Executive Summaries Sep 16, 2022
Bill C-26: The Federal Government Takes a Closer Look at Cybersecurity and Privacy
On June 14 and 16, 2022, the federal government tabled Bills C-26 and C-27 aimed at protecting the privacy and cybersecurity of citizens in addition to regulating artificial intelligence in Canada.
More specifically, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (the “Bill”) provides new cybersecurity obligations of which businesses under federal jurisdiction should be aware.
Telecommunications: Securing the System Against External Threats
On the one hand, the Bill modifies the Telecommunications Act to further protect the Canadian telecommunications system and prevent interference from threats. The Canadian Telecommunications Policy is amended to “promote the security of the Canadian telecommunications system.”
In practice, this results in the granting of various powers to the Governor in Council, to be exercised when it is of the view that doing so is necessary to secure the Canadian telecommunications system against threats of interference, manipulation, or disruption. More specifically, the Governor in Council could issue various orders to:
- prohibit telecommunications service providers from using in or in connection with all or any part of their telecommunications networks or facilities any products and services provided by any person it specifies;
- order such suppliers to remove from all or part of their telecommunications networks or facilities all products supplied by any person it specifies;
- prohibit or order the suspension of the provision of services to any person it specifies;
- prohibit or require the termination of certain service agreements;
- require the development of security plans; and
- require assessments to identify vulnerabilities in networks or facilities and require action to mitigate any vulnerabilities found.
The foregoing is over and above the general obligation to provide information: the Minister of Industry may require any relevant information concerning the issuance, modification, or revocation of an order.
Administrative monetary penalties are included to ensure compliance with the various orders that may be made by the Governor in Council. For a natural person, they range from $25,000 up to $50,000 for a repeat offence; in other cases they are much larger, ranging from $10 million up to $15 million for a subsequent offence.
Cybersecurity: Complying with New Obligations
The Bill also enacts the Critical Cyber Systems Protection Act (hereinafter the “CCSPA”), which aims to ensure the security and resilience of critical cyber systems in the federally regulated private sector. A “cyber system” means a technological infrastructure system used to receive, transmit, process, or collect data.
The CCSPA essentially has the following four objectives:
- identify and manage risks to the cybersecurity of critical cyber systems, including risks associated with supply chains and the use of third-party products and services;
- protect critical cyber systems from compromise;
- detect cyber security incidents that affect or could affect critical cyber systems; and
- minimize the consequences of cyber security incidents that affect critical cyber systems.
According to the CCSPA, a “critical cyber system” is “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.” The services and systems currently considered vital are:
- interprovincial or international pipeline and power line;
- nuclear energy;
- transportation systems under the legislative jurisdiction of the Federal Parliament;
- banking; and
- clearing and settlement.
To achieve its goals, the CCSPA requires the categories of operators listed in Schedule II to comply with the statute through four main obligations and to keep records concerning their implementation.
Setting Up of a Cybersecurity Program
First, within 90 days of becoming a member of a designated operator category, the operator will be required to set up a cybersecurity program for its critical cyber systems.
This cybersecurity program will have to meet the various regulatory requirements that will eventually be adopted, and in particular address the four main objectives of the statute mentioned above. The program must be submitted to the competent regulatory body, which is determined according to the category of designated operator. The regulator must also be notified in the event of a change in ownership or control of the designated operator or a material change to its supply chain.
Protect Supply Chains
Second, the CCSPA aims to protect the supply chains of vital services and systems. Consequently, as soon as risks to the supply chain are identified, designated operators must take all reasonable measures to mitigate them, including any measures provided for by regulation.
Note that the Communications Security Establishment (the “CSE”) could help any designated operator to mitigate the risks associated with a supply chain by providing various advice.
Report Any Security Incident
Third, designated operators will be required to promptly report any cybersecurity incident involving one of their critical cyber systems to the CSE in order to obtain assistance. The designated operator must also notify its competent regulatory body and provide it with a copy of the incident report.
Recall that a cybersecurity incident is defined as an incident that could harm the continuity or security of the system or its confidentiality and integrity.
Comply with Governor in Council’s Directives
Finally, the Governor in Council may, to protect a critical cyber system, issue various cyber security directives that require the compliance of a designated operator.
The federal government takes a robust approach to the enforcement of the CCSPA by providing for administrative monetary penalties capped at $1 million in the case of a natural person and $15 million in other cases.
At present, there are no categories of operators that are provided for in Schedule II, but we can expect them to fall under the legislative jurisdiction of the federal Parliament and affect the various critical services mentioned above.
The BCF team remains on the lookout for developments affecting the Bill. We will keep you informed of any changes, clarifications, or regulations made by the legislator, if applicable.
If you have any questions about the impacts the Bill could have on your business, do not hesitate to contact our team, who will be happy to advise you.