This year has seen a number of interesting developments in Canadian cyber security. While the first wave of data breach cases slowly work their way through the court system, guidance for Canadian businesses has come from many other sources, including the federal government and regulators. These offer the clearest views to date on what these regulators consider the acceptable minimum standards businesses should be taking, and consequently may be helping define a standard of care. This article summarizes some of this guidance, which businesses and the lawyers advising them should be mindful of when assessing risk exposure from cybersecurity issues.
A digital charter for Canada
In May 2019, the Minister of Innovation, Science and Economic Development (ISED) announced the arrival of Canada’s Digital Charter. More manifesto than law, the Digital Charter sets out principles intended to establish a “foundation for modernizing the rules that govern the digital sphere in Canada and rebuilding Canadians’ trust in these institutions.” Among the principles most germane to Canadian business are the following:
- Control and consent : Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.
- Transparency, portability and interoperability : Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.
- Strong enforcement and real accountability : There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.
These principles have obvious privacy law implications and, indeed, the government announced its intention to examine and update existing privacy laws and to strengthen the enforcement powers of the Office of the Privacy Commissioner (OPC).
The OPC and third-party data transfers
Also in 2019, the OPC reopened (and then, temporarily, closed) a long-settled debate about consent and data transfers between organizations under Personal Information Protection and Electronic Documents Act (PIPEDA). Up till April of this year, it was understood (and, indeed, it was the OPC’s publicly stated position) that companies transferring data to other companies for the purpose of processing the data could do so without the prior consent of the individuals whose personally identifiable information (PII). In releasing its findings with respect to the Equifax breach, the OPC announced its new view that “organizations must obtain express consent where individuals would not reasonably expect the transfer,” not withstanding that this new interpretation was “a departure from [the OPC’s] previous position which has led to a re-examination of its guidance on cross-border data flows for businesses.”
The OPC initially announced a public consultation on its position on consent, which was subsequently disrupted by the announcement of the Digital Charter, causing the OPC to broaden the consultation process to consider stakeholder views “both on how the current law should be interpreted and applied in these contexts, and on how a future law, which may follow the publication by the federal government of its Digital Charter on May 21, should provide effective privacy protection in the context of transfers for processing.”
Businesses and privacy practitioners expressed concerns about the workability of a requirement of express consent. In the end, the OPC announced that its decade-old guidelines for cross-border processing of personal data—which had enshrined the notion that prior consent was not required—would “remain unchanged under the current law” while OPC instead focuses on reforming PIPEDA. It remains to be seen whether the OPC will recommend that a revised PIPEDA establish a prior consent requirement.
CCCS’s Baseline Cyber Security Controls for Canadian Businesses
In March 2019, the Canadian Centre for Cyber Security (CCCS) released its guidelines for Baseline Cyber Security Controls for Small and Medium Organizations. The guidelines arise from the CCCS’ 2018 National Cyber Threat Assessment, which is itself part of a larger government focus on ensuring Canada is prepared for the surge in cybersecurity issues.
The CCCS, launched in 2018, is part of the federal Communications Security Establishment. It is mandated with emergency response assistance for, among other things, cyber incidents. It also acts as a liaison with the private sector, and serves an educational function for the public at large.
The guidelines are a pragmatic approach recognizing and attempting to reconcile the fact that cyber incidents are almost an inevitability with the truth that robust security plans for cyber incidents can be very resource-heavy, particularly for small and medium-sized entities. While not a complete answer in assisting organizations address their responsibilities, it offers a robust starting point and best practices that can sharply reduce the likelihood and potential damage from a cyber incident.
The guidelines begin with a brief rubric for determining whether the guidelines are appropriate for the circumstances of the organization. This includes consideration of:
- The organization’s size;
- What information technology is utilized by the organization;
- The value of the information systems and the contained assets (with consideration of what a breach on the confidentiality, integrity, or availability of the information might mean);
- The degree to which an organization is threatened by cyber security breaches;
- Whether there is a person in a leadership role with responsibility for IT security; and
- The level of investment in cyber security.
Following the internal assessment, the CCCS recommends an organization:
- Develop a plan to assist with detecting, monitoring, and responding to incidents;
- Develop protocols to automatically install patches for operating systems and applications to address exploits;
- Enable security software on networked devices;
- Secure networked devices by ensuring all default profiles and passwords on devices are changed, and unnecessary functionality is disabled;
- Utilize strong user authentication, such as two-factor authentication;
- Provide training to employees on basic security practices;
- Encrypt and backup data, ideally to a secure external location;
- Secure access and use of mobile networked devices, such as cell phones;
- Establish perimeter defences such as firewalls;
- Ensure outsourced cloud and IT services are secure;
- Ensure any websites controlled by the organization with sensitive information adhere to recognized secure protocols;
- Implement access control and authorization protocols for user access; and
- Secure portable media and control use and access.
Many of the recommended steps may appear to be simple common-sense, but the guidelines are a notable attempt at incorporating disparate elements involving IT, HR, and management into a cohesive strategy encompassing both obvious and less-obvious areas of vulnerability an organization may have.
Cyber security for medical devices
Canada’s approach to both cyber security and privacy tends to principles-based rather than prescriptive. Consequently, it tends to be short on technology-specific guidance. Health Canada bucked this trend in June by releasing a guidance document to assist medical device manufacturers in making their products more cyber secure. The document cites the National Institute of Standards and Technology (NIST) document “Framework for Improving Critical Infrastructure Cybersecurity” and establishes a number of design principles for medical devices, including “secure communications,” “data integrity and confidentiality,” and “user access”; it also sets out license application requirements to allow Health Canada to assess whether devices are sufficiently secure. While guidance documents do not have the force of law, they may provide a yardstick against which to measure the extent to which manufacturers of compromised devices observed their standard of care.
More input from OSFI
The Office of the Superintendent of Financial Institutions (OSFI) has been among the more proactive of Canadian regulators in providing cyber security guidance to its constituents. In January, OSFI released an advisory (which came into force March 31, 2019). The Advisory establishes a mandatory reporting requirement (to OSFI, not to the OPC) for federally regulated financial institutions that requires them to report technology or cyber security incidents (defined to include incidents that “have the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”) to their Lead Supervisors where such incidents are deemed by the institution to “be of a high or critical severity level.” The advisory sets out characteristics and examples of reportable incidents to assist institutions in determining whether incidents must be reported. Notably, the advisory requires incidents be reported as quickly as possible but no later than 72 hours after an incident is determined to be reportable. This is more prescriptive and arguably shorter deadline than those imposed under federal and provincial privacy statutes.
Canadian businesses are finishing 2019 with a better understanding of what is expected of them by the government and regulators with respect to their cyber security position. This will assist proactive businesses in addressing their exposure to cybersecurity risks, and also may assist in articulating the standard of care if and when a breach leads to litigation. It will be interesting to watch this trend further develop in 2020, and how businesses respond.
By Brent J. Arnold and Kavi Sivasothy, Gowling WLG
 OPC, “Guidelines for processing personal data across borders” (January 2009).
 OPC, “Commissioner concludes consultation on transfers for processing” (September 23, 2019).
 Defined as having fewer than 500 employees.