Cybersecurity 2020

Last Updated March 16, 2020

Canada

Law and Practice

Authors



Blake, Cassels & Graydon LLP is a multidisciplinary team of lawyers with significant technology, regulatory, privacy, employment, financial services, crisis management and litigation expertise. The firm understands the complex, interrelated legal, technical and compliance issues involved in cybersecurity. Its experienced team advises clients at all points along the cyber-risk spectrum: from risk mitigation to incident response and dispute resolution. Blakes works with clients across a wide range of industries to proactively develop measures and controls for mitigating the risk of a data breach. It has particular expertise advising on compliance requirements in highly regulated industries. In the immediate aftermath of a cyber-attack, it works with subject-matter experts within the firm and other external advisers to provide strategic and expedient counsel. Blakes has the expertise and experience to defend class actions and other litigation resulting from data breaches. It offers true cross-border experience: members of the team have acted in the USA as counsel to major retailers and service providers in responding to litigation and US government investigations arising from their data breaches.

In Canada, cybersecurity, data breach notification and incident response requirements are governed by several legal frameworks, including privacy legislation, anti-spam legislation, criminal offences, common law torts, as well as by industry standards.

Several Canadian data privacy laws impose mandatory data breach reporting and notification requirements, including the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is federal private sector privacy legislation that applies to organisations in the course of conducting commercial activities. As of November 2018, PIPEDA includes mandatory breach reporting, notification, and record-keeping requirements.

In addition, three Canadian provinces, Alberta, British Columbia and Québec, have enacted provincial-level private sector privacy legislation that applies to the collection, use and disclosure of personal information by private sector organisations within those provinces. These are Alberta’s Personal Information Protection Act (the Alberta PIPA), British Columbia’s Personal Information Protection Act (the BC PIPA), and Québec’s Act respecting the protection of personal information in the private sector (the Québec Act). Several jurisdictions also require health information custodians to report breaches and to notify individuals of breaches involving personal health information.

Certain provinces have also created statutory torts, pursuant to which individuals can bring a claim for breach of their privacy (without proof of damages).

Additionally, federal legislation of general application addressing certain aspects of cybersecurity includes:

  • Canada’s Anti-Spam Legislation (CASL) – in addition to establishing strict consent and unsubscribe requirements for electronic marketing and the installation of computer programs, the law governs the harvesting of electronic addresses, in which bulk lists of email addresses are compiled through mechanisms that include the use of computer programs to mine the internet for addresses automatically, and the collection of personal information through illicit access to other people’s computer systems, primarily through means such as spyware;
  • the Protecting Canadians from Online Crime Act (PCOCA), which has been in force since 10 March 2015, protects against various forms of cybercrime, including non-consensual distribution of intimate images; and
  • Canada’s Criminal Code, which makes it an offence to use a device wilfully to intercept a private communication without the express or implied consent of the originator or intended recipient, or to intercept fraudulently and without colour of right any function of a computer system.

Canada’s federal privacy legislation is enforced by the Office of the Privacy Commissioner of Canada (OPC). The Privacy Commissioner is an officer of Parliament who is appointed under the Privacy Act. The OPC’s jurisdiction under PIPEDA includes:

  • investigating complaints brought by individuals against an organisation for contravening PIPEDA;
  • initiating a Commissioner-led complaint if there are reasonable grounds to believe that a contravention of PIPEDA may have occurred;
  • seeking orders in the Federal Court that an organisation corrects its practices or to enforce a compliance agreement that the OPC has entered with the organisation;
  • auditing the personal information management practices of an organisation if there are reasonable grounds to believe that the organisation has contravened PIPEDA or is not following a recommendation in Schedule 1 to the Act;
  • conducting research relating to the protection of personal information;
  • engaging in awareness programmes to foster public understanding of the purposes of PIPEDA.

Financial regulators within Canada have issued framework documents, notices, guidance and memoranda to address cybersecurity requirements to be addressed by the entities whom they regulate. The Office of the Superintendent of Financial Institutions (OSFI) and the Canadian Securities Administrators (CSA) each provide guidance to address the cybersecurity risks for organisations subject to their regulation.

Other regulators have also released guidance documents, for example: the Investment Industry Regulatory Organization of Canada released a Cybersecurity Best Practices Guide and a Cyber Incident Management Planning Guide and requires investment firms to report cybersecurity incidents; the Mutual Fund Dealers Association of Canada released a compliance bulletin regarding development and implementation of cybersecurity procedures and controls.

The OPC is an ombudsman. It can only investigate, make recommendations, and apply to the Federal Court for a hearing. The OPC cannot order compliance with PIPEDA, assess monetary penalties, or issue a notice of violation.

The powers of the Commissioner in the conduct of an investigation include:

  • summoning and enforcing appearances of persons before the OPC and compelling them to give oral or written evidence on oath and to produce any records or item necessary;
  • administering oaths;
  • receiving and accepting evidence;
  • entering any premises, other than a dwelling-house, occupied by an organisation at any reasonable time;
  • conversing in private with any person in any premises entered;
  • examining or obtaining copies or extracts from records in any premises entered.

The OPC must prepare a report of findings from the investigation within one year of the initiation of a complaint that sets out, among other things, all findings and recommendations in the matter or any settlement that was reached by the parties. The report must be sent promptly to the organisation and the complainant and include notice of any possible recourse to the Federal Court. The report of findings is made public and may name the organisation.

A complainant has no right to apply to the Federal Court until the OPC issues a report of findings or notifies the complainant that the investigation has been discontinued. A complainant is entitled to apply to court for a hearing even if the OPC has responded favourably to their complaint. The Federal Court may, in addition to any other remedies it may give, order an organisation to correct its practices, order an organisation to publish a notice of any action taken or proposed to be taken to correct its practices, and award damages to the complainant, including damages for any humiliation the complainant has suffered.

PIPEDA provides for a number of offences, punishable on summary conviction and as indictable offences with fines up to CAD10,000 and CAD100,000, respectively, which are generally limited to more egregious breaches of the statute, such as failing to record or report a data breach or punishing a whistle-blower. These offences are not prosecuted by the OPC, but the OPC can disclose to the Attorney General of Canada or of a province information relating to the commission of an offence.

An organisation in Canada may be bound by provincial and federal legislation, as well as by legislation from other jurisdictions, such as the GDPR. For instance, PIPEDA provides that organisations or classes of activities that are subject to “substantially similar” provincial legislation may be exempted from the application of PIPEDA. Each of the Alberta PIPA, the BC PIPA and the Québec Act has been designated by the federal government as “substantially similar” for the purposes of the exemption in PIPEDA, and so PIPEDA will not apply to a collection, use or disclosure of personal information that takes place wholly within those provinces. However, PIPEDA will apply (in addition to the relevant provincial statute) if the collection, use or disclosure of personal information takes place across a provincial (or international) border, including where personal information is collected in one province and stored in another.

The Canadian Centre for Cyber Security (CCCS) is the federal government’s technical authority for expert advice, guidance, services and support on cybersecurity for government, critical infrastructure owners and operators, the private sector and the Canadian public. Its mandate includes providing advice, guidance and services to ensure the protection of computer networks and electronic information. The CCCS offers advice, guidance and information for the public. Sharing of cybersecurity information with the government is encouraged in Canada. The CCCS collaborates with private-sector organisations and shares threat information with them through the Canadian Cyber Threat Exchange (CCTX).

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security. Citizen Lab’s research includes: investigating digital espionage against civil society, documenting internet filtering and other technologies and practices that impact freedom of expression online, analysing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.

Canada’s privacy legislation generally reflects the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. These guidelines embody the “fair information practices” common in European data protection laws. However, enforcement of privacy rights in Canada is generally less aggressive than in other jurisdictions.

In April 2019, the OPC, jointly with the Information and Privacy Commissioner for British Columbia, released its report of findings into Facebook’s sharing of personal information with third-party applications. The investigation was triggered by the Cambridge Analytica revelations.

The report identified several deficiencies in Facebook’s personal information handling practices, including a failure to obtain meaningful consent for the sharing of personal information with third-party applications, and a failure to meet accountability obligations (in particular, relying on third-party applications to obtain consent on its behalf without exercising due diligence to ensure that such consents were actually being obtained). The OPC and the BC IPC made a number of recommendations to Facebook to improve its practices, but Facebook refused. The OPC filed a Notice of Application in the Federal Court in February 2020 seeking a declaration that Facebook contravened PIPEDA and an order requiring Facebook to take certain steps to come into compliance.

A recent decision of the Ontario Superior Court suggests that judges are increasingly willing to certify class actions brought in respect of data breaches. That willingness, when combined with the nearly Canada-wide statutory obligations to report privacy breaches whenever there is a “real risk of significant harm”, means that companies that suffer a data breach involving sensitive information belonging to a large group of individuals should expect to be the subject of a class action.

Based on the decision in Stewart v Demme, a class action is likely to be certified if the type of sensitive information accessed is the same for all affected individuals. In the interests of avoiding the significant costs of defending class proceedings (not to mention the liability risk), organisations would be well-advised to devote additional resources to improving privacy protection.

In the spring of 2019, the federal government announced Canada’s new Digital Charter and its intention to modernise PIPEDA. While no specific amendments have been proposed, the government has identified several potential enhancements including:

  • more prescriptive informed consent requirements;
  • additional exceptions from the consent requirement to allow for personal information processing for standard business purposes;
  • a right to data portability and erasure in certain circumstances;
  • incorporating a requirement for demonstrable accountability, including in the context of transborder data flows;
  • introducing algorithmic transparency requirements for automated decision-making;
  • adding a definition of de-identified data and an exception from the consent requirement for certain prescribed purposes;
  • introducing provisions to facilitate and promote innovation, such as the use of data trusts and the creation of codes of practice, certifications and standards; and
  • enhancing the OPC’s enforcement powers.

Federal Private Sector Privacy Law

Canadian privacy laws regulate the collection, use and disclosure of “personal information”, which is generally defined as any information about an identifiable individual. According to case law, information will be about an identifiable individual if there is a serious possibility that the individual could be identified from the information alone or in combination with other information.

For constitutional reasons, PIPEDA will not apply in respect of the processing of employee personal information for employment purposes unless the organisation is a federal work, undertaking or business. An organisation collecting, using or disclosing personal information within a province may be exempted by the federal government from compliance with PIPEDA on the basis that the province has enacted legislation that is “substantially similar” to PIPEDA. Québec, Alberta and British Columbia are currently the only provinces with in-force comprehensive private sector privacy legislation, and each of these provincial statutes has been declared to be “substantially similar” to PIPEDA. It is important to note, however, that even if an exemption has been granted, PIPEDA will apply (in addition to the provincial statute) to a collection, use or disclosure of personal information that takes place across an international or provincial border.

PIPEDA reflects the Organisation for Economic Co-operation and Development (OECD) privacy framework, and is structured around ten "fair information practice" principles, namely:

  • accountability;
  • identifying purposes;
  • consent;
  • limiting collection;
  • limiting use, disclosure and retention;
  • accuracy;
  • safeguards;
  • openness;
  • individual access; and
  • challenging compliance.

PIPEDA contains several provisions relevant to data protection and cybersecurity, including the following.

  • Organisations to which PIPEDA applies are responsible for personal information under their control and must designate an individual or individuals who are accountable for compliance with the principles established in Schedule 1 of the Act.
  • Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
  • Security safeguards must protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification, regardless of the format in which it is held. The nature of the safeguards will vary depending on: the sensitivity of the information that has been collected; the amount, distribution and format of the information; and the method of storage.
  • Organisations must be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organisation’s policies and practices without unreasonable effort.
  • Organisations must notify the Office of the Privacy Commissioner of Canada (OPC), affected individuals, and certain other organisations or government institutions, if it is reasonable to believe that a breach of the security safeguards protecting personal information poses a “real risk of significant harm” to affected individuals. Knowingly failing to meet the notification requirement is an offence punishable by fines up to CAD100,000.
  • Organisations must keep a record of every breach of security safeguards involving personal information under their control. Knowingly failing to record every breach is an offence punishable by fines of up to CAD100,000.

It may be helpful to note that PIPEDA has been held to apply to organisations located outside of Canada where there is a “real and substantial connection” between the organisation’s activities and Canada. A.T. v Globe24h.com is considered the leading case on this issue. Whether or not a real and substantial connection exists is to be determined taking into account all relevant factors including, for internet operations in particular, the location of the target audience and where the organisation’s marketing efforts are directed, the source of the content, the location of the operator, the location of the host server, the location of the contract, the location of preparatory activities and the location to which information and profits flow.

Provincial Private Sector Privacy Laws

As indicated above, Québec, Alberta and British Columbia are currently the only provinces with comprehensive private sector privacy statutes that have been declared to be “substantially similar” to PIPEDA. These are British Columbia’s Personal Information Protection Act (the BC PIPA), Alberta’s Personal Information Protection Act (the Alberta PIPA) and Québec’s Act respecting the protection of personal information in the private sector (the Québec Act).

The provincial statutes are largely based on the same principles as PIPEDA, but contain some notable differences which may relate to cybersecurity, as listed below.

Under the Québec Act, a Québec enterprise may not communicate personal information outside Québec, nor entrust a person outside Québec with the task of holding, using or communicating such information, unless certain steps are taken to ensure compliance with the Act. If the person considers the personal information being communicated outside Québec will not receive the protection required, the person must refuse to communicate the information outside Québec.

Under the Alberta PIPA, where an organisation uses a service provider outside of Canada to collect, use or disclose personal information, the organisation must, at the time personal information is collected, notify individuals as to how they can obtain information about the organisation’s policies and practices with respect to the use of service providers outside of Canada, including the name, position or title of a person who is able to answer questions on behalf of the organisation. The foregoing requirement only applies when personal information is collected with consent, but the circumstances in which personal information may be collected without consent are limited. The organisation is also required to include in its privacy policy or in a separate document, the countries outside of Canada in which the collection, use or disclosure of personal information may occur and the purposes for which the service provider outside of Canada has been authorised to collect, use or disclose personal information on behalf of the organisation.

Organisations must notify Alberta’s Information and Privacy Commissioner (Alberta IPC), without delay, of a loss of or unauthorised access to or disclosure of personal information if a reasonable person would consider there exists a real risk of significant harm to an individual as a result of the loss, access or disclosure. The Alberta IPC can then direct the organisation to notify individuals of the loss, access or disclosure. Organisations are also able to notify individuals on their own initiative.

Provincial Personal Health Information Law

Several Canadian provinces have enacted health-sector specific privacy legislation. These statutes apply to the collection, use and disclosure of personal health information by doctors, nurses, hospitals, pharmacies and similar healthcare providers or entities (generally referred to as “health information custodians”). While these statutes do not generally apply outside of the health sector, certain provisions do apply to organisations that provide services to organisations in the health sector.

It may be helpful to note that these statutes generally require health information custodians to implement security safeguards for the handling of personal information. Some of these statutes also include mandatory breach reporting requirements similar to the requirements under PIPEDA. However, unlike the OPC, most provincial privacy commissioners are able to make orders resulting from non-compliance.

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation (CASL) establishes rules for sending commercial electronic messages and installing computer programs. CASL is relevant for cybersecurity because it contains provisions aimed at viruses and spyware. CASL prohibits:

  • the alteration of the transmission data in an electronic message so that the message is delivered somewhere other than, or in addition to, the destination specified by the sender;
  • the installation of a computer program on another’s computer system in the course of commercial activity without consent; and
  • the aiding, inducing, procuring or causing any of the above.

The prohibitions apply if the installer (or the party directing the installer) is located in Canada, or if the target computer system is located in Canada. It may be helpful to note that CASL deems consent to exist for the installation of a cookie, HTML code or JavaScript unless the conduct of the user suggests otherwise (eg, the user has disabled cookies). Violations of CASL can result in administrative monetary penalties of up to CAD1 million per violation by an individual and CAD10 million per violation by an organisation.

Criminal Offences

In Canada, it is not a criminal offence for an organisation to fail to implement cybersecurity measures. However, there are several Canadian Criminal Code offences which could apply in a situation involving the exploitation of a security vulnerability. For instance, the Criminal Code prohibits:

  • wilfully intercepting private communications, with a maximum sentence of five years’ imprisonment;
  • fraudulently obtaining, or attempting to fraudulently obtain, any computer service or intercepting any function of a computer system, with a maximum sentence of ten years’ imprisonment;
  • mischief, which includes obstructing, interrupting or interfering with the lawful use of computer data and denying access to computer data to a person who is entitled to such access, with a maximum sentence of ten years’ imprisonment;
  • making, possessing, selling, offering for sale, importing, obtaining for use, distributing or making available a device that is designed or adapted primarily to commit an offence under Section 342 (hacking) or Section 430 (mischief), knowing that the device has been used or is intended to be used to commit such an offence, with a maximum penalty of up to two years’ imprisonment; and
  • phishing, which constitutes fraud.

Certain criminal offences require proof of criminal intent and may not apply where undertaken with consent.

It may also be helpful to note that Section 6(2) of the Criminal Code provides that “no person shall be convicted of an offence that takes place outside of Canada”. According to Supreme Court of Canada jurisprudence, a Canadian court may assume jurisdiction where a significant portion of the activities constituting the offence took place in Canada.

The Criminal Code also provides the Canadian state with broad powers to investigate criminal activities, including permitting searches of computer systems and the production and seizure of data, and allows a court to make data preservation orders and non-disclosure orders in some circumstances.

Other Relevant Statutes

The Copyright Act prohibits circumvention of a “technological protection measure” including any technology, device or component that controls access to a work or sound recording or restricts violations of certain copyright provisions. Circumventing a technological protection measure includes descrambling a scrambled work, decrypting an encrypted work or otherwise avoiding, bypassing, removing, deactivating or impairing the technological protection measure without consent. Violations of Section 41 can lead to fines of up to CAD1 million or imprisonment for up to five years or both.

Export control laws may also have some cybersecurity implications. For instance, Canada’s Export Control List identifies specific goods and technologies, including some computer systems, equipment, components and software designed or modified for the generation, command and control or delivery of “intrusion software”.

Common Law Considerations

In Jones v Tsige, the Ontario Court of Appeal recognised four privacy torts from the American Restatement of Torts, including “intrusion upon seclusion”. This claim is made out where one intentionally (or recklessly) intrudes, physically or otherwise, upon the seclusion of another or their private affairs or concerns, if the invasion would be highly offensive to a reasonable person. The court awarded relatively modest damages of CAD10,000 in that case, stating that damages for privacy invasions should generally be limited to a maximum of CAD20,000.

One motivation for recognising this tort in Canadian law was the unprecedented power of organisations to capture and store vast amounts of personal information using modern technology. This claim, however, does not turn on the use of any particular technology, but on the intention or reckless action of the intruder.

It may be helpful to note that it is not yet settled in Canadian law whether intrusion upon seclusion can be made out through vicarious liability. However, in 2019 the Ontario Superior Court of Justice certified a class proceeding regarding a data breach which included a claim for vicarious liability for intrusion upon seclusion. The court left the question of whether the subsequent misuse of personal information obtained without authorisation from a data controller is enough to escape vicarious liability to trial.

In 2016, the Ontario Superior Court of Justice introduced the tort of “publicity given to private life” in Jane Doe 464533 v N.D. The elements of this tort include the public disclosure of private facts or matters which would be offensive and objectionable to a reasonable man of ordinary sensibilities. In this case the judge awarded the plaintiff CAD100,000 for breach of dignity and personal autonomy.

The expanding basis of liability for breach related claims is not limited to privacy torts. In recent years, Canadian courts have also broadly interpreted the scope of certified class actions by allowing claims in negligence, breach of confidence, breach of fiduciary duty and breach of contract.

For example, in Condon v Canada, the appellants were students of the Canada Student Loans Program whose information was lost on a misplaced hard drive. The Federal Court judge granted a partial certification of the class for breach of contract.

Despite the low bar to certify class proceedings in Canada, class actions based on third party hacking may be rejected when the “type and amount” of personal information affected by a breach varies between different categories of class members. In Kaplan v Casino Rama, a class certification motion, which arose out of a cyber-attack on a casino’s computer systems, was declined because the action “collapses in its entirety at the requirement of commonality”.

While the common law in this area continues to evolve, it is now generally accepted that while companies are also victims of criminal hacking efforts, organisations could be liable for the harm to affected individuals if their inaction or insufficient security measures facilitate an intrusion into their systems. Courts continue to favourably consider an organisation’s prompt and effective management of a cyber-incident, including co-operation with regulators and timely notice to affected individuals.

In the event of a cyber-incident, shareholders could bring a claim against an organisation’s directors and officers for breaching their fiduciary duty. It is noteworthy that such claims usually seek damages for mismanagement, not for breach of privacy. No such claim has been filed in Canada to date; however, it may be useful for companies to remain aware of similar developments in the USA.

Compliance with PIPEDA or provincial privacy laws is generally enforced by the Information and Privacy Commissioner of that jurisdiction; however, certain offences can be prosecuted by the Attorney General.

CASL is enforced by the Canadian Radio-television and Telecommunications Commission (the CRTC), the OPC and the Competition Bureau.

The Canadian Centre for Cyber Security (CCCS) is the federal government’s technical authority for expert advice, guidance, services and support on cybersecurity for government, critical infrastructure owners and operators, the private sector and the Canadian public. Its mandate includes providing advice, guidance and services to ensure the protection of computer networks and electronic information. The CCCS offers advice, guidance and information for the public. Sharing of cybersecurity information with the government is encouraged in Canada. The CCCS collaborates with private-sector organisations and shares threat information with them through the Canadian Cyber Threat Exchange (CCTX).

See 1.3 Administration and Enforcement Process.

The Office of the Superintendent of Financial Institutions (OSFI), an independent federal government agency that regulates and supervises federally regulated financial institutions, including all banks in Canada as well as various trust and loan companies, insurance companies and pension plans, issued a memorandum in October 2013 that provided "cyber-security self-assessment guidance". OSFI may review the cybersecurity practices of institutions subject to its regulation during its supervisory assessments.

Other financial services self-regulatory entities, including the Canadian Securities Administrators (CSA), the Investment Industry Regulatory Organization of Canada (IIROC) and the Mutual Fund Dealers Association of Canada (MFDA), have published guidance on cybersecurity and reporting.

The Canadian energy sector has also taken measures to address cybersecurity. The Ontario Energy Board (OEB) has mandated licensed electricity transmitters and distributors in Ontario to use an industry-developed Ontario Cyber Security Framework through a Notice of Amendments to the Ontario Transmission System Code and Distribution System Code. As of June 2018, transmitters and distributors were required to report to the OEB on their cybersecurity readiness and to provide self-certification to the OEB on an annual basis.

In 2012, the Canadian Nuclear Safety Commission initiated the development of the Canadian Standards Association (not to be confused with the securities administrators above) standard CSA N290.7-14, Cyber Security for Nuclear Power Plants and Small Reactor Facilities. This standard requires Canadian nuclear operators to adopt cybersecurity measures for specifically identified IT systems.

There are no legally recognised technical standards for cybersecurity in Canada. The Government of Canada has endorsed the Cybersecurity Framework developed by the United States’ National Institute of Standards and Technology (NIST). Other commonly used standards are ISO 27001, COBIT and ITIL.

The CCCS recommends using Common Criteria certified products when selecting an IT product for a service or network design in order to mitigate risk within designs for elements such as firewalls, intrusion detection/prevention systems, and operating systems. The Common Criteria is an international programme in which accredited laboratories test IT products against standard cybersecurity specifications called "protection profiles" (PPs). These PPs set out the security functional and assurance requirements for a class of technology. Vendors of products that implement IT security functionality are encouraged to contact one of the commercial labs operating under the Canadian Common Criteria Program to obtain certification for their products.

There is no consensus or commonly applied framework for “reasonable security”. However, under PIPEDA, it is understood that the nature of the safeguards will vary depending on: the sensitivity of the information that has been collected; the amount, distribution and format of the information; and the method of storage.

Canadian private-sector privacy laws require organisations to provide security for the personal information they hold, and to protect such information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. Security safeguards must be appropriate to the sensitivity of the information, such that highly sensitive information – for example, financial or health information – will require higher security.

While Canada’s private-sector privacy laws impose an obligation to provide appropriate security to personal information, including physical, organisational and technological protection measures, they do not prescribe specific security measures. Rather, organisations must determine the appropriate protection based on the nature of the information they hold. Appropriate security may include the implementation of protection measures such as the use of firewalls, hashing and encryption of sensitive information, and intrusion detection systems. Certain information classes may also require compliance with relevant industry standards, such as the Payment Card Industry Data Security Standard.
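Hashing is listed above as one possible safeguard. As an added example (not code from the original page), the following Python shows why an unkeyed hash of a low-entropy identifier such as a nine-digit social insurance number (SIN) offers little protection if the hashed values leak, and how a keyed pseudonym (HMAC with a secret key) holds up against the same attack. The SIN value is a constructed Luhn-valid sample, not a real person's number; the attacker model (partial knowledge of the leading digits) and the key handling are assumptions made for the illustration.

```python
"""Added example: plain hash vs keyed pseudonym for a low-entropy identifier.

Constructed sample data; not from the original page. Standard library only.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional

# Constructed, Luhn-valid sample value used only for this demonstration.
SAMPLE_SIN = "046454286"


def sin_is_valid(sin: str) -> bool:
    """Mod-10 (Luhn) checksum used for Canadian SINs.

    The check is public, so an attacker can use it too: it shrinks the
    candidate space, it does not protect the value.
    """
    if len(sin) != 9 or not sin.isdigit():
        return False
    total = 0
    for i, ch in enumerate(sin):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the left
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plain_hash(sin: str) -> str:
    """Unkeyed SHA-256: deterministic and computable by anyone."""
    return hashlib.sha256(sin.encode()).hexdigest()


def keyed_pseudonym(sin: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key.

    Assumption: the key lives in a KMS/HSM, separate from the data store,
    so a leak of the pseudonyms alone does not leak the key.
    """
    return hmac.new(key, sin.encode(), hashlib.sha256).hexdigest()


def recover(target_hex: str, known_prefix: str,
            digest_fn: Callable[[str], str] = plain_hash) -> Optional[str]:
    """Attacker model: the digest leaked and the attacker knows the leading
    digits (e.g. from another record). Enumerate the remaining digits,
    skip Luhn-invalid candidates, and compare digests.
    """
    missing = 9 - len(known_prefix)
    for tail in itertools.product("0123456789", repeat=missing):
        cand = known_prefix + "".join(tail)
        if not sin_is_valid(cand):
            continue
        if hmac.compare_digest(digest_fn(cand), target_hex):
            return cand
    return None


def demo(known_prefix: str = "04645") -> dict:
    """Run the same recovery attack against both safeguards."""
    key = secrets.token_bytes(32)  # assumption: generated and held outside the data store
    leaked_plain = plain_hash(SAMPLE_SIN)
    leaked_keyed = keyed_pseudonym(SAMPLE_SIN, key)
    return {
        # Unkeyed hash: the attacker recomputes SHA-256 over the candidates.
        "plain_recovered": recover(leaked_plain, known_prefix),
        # Keyed pseudonym: without the key the attacker can only try unkeyed
        # guesses, none of which match the HMAC output.
        "keyed_recovered": recover(leaked_keyed, known_prefix),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a safeguards assessment under the privacy laws discussed above is that "hashed" is not the same as "protected": for identifiers drawn from a small, structured space, an unkeyed hash is reversible by enumeration, so the appropriate safeguard is a keyed pseudonym or encryption, with the key managed separately from the data.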

The relevant data privacy regulators direct organisations to assess periodically the personal information they hold, their security measures, and potential and emerging threats, to ensure they meet their statutory obligation to provide appropriate security to personal information. Appropriate security measures also require that organisations establish a process to respond to security incidents.

There are no formal legal requirements governing the content of incident-response plans. Various industry regulators and advisory bodies provide advice to members on the content of plans. In general, while the content is not regulated, it is necessary and important for organisations to have incident-response plans.

As discussed above, while Canadian law does not have a concept of the data protection officer per se, PIPEDA and the provincial privacy laws in British Columbia and Alberta deemed substantially similar to PIPEDA, require that organisations designate responsibility for compliance with applicable privacy legislation to one or more individuals.

There are no formal legal requirements requiring or governing board-level involvement in cybersecurity planning or incident response per se. It is generally accepted in the Canadian cybersecurity community that board-level awareness and involvement is necessary and important. The Investment Industry Regulatory Organization of Canada, for example, has advised its members that it views board and senior management-level involvement in members’ cybersecurity programs as critical.

There is no general legal requirement that private-sector organisations take these steps.

All federal government institutions subject to the federal Privacy Act are required to conduct privacy impact assessments (PIAs). Heads of such institutions are required to establish a PIA development and approval process that:

  • takes into consideration the responsibility within the institution for establishing PIAs;
  • is commensurate with the level of risk related to the privacy invasiveness of the institution's programmes or activities; and
  • ensures the PIA is completed by the senior official or executive holding responsibility within the institution for new or substantially modified programmes or activities.

Ontario’s Information and Privacy Commissioner (IPC) provides detailed guidance for institutions subject to the province’s Freedom of Information and Protection of Privacy Act (FIPPA), Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and Personal Health Information Protection Act 2004 (PHIPA). While these institutions are not required to file PIAs with the regulator, the IPC notes that with respect to institutions governed by PHIPA, their PIAs may be used by the IPC as a starting point for investigations into privacy breaches.

Various other provincial statutes (for example, British Columbia’s Freedom of Information and Protection of Privacy Act and Alberta’s Health Information Act) mandate conducting PIAs.

There are no formal legal requirements with respect to insider-threat programmes. Public Safety Canada identifies the insider threat as one of five categories of threats responsible for the majority of cyber-incidents.

There are no formal legally binding requirements with respect to vendor and service-provider due diligence, oversight and monitoring.

There are no formal legally binding requirements with respect to training.

Canada is one of 55 countries (as of May 2017) that have signed and ratified the Budapest Convention (Council of Europe 2017), a multilateral treaty focused specifically on cybercrime. Canada also belongs to the Global Forum on Cyber Expertise, a platform for countries and companies to exchange best practices and expertise in cybersecurity.

Canada is also a member of the Organization for Economic Co-operation and Development (OECD). The development of Canadian privacy law has been heavily influenced by the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Canadian privacy legislation requires organisations to take reasonable steps to safeguard personal information in their custody or control from risks such as unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction.

Canadian privacy law does not contain any requirements specific to material business data, networks or systems.

Public Safety Canada identifies as integral to the protection of critical infrastructure federal statutes, including the following:

  • Access to Information Act;
  • Department of Public Safety and Emergency Preparedness Act;
  • Emergency Management Act;
  • Privacy Act; and
  • Personal Information Protection and Electronic Documents Act.

None of these Acts contains provisions unique or specific to critical infrastructure.

Canadian laws relevant to cybersecurity do not contain any specific requirements in respect of denial of service attacks. It may be helpful to note that denial-of-service attacks could be considered “mischief” under Section 430 (1.1) of the Criminal Code, which includes obstructing, interrupting or interfering with the lawful use of computer data and denying access to computer data to a person who is entitled to such access. The maximum penalty is ten years’ imprisonment.

Canadian laws relevant to cybersecurity do not contain any specific requirements in respect of other data or systems.

Under PIPEDA, a breach of security safeguards means “the loss of, unauthorised access to or unauthorised disclosure of personal information resulting from a breach of an organisation’s security safeguards [...] or from a failure to establish those safeguards”. A breach of security safeguards will trigger a notification obligation if it involves personal information (ie, any information about an identifiable individual) and if it is reasonable to believe that it creates a real risk of significant harm to an individual, including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.

Canadian privacy laws protect personal information in any shape or form (ie, digital, written, etc).

Canadian privacy laws cover all systems utilising personal information.

There are no specific security requirements that apply to medical devices in Canada. Canadian privacy laws require that organisations use security safeguards appropriate to the sensitivity of the information involved.

There are no specific security requirements that apply to industrial control systems in Canada.

Canadian privacy law does not deal specifically with security requirements for IoT.

As stated in 5.1 Definition of Data Security Incident or Breach, cybersecurity incidents involving personal information where there is a real risk of significant harm to an individual will trigger a reporting and notification requirement under applicable privacy laws. Further, organisations are required to notify any third parties if doing so could potentially mitigate that risk of harm (eg, law enforcement, credit card companies). Lastly, organisations operating in highly regulated business sectors may have additional regulatory reporting obligations.

Under PIPEDA, “significant harm” is broadly defined and includes:

  • bodily harm;
  • humiliation;
  • reputational damage;
  • loss of employment, business, or professional opportunities;
  • financial loss;
  • identity theft;
  • negative effects on a credit report;
  • property damage or loss.

In determining whether there is a real risk of significant harm, organisations must consider factors such as the sensitivity of the information involved and the probability it will be misused.

There are no absolute prohibitions on the decryption or monitoring of web traffic in any jurisdiction in Canada. However, policing powers of general application have been invoked to compel data decryption in the country.

Privacy laws may also be implicated if the interception or monitoring of web traffic involves the collection, use (including access) or disclosure (collectively, “processing”) of personal information. Personal information is defined as information about an identifiable individual. According to case law, information will be about an identifiable individual if there is a serious possibility that the individual could be identified from the information, whether alone or in combination with other information.

While there is some variation in the tests adopted by the various Privacy Commissioners in Canada, the general test to assess the reasonableness of employee monitoring is as follows: (i) is the monitoring demonstrably necessary to meet a specific need; (ii) is the measure likely to be effective in meeting that need; (iii) is the loss of privacy proportional to the benefit gained; and (iv) is there a less privacy-invasive way of achieving the same end?

In Québec, the conditions that must be met are: (i) the surveillance is necessary to manage the workplace; (ii) the surveillance must not be carried out in an arbitrary way; (iii) the surveillance must be based on other evidence that already exists against the worker and (iv) the surveillance must be conducted in the least intrusive manner possible.

Having regard to the above, it is unlikely that Canadian Privacy Commissioners would permit the collection of personal information through web traffic monitoring for purposes unrelated to those established in 1.1 Laws. In particular, the collection of personal password-protected or web-based email and social media content would gather personal information significantly broader than what is necessary for business-related purposes.

Further, ongoing, continuous and routine monitoring of employee behaviour will seldom be permitted by applicable privacy legislation in Canada.

New mandatory breach reporting requirements have resulted in an increase in breach reports to privacy regulators and a corresponding increase in litigation. Courts have not yet settled on a consistent approach to assessing privacy harms in breach-related matters. As the common law in this area continues to develop, cybersecurity and data protection requirements and best practices will likely continue to evolve.

Globally there continues to be increasing attention on the development of new technologies such as facial recognition, which is being deployed in policing and immigration capacities among others. These new applications of technology, which rely on algorithmic decision-making, will likely challenge existing privacy and data protection legal frameworks. Further, as these applications target programme areas where information is highly sensitive (eg, immigration), they may be at an increased risk of harm from cyberthreats.

The Canadian government encourages the sharing of cybersecurity threat information, but doing so is not mandatory. Organisations may submit a report regarding cybersecurity incidents to the Canadian Centre for Cyber Security. The Canadian Cyber Threat Exchange is another information sharing resource, which is a public forum that facilitates the dissemination of cyberthreat-related information to cybersecurity professionals and organisations across Canada.

See 7.1 Required or Authorised Sharing of Cybersecurity Information.

Regulatory Enforcement

The OPC has the power to investigate or audit organisations subject to PIPEDA for failure to take reasonable steps to safeguard personal information, including when such failure results in a data breach. Similarly, the privacy regulators in the provinces of Alberta, British Columbia and Québec also have enforcement powers.

One notable enforcement action taken by the OPC involved Equifax. In September 2017, Equifax announced that an unauthorised individual had accessed the personal information of over 143 million people, including 19,000 Canadians. The information accessed included social insurance numbers as well as other personal identifiers. The investigation by the OPC covered, among other things, the adequacy of the safeguards that Equifax had in place in order to prevent a breach.

Given the sensitivity of the information held by Equifax, it was found that there were unacceptable deficiencies in Equifax’s security systems, including:

  • inadequate vulnerability management to prevent attacks resulting from known vulnerabilities; 
  • inadequate network segregation to reduce the scope of harm in case of a breach;
  • inadequate implementation of basic information security practices; and
  • inadequate oversight, in the sense that there was a disconnect between the policies put in place and the implementation of said policies. 

Litigation

Canada has seen a marked increase in privacy-related litigation and class actions following data breaches, including cases where complainants were awarded monetary damages despite not experiencing any actual harm. To date, the amounts awarded have been relatively modest (between CAD1,500 and CAD20,000).

See 8.1 Regulatory Enforcement or Litigation.

The OPC may conduct investigations or audits upon receiving a complaint or on its own initiative. Upon finding that an organisation is non-compliant with PIPEDA, the OPC may enter into a compliance agreement with the organisation or pursue legal action in front of the Federal Court of Canada if any issues remain unresolved. Further, the findings of such investigations or audits could be made public if doing so is deemed to be in the public interest. Under PIPEDA, knowingly failing to comply with the mandatory breach reporting, notification and record-keeping requirements is an offence punishable by fines of up to CAD100,000.

Please see 2.1 Key Laws.

Class actions are permitted under Canadian law. See 2.1 Key Laws (Provincial Private Sector Privacy Laws).

Cybersecurity due diligence is increasingly important in the context of corporate transactions and involves a review by the potential purchaser of a target entity’s cybersecurity posture in the context of overall transaction risk. First, the purchaser must have a general understanding of the target’s data handling practices (ie, what data it collects and uses, how it is stored, etc). The due diligence process then turns to conducting an investigation into the target’s operating and data systems, as well as compliance with applicable privacy laws. This should include, among other things, a review of the target entity’s:

  • commercial agreements with third-party vendors – this will help the purchaser understand any technical or organisational requirements that the target may be subject to under the agreements, including any requirements to inform the third-party vendor of cybersecurity incidents.
  • privacy policies and terms of use – the purchaser will want to understand how the target has undertaken to handle data vis-à-vis its customers.
  • cyber-insurance policy – the purchaser should look at the type of coverage afforded under the policy and whether the target satisfies any specific security or other requirements laid out therein.

Publicly traded companies are required to disclose all material cybersecurity incidents and risks as part of continuous disclosure obligations under Canadian securities legislation.

Organisations in the financial services sector regulated by OSFI are required to report high-severity technology or cybersecurity incidents to OSFI within 72 hours of determining that the incident meets the reporting threshold.

All significant issues have already been addressed.

Blake, Cassels & Graydon LLP

199 Bay Street
Suite 4000, Commerce Court West
Toronto, Ontario, M5L 1A9
Canada

+1 416 863 2400

+1 416 863 2653

toronto@blakes.com www.blakes.com
