All Things Newz
Law \ Legal

Bill C-26: Introduction Of New Mandatory Breach Reporting Requirements In Canada – Security

To print this article, all you need is to be registered or login on

On June 14, 2022, the House of Commons of Canada introduced
Bill C-26, a new cybersecurity bill that will require mandatory
reporting of cyberattacks against systems of critical importance to
Canadian interests.

Bill C-261 enacts the Critical Cyber
Systems Protection Act
which provides a framework for the protection of cyber systems that
are vital to Canada’s national security or public safety. CCSPA
will require designated organizations known as “vital
services” or “vital systems” – including federally
regulated banks and clearing systems, telecommunication services,
transportation services, and nuclear or other energy systems2 – to,
among other things:

  • establish and implement cyber security programs;

  • mitigate supply-chain and third-party risks;

  • report cyber security incidents; and

  • comply with cyber security directions.

This development is unprecedented in the world of Canadian cyber
security statutory obligations which, until today, were drafted
exclusively through the lens of privacy and the protection of
personal information. Instead, CCSPA borrows language that appears
to be inspired by the regulatory guidelines of the Office of the
Superintendent of Financial Institutions
(“OSFI“)3 and expands its scope to other
critical sectors of the Canadian economy regardless of whether
personal information is involved or not.

The objective of CCSPA is to support the continuity and security
of vital services and vital systems of the Canadian economy against
disruptive cyberattacks. As such, CCSPA is unique in that it does
not require for any personal information to be involved in a cyber
breach in order to trigger mandatory incident reporting
requirements. The mere presence of a “cyber security
incident” (as defined by CCSPA) on any “vital
service” or “vital system” is sufficient to trigger
reporting obligations without the need for a “real risk of
significant harm” (i.e. RRoSH) or other similar threshold

CCSPA defines a “cyber security incident” as any act,
omission, or circumstance that interferes or may interfere with (a)
the continuity or security of a vital service or vital system; or
(b) the confidentiality, integrity, or availability of a critical
cyber system.4 Again, this definition appears to
be inspired by that of OSFI and is expanded to include a two-step
mandatory breach notification process outlined below. Importantly,
while there is no RRoSH standard, judgment may be exercised as to
whether an incident carries any risk of impacting the
“continuity” or “security” of a vital service
or system either directly or through undermining a “critical
cyber system”.

First, CCSPA requires that organizations affected by a cyber
security incident must immediately report the occurrence to the
Communications Security Establishment
(“CSE“) for the purpose of enabling CSE
to exercise its powers or perform its duties and functions.
CSE’s mandate includes:

  • defending Government of Canada networks;

  • advising and assisting other levels of government and the
    operators of Canada’s critical infrastructure, such as banks,
    telecommunications companies and other companies that are essential
    for the functioning of our society and economy;

  • offering simple and effective tips that all Canadians can use
    to help keep themselves safer online;

  • gathering of foreign intelligence;

  • conducting defensive or active cyber operations; and

  • assisting other federal organizations.5

Second, immediately after reporting an in-scope cyber security
incident to CSE, CCSPA requires organizations to report the
incident to any appropriate regulator of their particular industry
(e.g. an energy or financial industry regulator).6 The relevant
regulators are named in section 2 of CCSPA. The vital services and
systems currently within CCSPA’s scope include:

  • Telecommunications services (overseen by the Minister of

  • Interprovincial or international pipeline and power line
    systems (overseen by the Canadian Energy Regulator);

  • Nuclear energy systems (overseen by the Canadian Nuclear Safety

  • Transportation systems that are within the legislative
    authority of Parliament overseen by the Minister of

  • Banking systems (overseen by OSFI); and

  • Clearing and settlement systems (overseen by the Bank of

CCSPA grants significant enforcement powers to the regulatory
authorities of the sectors listed above, including the power to
order internal audits, issue compliance orders, and enter into
compliance agreements. CCSPA also accelerates order-making powers
by providing for exemptions from the Statutory Instruments
and provides each regulatory authority with the power to
issue administrative monetary penalties of up to $15,000,000 for
each violation.7

Stay tuned for more McCarthy Tétrault publications on
this topic as Bill C-26 continues its journey before Parliament
over the upcoming months.


1. C-26, An Act respecting cyber security,
amending the Telecommunications Act and making consequential
amendments to other Acts
, 1st Sess, 44th Parl, 2022, 70-71
(First Reading, June 2022).

2. Section 6 of CCSPA permits the government to
add to its list of vital services and systems.

3. See the OSFI Technology and Cyber Incident Reporting

4. Ibid., Critical Cyber Systems
Protection Act
, s. 2.

5. Government of Canada, Communications
Security Establishment : Mandate
, available online at:

6. Ibid., s. 18.

7. Ibid., s. 91.

To view original article, please click

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from Canada

Is It Time To Ban The Term ‘Legal Innovation’?

McCarthy Tétrault LLP

Innovation is a term that has been heavily used by lawyers and law firms. It is pervasive in pitches and proposals, hailed as a differentiator when speaking to clients, and used as a hook to attract and retain talent.

Is Code Law?


Cicada 137 LLC v. Medjedovic brings forward a cutting-edge question on cryptocurrency and similar open-source payment technologies.

Source link

Related posts

IFC Law Is Published – Financial Services

Tax Cases Affecting Remote Workers And Their Employers – Tax Authorities

Pişmanlikla Beyanda Mükellef Lehine Yapilan Düzenlemenin Analizi Ve Yapilmasi Gerekenler – Withholding Tax