Bill C-26: Introduction of New Mandatory Breach Reporting Requirements in Canada
On June 14, 2022, the House of Commons of Canada introduced Bill C-26, a new cybersecurity bill that will require mandatory reporting of cyberattacks against systems of critical importance to Canadian interests.
Bill C-26 enacts the Critical Cyber Systems Protection Act (“CCSPA”), which provides a framework for the protection of cyber systems that are vital to Canada’s national security or public safety. CCSPA will require designated organizations known as “vital services” or “vital systems” – including federally regulated banks and clearing systems, telecommunication services, transportation services, and nuclear or other energy systems – to, among other things:
- establish and implement cyber security programs;
- mitigate supply-chain and third-party risks;
- report cyber security incidents; and
- comply with cyber security directions.
This development is unprecedented in the world of Canadian cyber security statutory obligations which, until today, were drafted exclusively through the lens of privacy and the protection of personal information. Instead, CCSPA borrows language that appears to be inspired by the regulatory guidelines of the Office of the Superintendent of Financial Institutions (“OSFI”) and expands its scope to other critical sectors of the Canadian economy regardless of whether personal information is involved or not.
The objective of CCSPA is to support the continuity and security of vital services and vital systems of the Canadian economy against disruptive cyberattacks. As such, CCSPA is unique in that it does not require for any personal information to be involved in a cyber breach in order to trigger mandatory incident reporting requirements. The mere presence of a “cyber security incident” (as defined by CCSPA) on any “vital service” or “vital system” is sufficient to trigger reporting obligations without the need for a “real risk of significant harm” (i.e. RRoSH) or other similar threshold tests.
CCSPA defines a “cyber security incident” as any act, omission, or circumstance that interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity, or availability of a critical cyber system. Again, this definition appears to be inspired by that of OSFI and is expanded to include a two-step mandatory breach notification process outlined below. Importantly, while there is no RRoSH standard, judgment may be exercised as to whether an incident carries any risk of impacting the “continuity” or “security” of a vital service or system either directly or through undermining a “critical cyber system”.
First, CCSPA requires that organizations affected by a cyber security incident must immediately report the occurrence to the Communications Security Establishment (“CSE”) for the purpose of enabling CSE to exercise its powers or perform its duties and functions. CSE’s mandate includes:
- defending Government of Canada networks;
- advising and assisting other levels of government and the operators of Canada’s critical infrastructure, such as banks, telecommunications companies and other companies that are essential for the functioning of our society and economy;
- offering simple and effective tips that all Canadians can use to help keep themselves safer online;
- gathering of foreign intelligence;
- conducting defensive or active cyber operations; and
- assisting other federal organizations.
Second, immediately after reporting an in-scope cyber security incident to CSE, CCSPA requires organizations to report the incident to any appropriate regulator of their particular industry (e.g. an energy or financial industry regulator). The relevant regulators are named in section 2 of CCSPA. The vital services and systems currently within CCSPA’s scope include:
- Telecommunications services (overseen by the Minister of Industry);
- Interprovincial or international pipeline and power line systems (overseen by the Canadian Energy Regulator);
- Nuclear energy systems (overseen by the Canadian Nuclear Safety Commission);
- Transportation systems that are within the legislative authority of Parliament overseen by the Minister of Transport);
- Banking systems (overseen by OSFI); and
- Clearing and settlement systems (overseen by the Bank of Canada).
CCSPA grants significant enforcement powers to the regulatory authorities of the sectors listed above, including the power to order internal audits, issue compliance orders, and enter into compliance agreements. CCSPA also accelerates order-making powers by providing for exemptions from the Statutory Instruments Act and provides each regulatory authority with the power to issue administrative monetary penalties of up to $15,000,000 for each violation.
Stay tuned for more McCarthy Tétrault publications on this topic as Bill C-26 continues its journey before Parliament over the upcoming months.
To learn more about how our Cyber/Data group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.
 C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, 1st Sess, 44th Parl, 2022, 70-71 (First Reading, June 2022).
 Section 6 of CCSPA permits the government to add to its list of vital services and systems.
 See the OSFI Technology and Cyber Incident Reporting Advisory.
Ibid., Critical Cyber Systems Protection Act, s. 2.
 Government of Canada, Communications Security Establishment : Mandate, available online at: https://www.cse-cst.gc.ca/en/corporate-information/mandate
Ibid., s. 18.
Ibid., s. 91.