Canada | Publication | June 22, 2022
On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts:
Under both Acts, the Governor in Council (governor) and the Minister of Industry (minister) will be afforded additional powers. While it appears that the general application of Bill C-26 and the powers granted thereunder will be undertaken by the minister, the governor will also have powers to directly intervene to secure systems and services vital to Canada. This may prove useful when a situation warrants a rapid response.
The Canadian government has predicted that ransomware will continue to pose a threat to Canada’s security and economic prosperity. To protect against these threats, and balance the integration of new technologies with the ongoing need for cybersecurity, the Telecommunications Act will be amended to promote the security of the Canadian telecommunications system as a policy objective. The amendments will impact any transmission facility of a Canadian carrier, including but not limited to, local voice service providers, voice-over-IP service providers, internet service providers, long distance service providers, and wireless and payphone service providers.
Security of the Canadian Telecommunications System
These amendments grant the governor specific powers to secure the Canadian telecommunications system. If the governor believes the security of the telecommunications system is threatened, either by interference, manipulation or disruption, the governor may prohibit a telecommunications service provider from using or providing certain products and/or services, regardless of whether the other party in question is an individual or a service provider. Similarly, the governor may prohibit a telecommunications service provider from providing services to a specific person, including a telecommunications service provider, or suspend services for a specified time.
The minister may similarly order a telecommunications service provider to:
Additionally, the governor will have the power to make regulations relating to the above orders.
To promote compliance, telecommunications service providers may be subject to administrative monetary penalties (AMPs) of up to C$10 million for each day of non-compliance, and up to C$15 million for subsequent contraventions.
Notably, the CCSPA introduces the protection of critical cyber systems in the federally regulated private sector. A “critical cyber system” means a cyber system that, if compromised, could affect the continuity or security of a vital service or system. Schedule 1 to the Act outlines that these vital services or systems are: (i) telecommunications services; (ii) interprovincial or international pipeline and power line systems; (iii) nuclear energy systems; (iv) transportation systems that are within Parliament’s legislative authority (under federal jurisdiction); (v) banking systems; and (vi) clearing and settlement systems.
The purpose of the CCSPA is to:
If passed, the CCSPA will apply to a class of operators who carry on work subject to federal jurisdiction, and the regulator for this class. Subject to any extensions granted by the regulator, all operators under this definition will have 90 days to establish a cybersecurity program that meets the four purposes outlined above, and to notify the regulator and provide it with their program. The CCSPA requires operators to review their programs annually, or as otherwise prescribed by the regulations, and to notify the regulator of any changes to their programs.
The CCSPA gives the governor the authority to direct operators to comply with any measure for the purpose of protecting a critical cyber system. Operators are prohibited from disclosing the contents of the direction with limited exceptions.
If any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks. While the Act doesn’t give any indication of what kind of steps will be required from operators, such steps may be prescribed by the regulations later.
In order to request advice, guidance or services from the Communications Security Establishment (CSE), or in respect of the exercise of a regulator’s duties, an appropriate regulator may provide the CSE with any information, including confidential information, regarding an operator’s cybersecurity program.
The Act also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems touching upon these vital services and systems. No indication is given as to what would constitute interference under the Act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the Act does not prescribe any timeline or give other indication as to how “immediately” should be interpreted.
The landscape of Canadian cybersecurity is ever-changing, and Bill C-26’s introduction addresses this rapidly evolving industry. As Bill C-26 goes through subsequent stages, it will be interesting to see how changes to both Acts will shape Canada’s cybersecurity landscape.
While it’s evident Canada’s appetite for cybersecurity risk is low, in the absence of regulations, some uncertainty remains on how detailed the cybersecurity programs must be, or how industries will need to alter their existing agreements and policies to accommodate these amendments. Nevertheless, the Canadian government’s introduction of Bill C-26 follows on some initiatives brought forward by the US and other jurisdictions regarding cybersecurity awareness and response with regard to critical infrastructure, and mirrors many of the requirements introduced in these other jurisdictions.
For the time being, Bill C-26 has passed the first reading in the House of Commons. As it makes its way through the legislative process, we will continue to provide updates on its implementation.
© Norton Rose Fulbright LLP 2023