) and put in place organizational measures to more strictly control the use of administrative controls.

c) Cryptography: implement enhanced cryptography for stored information, as well as encryption for user information in transit via websites and apps.

d) Logging and monitoring: increase and centralize log event retention to assist with detecting and investigating unauthorized activities on the network. Restrict and monitor outgoing traffic to the internet.

e) Security management framework: implement comprehensive data security policy, which provides for the creation of a Data Security Governance Board to ensure, among other things: (i) staff awareness via annual training regarding the policy and data security; (ii) policy compliance; and (iii) annual risk assessments, best-practice benchmarking and reviews so that the policy and associated data security measures remain adequate.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

Yes, there have been landmark cyber cases. They include the Lozanski v The Home Depot class action case [2016 ONSC 5447], in which the Ontario Superior Court approved a settlement agreement. This case is considered exemplary in handling data breaches. As mentioned in question 2.3, this was a class action filed after a breach of a payment card system gave hackers access to personal information such as customer credit card numbers and expiration dates. However, due to Home Depot's timely and proper response to the breach, Justice Perell stated that "(a) Home Depot apparently did nothing wrong; (b) it responded in a responsible, prompt, generous, and exemplary fashion to the criminal acts perpetrated on it by the computer hackers; (c) Home Depot needed no behaviour management" (at para 74). He concluded that Home Depot's liability in the totality of the circumstances was in the range of negligible to remote, and that Home Depot could not be blamed for the breach.

In contrast to Home Depot's exemplary behaviour, in 2017 Equifax reported that the personal information of approximately 145 million Americans and 100,000 Canadians had been breached. In this case, Canadian customers of Equifax Canada did not know that their information would be shared with Equifax Inc in the United States. Equifax was found to be ‘white labelling’ its product without adequate notice to Canadian customers.

In 2019 the OPC issued its Personal Information Protection and Electronic Documents Act (PIPEDA) Report #2019-001, "Investigation into Equifax Inc. and Equifax Canada Co.'s compliance with PIPEDA in light of the 2017 breach of personal information". It found that Equifax had contravened PIPEDA for not having express consent for the cross-border transfer and issued a series of recommendations. While not considered a landmark case, this remains noteworthy as it changed the direction of OPC policy for a short while. Up until the Equifax case, the OPC had taken the position that sharing of information with a third-party service provider constituted a ‘use’. However, the OPC findings in the Equifax case stated that the transfer of information constituted a ‘disclosure’ requiring express consent.

After the Equifax case and a consultation announced on 9 April 2019 (followed by a reframed discussion paper in June 2019), the OPC reverted to its position that the activities described above constituted a use, but emphasised the importance of being transparent in information handling practices.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

The 2019 cyberattack on medical test laboratory LifeLabs is one of the most significant security incidents in Canadian history. The personal health information of 15 million people in Ontario and British Columbia was compromised. This information included patient names, dates of birth, addresses, health card numbers and in some cases lab test results. On 17 December 2019 the Information and Privacy Commissioner of Ontario and the Office of the Information & Privacy Commissioner for British Columbia issued a statement of joint investigation into the cyberattack on the computer systems of LifeLabs. This case is also significant because in February 2020, LifeLabs' counsel filed a petition in the British Columbia Supreme Court asserting solicitor-client privilege over a report prepared by cybersecurity firm CrowdStrike and related documents. A March 2020 interim order of the Information and Privacy Commissioner of Ontario also canvassed the matter and ordered LifeLabs to produce the documents in question, finding that LifeLabs had not provided sufficient evidence to support the claim for legal privilege (https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/468594/index.do).

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

Some industries, in addition to those mentioned in question 1.2(a), have issued guidance documents and frameworks, including the Investment Industry Regulation Organization, which provided its members with a Cybersecurity Best Practices Guide comprising industry standards and best practices. The Mutual Fund Dealers Association of Canada has also provided guidance on creating cybersecurity frameworks through issuing a Cybersecurity Bulletin (#0690-C). The Canadian Security Telecommunications Advisory Committee has created Security Best Practices for Canadian Telecommunications Service Providers, which include guidance on network security, monitoring and detection capabilities and incident response plans.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

The Canadian Security Telecommunications Advisory Committee has issued Security Best Practices for Canadian Telecommunications Service Providers, which include guidance on network security, monitoring and detection capabilities and incident response plans.

The G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector encourage a risk-based approach to cybersecurity and set out best practices. The aim is greater financial system resilience through the design and implementation of cybersecurity policies and frameworks. Canada's Minister of Finance endorsed this guidance in 2017.

The Canadian Centre for Cyber Security (the Cyber Centre) is Canada's authority on cybersecurity. It consolidates the operational cybersecurity expertise previously spread across Public Safety Canada, Shared Services Canada and the Communications Security Establishment. The Cyber Centre is the operational authority for cybersecurity on certain projects, primarily within the government of Canada, and clients in that position must follow the Cyber Centre's directives.

The Harmonized Threat and Risk Assessment (TRA-1) Methodology, an unclassified publication produced before the Cyber Centre was created, also remains relevant.

The government of Canada has also published a "Get Cyber Safe" guide for small and medium-sized businesses.

Finally, the Canadian Cyber Threat Exchange is an important resource in Canada: https://cctx.ca/about-cctx/.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

Clause 4.7 of Schedule 1 to the Personal Information Protection and Electronic Documents Act (Principle 7, Safeguards) states that an organisation must protect personal information with security safeguards appropriate to the sensitivity of the information, including:

  • physical measures such as locked cabinets and restricted access to offices;
  • organisational measures such as security clearances and limiting access on a need-to-know basis; and
  • technological measures such as the use of passwords and encryption.

Under Section 31 of Canada's Anti-Spam Law, "An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against".

In addition, directors have fiduciary duties to the organisations they serve and can be liable if they breach those duties. Under Section 122(1) of the Canada Business Corporations Act, directors must act honestly, in good faith and in the best interests of the corporation, and must "exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances". As such, failure to address security risk could lead to director liability. This duty is owed to the corporation.

See question 1.2(a) for industry-specific requirements.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

Yes, there are specific rules for certain industries, including public entities. For example, the Office of the Superintendent of Financial Institutions expects senior management of federally regulated financial institutions to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks. For other examples, please see question 1.2(a).

There are also directives issued by the Cyber Centre to be followed by its clients, which include public organisations.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

Yes, this can be done through the Cyber Centre, which also issues industry security advisories intended for the respective organisation's IT professionals.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

A breach of security safeguards is the loss of, unauthorised access to or unauthorised disclosure of personal information resulting from a breach of the physical, organisational and technical safeguards that the Personal Information Protection and Electronic Documents Act (PIPEDA) requires, or from a failure to establish them. Where it is reasonable to believe that the breach creates a ‘real risk of significant harm' to an individual, PIPEDA (Section 10.1) requires notification to the Office of the Privacy Commissioner of Canada (OPC) and to the affected individuals. Even if there is no real risk of significant harm, the organisation must keep a record of the breach for two years from the day on which it became aware of the breach.

Under PIPEDA, a breach of security safeguards involving personal information includes all personal information and is not specific to any type of personal information.

Organisations should also notify other organisations, including government organisations, if they can reduce the risk of harm resulting from the breach.

The breach notification timeline is ‘as soon as feasible' after the breach is discovered.

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

A breach of security safeguards is the loss of, unauthorised access to or unauthorised disclosure of personal information resulting from a breach of the organisation's security safeguards referred to in Clause 4.7 of Schedule 1 to PIPEDA (physical, organisational and technological measures), or from a failure to establish those safeguards.

Organisations must keep a record of every breach of security safeguards involving personal information and must provide access to, or copies of, those records to the OPC on request. The records must contain enough information for the OPC to verify that the organisation is complying with its breach obligations and must be kept for two years following the day on which the organisation became aware of the breach (Sections 6(1) and 6(2) of the Breach of Security Safeguards Regulations (SOR/2018-64)).

As set out in Section 2(1) of the Breach of Security Safeguards Regulations, the report to the OPC must contain the following:

(a) a description of the circumstances of the breach and, if known, the cause;

(b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;

(c) a description of the personal information that is the subject of the breach to the extent that the information is known;

(d) the number of individuals affected by the breach or, if unknown, the approximate number;

(e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;

(f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and

(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner's questions about the breach.

If the organisation must notify the affected individuals, the notification must, under Section 3 of the Breach of Security Safeguards Regulations, include:

(a) a description of the circumstances of the breach;

(b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;

(c) a description of the personal information that is the subject of the breach to the extent that the information is known;

(d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;

(e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and

(f) contact information that the affected individual can use to obtain further information about the breach.

This notification can be in person, by phone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances (Section 4 of the Breach of Security Safeguards Regulations).

Whether a breach of security safeguards affects one person or thousands, it will still need to be reported if the organisation determines that there is a real risk of significant harm resulting from the breach.

In addition, PIPEDA requires organisations to notify other organisations, including government organisations, if they can reduce the risk of harm resulting from the breach.

The notification timeline is "as soon as feasible" after the breach is discovered.

Alberta's Personal Information Protection Act also has similar mandatory breach notification requirements, and both Alberta and British Columbia have issued helpful guidelines for breach scenarios under their respective Personal Information Protection Acts. Quebec is anticipated to follow with similar mandatory notifications to maintain its ‘substantially similar' designation with respect to PIPEDA. The Quebec privacy commission has also recently been more active in issuing guidelines.

Ontario's Personal Health Information Protection Act (PHIPA) also has specific breach notification requirements. In addition to notice to the affected individual (Section 12(2)), Section 12(3) requires mandatory notice to the Information and Privacy Commissioner of Ontario (IPC) where there is a theft, loss or unauthorised use or disclosure of personal health information in any of the seven circumstances set out in Section 6.3(1) of O Reg 329/04. In the event of a breach under PHIPA, individuals must be notified at the first reasonable opportunity and be given a statement informing them that they are entitled to make a complaint to the IPC. Health information custodians must also notify a healthcare practitioner's regulatory college within 30 days in any of the following situations (Responding to a Health Privacy Breach: Guidelines for the Health Sector, IPC, October 2018):

  • The practitioner was an employee or agent of the custodian and was terminated, suspended or subject to disciplinary action as a result of a breach;
  • The practitioner's privileges or affiliation has been revoked, suspended or restricted as a result of a breach;
  • The practitioner resigns and the custodian has reason to believe that the resignation is related to an investigation or other action carried out as a result of an alleged breach; or
  • The practitioner relinquishes or voluntarily restricts his or her privileges or affiliation and the custodian has reasonable grounds to believe that it is related to an investigation or other action carried out as a result of an alleged breach.

5.3 What steps are companies legally required to take in response to cyber incidents?

  • Keep a record of the incident as prescribed by Section 6(1) and 6(2) of the Breach of Security Safeguards Regulations under PIPEDA.
  • Assess whether there is a real risk of significant harm and, where it is determined that notification is not required, record the reasons why the organisation concluded that the incident did not pose a real risk of significant harm (Breach of Security Safeguards Regulations, Section 6(2)).
  • If there is a real risk of significant harm, notify the OPC and the affected individuals (PIPEDA, Sections 10.1(1) and (3)).

For detailed requirements please see question 5.2.
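The record-keeping and notification obligations in questions 5.2 and 5.3 lend themselves to a small breach register: every incident is recorded with the reasoning behind the real-risk-of-significant-harm (RROSH) determination, the 24-month retention clock starts on the day the organisation became aware of the breach, and the contents of the report to the OPC (Regulations, Section 2(1)) and of the notice to individuals (Section 3) are checked for completeness before anything is sent. The following is an added example, not code from the original article; the field names, function names and the sample incident are this example's own assumptions, and the section references in the comments point at the provisions cited above.

```python
"""Breach register modelled on PIPEDA s.10.1 and the Breach of Security
Safeguards Regulations (SOR/2018-64).  Added example; field names, function
names and the sample data are assumptions, not the article's or the OPC's."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BreachRecord:
    circumstances: str              # Regs s.2(1)(a), s.3(a)
    occurred: str                   # s.2(1)(b), s.3(b): day, period or approximate period
    info_description: str           # s.2(1)(c), s.3(c): personal information involved
    became_aware: date              # starts the 24-month retention clock (s.6(2))
    affected_count: Optional[int] = None   # s.2(1)(d); None while unknown
    affected_is_estimate: bool = False     # s.2(1)(d) allows an approximate number
    cause: Optional[str] = None     # s.2(1)(a) asks for the cause only "if known"
    org_mitigation: str = ""        # s.2(1)(e), s.3(d): steps the organisation took
    individual_steps: str = ""      # s.3(e): steps individuals can take themselves
    notification_plan: str = ""     # s.2(1)(f): how individuals are or will be notified
    contact: str = ""               # s.2(1)(g), s.3(f)
    rrosh: bool = False             # the organisation's RROSH determination
    rrosh_rationale: str = ""       # reasoning behind that determination, either way


def retention_end(became_aware: date) -> date:
    """Last day the record must be kept: two years after the organisation became
    aware of the breach (s.6(2)).  29 February rolls back to 28 February."""
    try:
        return became_aware.replace(year=became_aware.year + 2)
    except ValueError:
        return became_aware.replace(year=became_aware.year + 2, day=28)


def must_retain(record: BreachRecord, today: date) -> bool:
    return today <= retention_end(record.became_aware)


def check_record(record: BreachRecord) -> None:
    """s.6(2): the record must let the Commissioner verify compliance, so a breach
    judged NOT to pose a real risk of significant harm still needs written reasons."""
    if not record.rrosh_rationale.strip():
        raise ValueError("record must state the reasoning behind the RROSH determination")


def _require(record: BreachRecord, fields: List[str]) -> None:
    missing = [f for f in fields if not str(getattr(record, f) or "").strip()]
    if missing:
        raise ValueError("cannot notify: missing " + ", ".join(missing))


def opc_report(record: BreachRecord) -> dict:
    """Contents of the report to the OPC (s.2(1)(a)-(g)); only due where the
    organisation has determined a real risk of significant harm."""
    check_record(record)
    if not record.rrosh:
        raise ValueError("no RROSH determined: keep the record, no report is due")
    _require(record, ["circumstances", "occurred", "info_description",
                      "org_mitigation", "notification_plan", "contact"])
    if record.affected_count is None:
        number = "unknown"
    else:
        number = ("approximately " if record.affected_is_estimate else "") + str(record.affected_count)
    return {"circumstances": record.circumstances, "cause": record.cause or "unknown",
            "occurred": record.occurred, "personal_information": record.info_description,
            "number_affected": number, "risk_reduction_steps": record.org_mitigation,
            "notification_steps": record.notification_plan, "contact": record.contact}


def individual_notice(record: BreachRecord) -> dict:
    """Contents of the notice to each affected individual (s.3(a)-(f))."""
    check_record(record)
    if not record.rrosh:
        raise ValueError("no RROSH determined: no notice is due")
    _require(record, ["circumstances", "occurred", "info_description",
                      "org_mitigation", "individual_steps", "contact"])
    return {"circumstances": record.circumstances, "occurred": record.occurred,
            "personal_information": record.info_description,
            "organisation_steps": record.org_mitigation,
            "steps_you_can_take": record.individual_steps, "contact": record.contact}


def records_to_produce(register: List[BreachRecord], today: date) -> List[BreachRecord]:
    """Everything still inside its retention period, reportable or not: the set
    the OPC may ask for under s.6(1)."""
    return [r for r in register if must_retain(r, today)]


if __name__ == "__main__":
    # Constructed sample incident (not a real case): an unencrypted laptop.
    rec = BreachRecord(
        circumstances="unencrypted laptop stolen from an employee's car",
        occurred="2020-03-02", became_aware=date(2020, 3, 3),
        info_description="names, addresses, health card numbers",
        affected_count=1200, affected_is_estimate=True,
        org_mitigation="remote wipe issued; disk encryption now enforced by policy",
        individual_steps="watch for identity misuse; report suspicious activity",
        notification_plan="letter to each affected individual within 10 days",
        contact="privacy.officer@example.invalid",
        rrosh=True, rrosh_rationale="health card numbers enable identity fraud")
    print(opc_report(rec))
    print("retain record until", retention_end(rec.became_aware))
```

The register deliberately refuses to emit a report or notice for a record whose RROSH reasoning is blank, whichever way the determination went: the Regulations make the record, not the notification, the thing the OPC audits, and a "no risk" conclusion with no reasons is the gap most often found in a later review.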

In addition, there are industry-specific notification requirements such as the Canadian Securities Administrators' (CSA) Staff Notice 11-338, which pertains to market disruptions including large-scale cybersecurity incidents and includes notification requirements to regulators. According to the notice:

Regulated exchanges are also subject to incident reporting requirements under NI 21-101, and regulated clearing agencies to those found in NI 24-102. Additionally, systemically important clearing agencies are required to inform the Bank of Canada when they experience a market disruption event. Similar to regulated exchanges, alternative trading systems (ATSs) are required to inform the CSA in order to comply with the incident reporting requirements under NI 21-101 for marketplaces. Additionally, ATSs conducting business in Canada are required to inform the Investment Industry Regulatory Organization of Canada when they experience a material systems incident.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

The Office of the Superintendent of Financial Institutions expects the senior management of federally regulated financial institutions to "review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks" (Cybersecurity Self-Assessment Guidance).

Corporate directors' fiduciary duties also apply to how they handle cybersecurity incidents, and directors can be found in breach if they have failed, for example, to act honestly, in the best interests of the organisation and with reasonable care. This could include, for example, failing to put in place a robust cybersecurity plan (including threat and risk assessments), failing to require regular reporting on cybersecurity to the board, or failing to confirm that appropriate policies are in place.

Liability under Canada's Anti-Spam Law (CASL) includes liability under Section 31, whereby directors, officers, agents and mandataries of a corporation can also be held liable if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation. Under Section 20(4) of CASL, the maximum penalty for a violation is C$1 million in the case of an individual and C$10 million in the case of any other person.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

Yes, many organisations carry such policies. Often, they are required to do so by virtue of commercial contracts; and increasingly, companies are securing cyber insurance in addition to general liability coverage.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA) are anticipated in the near future, but no dates have been set as yet.

Potential privacy reforms for Quebec are also anticipated. Quebec's minister of justice has announced her intention to introduce a bill to modernise the Act respecting the Protection of Information in the Private Sector (CQLR c P-39.1) by drawing on the stringent privacy legislation of the General Data Protection Regulation. If the bill passes, it could become the most onerous privacy law in Canada. Currently, the Quebec privacy reform efforts are on hold due to the COVID-19 pandemic.

Organisations will be additionally mindful of mandatory breach notification requirements now in force, given that there has been an increase in the number of class action lawsuits for breach incidents under PIPEDA, and the number of such cases is expected to rise.

Canada's Digital Charter – which includes 10 guiding principles that resulted from consultations with Canadians – advocates for several digital principles, including strong enforcement and real accountability (Principle 10). Similarly, the Office of the Privacy Commissioner of Canada (OPC) has advocated for strong enforcement measures for the principles that are found in Schedule 1 of PIPEDA. The government's White Paper on Strengthening Privacy for the Digital Age: Proposals to Modernize PIPEDA highlights the need for stronger financial penalties for organisations that do not comply with data protection laws. It further recognises that the federal privacy enforcement model – which is largely based on recommendations and recourse to the Federal Court – is outdated and does not incentivise compliance.

In a 2019 report to Parliament entitled "Privacy Law Reform – A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy", the OPC expressed similar concerns about lack of enforcement powers, including the power to investigate and impose large fines on organisations that do not adequately safeguard personal information.

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

The COVID-19 pandemic has augmented the existing security risks in organisations and has made it even more challenging to secure networks and data assets. Remote working arrangements, in an environment where individuals are already under stress and high levels of anxiety, make them more vulnerable to phishing attempts; and the sheer volume of remote connections directly increases the chances of a successful cyberattack.

The best way to address these risks is to plan and prepare. This includes having proper policies and response plans in place that are updated regularly, including mobile device and remote working policies and breach response plans, backed by adequate training for employees. From a technical standpoint, best practices include ensuring that the organisation's security measures align with a recognised framework (eg, ISO 27001 or NIST) and continue to meet the organisation's privacy obligations (ie, to have adequate security safeguards in place). Organisations should also ensure that storage drives are encrypted, devices are patched, anti-virus and anti-malware software is installed and up to date, and employees are using two-factor authentication. Other best practices include email filtering tools that flag suspicious messages and help prevent phishing attempts.

When a service provider asks to amend an agreement or to waive a previously agreed data management measure (eg, a prohibition on employees working from home), the consequences should be carefully considered against the organisation's own obligations before the request is accepted.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.