Do you run a business in Canada, or are considering opening a business in Canada in the near future? If so, it’s important to be aware of Canadian cybersecurity laws that could impact your company. Every single business, regardless of industry or geographic location, uses IT technology to bring in customers, keep track of sales and appointments, collect and manage data, and communicate with suppliers, employees, contractors, and the general public. Failure to protect your IT set-up from cybercriminals can result in not only the loss of customer trust but also legal action.
Sadly, cybercrime is on the rise throughout Canada. More than one in three Canadian organizations have lost money due to a cyberattack, while 34% of small to mid-size enterprises report they were locked out of company devices and/or networks as a result of a hack. From 2017 to 2019, cybercrime police reports soared from 15,000 to 24,000. As cybercrime grows worldwide in the wake of the COVID-19 pandemic, it’s imperative to know not only how to protect your business but also how to deal with the fallout of an attack.
Troy Drever provides Managed IT Services in Calgary and shares insights into the Canadian cybersecurity laws that all business owners must comply with.
Understanding How Canadian Law Works
To understand Canadian cybercrime laws, you have to know how the Canadian legal system works. Canada, like the United States, has a legislative branch, executive branch, and judicial branch. The legislative branch is responsible for creating legislation that impacts the entire nation; however, cybercrime laws vary as each province can make its own cybersecurity laws as long as these laws do not contravene federal laws.
At the same time, Canada is also a common law jurisdiction, which follows the doctrine of “stare decisis” (binding precedent). Put in simple terms, this means that a court’s decision in a cybercrime case can be viewed as binding in its local area. If, for instance, a judge in British Columbia decides that certain types of information should be categorized as personal information, this decision would be binding in British Columbia and lawyers would refer to it when arguing similar cases in local courts. However, it would not be considered binding in other provinces unless judges in those provinces reached the same conclusions. Decisions by the nation’s Supreme Court are binding nationwide; however, to date, there have been no Supreme Court decisions related to cybersecurity law. Ironically, cybersecurity-related court rulings in the UK and the United States are often successfully referenced in Canadian courts when no Canadian precedent exists that would bear on a cybersecurity ruling.
There are two types of criminal offences in Canada. These are summary offences and indictable offences. Summary offences are similar to misdemeanors in the United States. If convicted, an offender has to pay a fine of no more than $5,000 and/or spend up to six months in jail. Indictable offences naturally have more serious penalties; these may include large fines, long jail sentences, and conditions that must be adhered to upon release.
Most forms of cybercrime can be prosecuted as indictable offences. These include:
- DDoS attacks
- Phishing (which constitutes fraud under Canadian law)
- Deliberately injecting a computer system with any form of malware
- Possession of hardware, software, or any other tools used for the primary purpose of committing a cybercrime
- Identity theft
- Electronic theft
- Engaging in any activity that negatively affects the security or integrity of a computer or network at the behest of a terrorist organization
Jail terms for engaging in these activities typically range from five to ten years. Fines can be as high as $1 million. However, any type of cybercrime involving cooperation with a terrorist entity can result in imprisonment for life, while cybercrime involving sums of money less than $5,000 may only result in a two-year jail term. Prosecutors have to prove that the accused intended to commit the crime in question.
Tort law also impacts cybersecurity, as those affected by a data breach can sue a business for failing to keep their data secure. A business owner (and/or their employees) would be required to pay compensation if found liable for failing to take adequate measures to protect personal data.
There are two types of torts: intentional torts and unintentional torts. Intentional torts, as the name implies, involve cases in which a business is knowingly careless with personal data. For instance, companies that recognize a data breach is in progress but fail to take measures to address it could face a claim under this type of tort. Similarly, companies that fail to take basic cybersecurity precautions, such as using password protection, could be accused of intentional recklessness. However, most cybersecurity-related cases would likely fall under the unintentional torts category. Failing to update a software program in time, inadvertently clicking on a malicious email or pop-up, or having a laptop or cellphone stolen and later misused are not intentional acts.
A company can be charged with one or more criminal offences and later sued under tort law; however, it’s not easy for those filing a claim to win compensation from a business that has already been found guilty of one or more cybercrime-related criminal offences. What’s more, one’s geographic location in Canada will have a large bearing on the outcome of the case. Ontario, for instance, recognizes invasion of privacy as a tort; British Columbia, on the other hand, does not recognize it as a common law tort at all.
The Personal Information Protection and Electronic Documents Act
PIPEDA covers the collection, storage, and use of personal information collected in the course of regular business activities. It mandates that companies protect personal information from theft, loss, unauthorized access, public disclosure, use, copying, or modification. Requirements for safeguarding data vary depending on the sensitivity of the data in question, the quantity of data a business has in its possession, how the data is distributed and stored, and so on.
PIPEDA, which was passed in 2000, was a good start but widely criticized for lacking an enforcement mechanism. The law was later amended with the Digital Privacy Act.
The Canadian Digital Privacy Act
The Digital Privacy Act was passed in 2015 and made important changes to PIPEDA that affect businesses in just about every industry. Perhaps the most important change is that, unlike the original PIPEDA, the Digital Privacy Act mandates that companies report data breaches. Furthermore, companies cannot obstruct local law enforcement investigating a breach. Failure to comply with an investigation can result in a fine ranging from $10,000 to $100,000.
Companies are also required to keep records of every single breach, no matter how small. If, for instance, a single client’s records were sent via an unsecured email, this would need to be noted in company records. Furthermore, companies must notify affected individuals if their personal data has been compromised.
A controversial aspect of this law is that law enforcement officials in Canada don’t have to ask a company’s permission to seize personal data; in fact, law enforcement doesn’t even have to have a warrant to gain access to data it wants to see. What’s more, personal information can be requested for the completion of a purchase, after which it is available to any party in the transaction, even if the person conducting the transaction hasn’t given permission to the data to be viewed by all involved.
Health Information Privacy
Companies that work in the medical industry in Canada will want to be aware of the health information laws of the province they operate in. British Columbia and Nova Scotia, for instance, forbid companies from storing personal health information in the United States, even if this data is encrypted and stored in a secure location. Ontario law stipulates that individuals must give consent before a company moves their personal health information outside the province. Several provinces also have classifications and requirements for IT service providers that partner with medical offices and companies to store, safeguard, and manage personal health information.
Payment Card Industry Data Security Standard
Any company in Canada that processes, stores, or transmits credit card information is subject to the Payment Card Industry Data Security Standard (PCI DSS). There are four levels of compliance; the higher the level, the more stringent the requirements. Companies that have suffered a data breach are held to higher standards than companies that have successfully prevented hacks from occurring.
In short, PCI DSS requires that companies:
- Use a firewall to protect customer data
- Protect data in transit to and from a secure server
- Use risk management to identify and deal with potential vulnerabilities that could lead to a future data breach
- Restrict access to card data so only those who absolutely need access for work purposes can gain access to it
- Monitor their IT systems to identify and deal with potential breaches as soon as they occur
- Maintain a policy that addresses cybersecurity
Canada, like other developed nations, has taken measures to mandate the protection of personal data and punish those who steal and misuse this data for their own ends. If your company is based in Canada or has a branch office in the nation, you’ll need to be aware of Canada’s cybersecurity laws and adhere to them. PIPEDA is the nationwide standard, but some provinces have additional requirements, especially for personal health information. What’s more, you’ll also want to check all applicable industry requirements and stay in step with them. Adhering to local, provincial, and federal Canadian laws will not only help you avoid legal problems but also keep your business safe from attacks that could permanently damage your reputation and even force the permanent closure of your business.