McCarthy Tétrault

Bill C-26: Introduction of New Mandatory Breach Reporting Requirements in Canada

June 15, 2022 | Blog Post

On December 5, 2024, following a vigorous debate, the Senate of Canada completed its third reading of Bill C-26, a new cybersecurity bill that will require operators of critical cyber systems in Canada to establish cyber security programs and mandate the reporting of cyberattacks against them. However, Bill C-26 has ultimately died on the Order Paper following the prorogation of Parliament on January 6, 2025, before Bill C-26 could become law. Please note that the text below was written before the prorogation. As such, the text below is no longer up to date, though it may still provide a useful point of reference, especially if the bill is reintroduced by Parliament in the future.

Bill C-26[1] aims to enact the Critical Cyber Systems Protection Act (“CCSPA”), which provides a framework for the protection of cyber systems that are vital to Canada’s national security or public safety. CCSPA will require designated organizations known as “vital services” or “vital systems” – including federally regulated banks and clearing systems, telecommunication services, transportation services, and nuclear or other energy systems[2] – to, among other things:

  • establish and implement cyber security programs;
  • mitigate supply-chain and third-party risks;
  • report cyber security incidents; and
  • comply with cyber security directions.

As its Senate sponsor expressed,[3] once the bill has passed:

The bottom line is this: If you are operating in finance, telecommunications, energy or transportation, you need a cybersecurity program in place and to report any cybersecurity incidents to the Canadian Centre for Cyber Security.

This development is unprecedented in the world of Canadian cyber security statutory obligations which, until today, were drafted exclusively through the lens of privacy and the protection of personal information. Instead, CCSPA borrows language that appears to be inspired by the regulatory guidelines of the Office of the Superintendent of Financial Institutions (“OSFI”)[4] and expands its scope to other critical sectors of the Canadian economy regardless of whether personal information is involved or not.

The objective of CCSPA is to support the continuity and security of the vital services and vital systems of the Canadian economy against disruptive cyberattacks. As such, CCSPA is unique in that it does not require that any personal information be involved in a cyber breach in order to trigger mandatory incident reporting requirements. The mere occurrence of a “cyber security incident” (as defined by CCSPA) affecting any “vital service” or “vital system” is sufficient to trigger reporting obligations, without the need for a “real risk of significant harm” (i.e. RRoSH), “a risk of serious injury” (the Québec standard) or other similar threshold tests.

CCSPA defines a “cyber security incident” as any act, omission, or circumstance that interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity, or availability of a critical cyber system.[5] Again, this definition appears to be inspired by that of OSFI and is expanded to include a two-step mandatory breach notification process outlined below. Importantly, while there is no RRoSH standard, judgment may be exercised as to whether an incident carries any risk of impacting the “continuity” or “security” of a vital service or system either directly or through undermining a “critical cyber system”.

First, CCSPA requires organizations affected by a cyber security incident to report the occurrence, within 72 hours of discovering it,[6] to the Communications Security Establishment (“CSE”) for the purpose of enabling CSE to exercise its powers or perform its duties and functions. CSE’s mandate includes:

  • defending Government of Canada networks;
  • advising and assisting other levels of government and the operators of Canada’s critical infrastructure, such as banks, telecommunications companies and other companies that are essential for the functioning of our society and economy;
  • offering simple and effective tips that all Canadians can use to help keep themselves safer online;
  • gathering foreign intelligence;
  • conducting defensive or active cyber operations; and
  • assisting other federal organizations.[7]

Second, CCSPA requires organizations, immediately after reporting an in-scope cyber security incident to CSE, to report the incident to the appropriate regulator of their particular industry (e.g. an energy or financial industry regulator).[8] The relevant regulators are named in section 2 of CCSPA. The vital services and systems currently within CCSPA’s scope include:

  • Telecommunications services (overseen by the Minister of Industry);
  • Interprovincial or international pipeline and power line systems (overseen by the Canadian Energy Regulator);
  • Nuclear energy systems (overseen by the Canadian Nuclear Safety Commission);
  • Transportation systems that are within the legislative authority of Parliament (overseen by the Minister of Transport);
  • Banking systems (overseen by OSFI); and
  • Clearing and settlement systems (overseen by the Bank of Canada).

CCSPA grants significant enforcement powers to the regulatory authorities of the sectors listed above, including the power to order internal audits, issue compliance orders, and enter into compliance agreements. CCSPA also accelerates order-making powers by providing for exemptions from the Statutory Instruments Act and provides each regulatory authority with the power to issue administrative monetary penalties of up to $15,000,000 for each violation.[9]

CCSPA may also be the harbinger of broader changes to come in Canada. As its Senate sponsor suggested at third reading:

Part 2 of Bill C-26 also aims to serve as a model for our provincial, territorial and municipal partners to protect critical cyberinfrastructure in sectors under their respective jurisdictions, like health care. It’s my understanding that two provinces, Ontario and Quebec, are currently using Bill C-26 as a model.

Stay tuned for more McCarthy Tétrault publications on this topic as Bill C-26 continues its journey before Parliament.

To learn more about how our Cyber/Data group can help you understand your obligations and demonstrate your compliance with Bill C-26, please contact national co-leaders Charles Morgan and Daniel Glover.

---

[1] C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, 1st Sess, 44th Parl, 2022, 70-71 (Third Reading, December 2024).

[2] Section 6 of CCSPA permits the government to add to its list of vital services and systems.

[3] At third reading debates, the Senate sponsor, Hon. John M. McNair, indicated that the Canadian government is targeted by malicious actors 2.3 trillion times a year and warned that “State-sponsored cyber threat actors are very likely targeting critical infrastructure networks in Canada and allied countries to pre-position for possible future disruptive or destructive cyber operations”.

[4] See the OSFI Technology and Cyber Incident Reporting Advisory.

[5] Critical Cyber Systems Protection Act, s. 2.

[6] Critical Cyber Systems Protection Act, s. 17.

[7] Government of Canada, Communications Security Establishment: Mandate, available online at: https://www.cse-cst.gc.ca/en/corporate-information/mandate

[8] Critical Cyber Systems Protection Act, s. 18.

[9] Ibid., s. 91.