Last review date: 18 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures e.g., encryption
PIPEDA requires organizations to protect personal information through security safeguards that are appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The methods of protection should include physical measures (e.g., locked filing cabinets and restricted access to offices), organizational measures (e.g., security clearances and limiting access on a "need-to-know" basis), and technological measures (e.g., use of passwords and encryption).
The Alberta PIPA requires an organization to protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
The BC PIPA requires an organization to protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
The Quebec Act requires an organization to take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed, and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
Last review date: 18 December 2024
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks?)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ digital or connected (IoT) products
☒ other
The Office of the Superintendent of Financial Institutions (OSFI) issued an updated Technology and Cyber Security Incident Reporting Advisory, which supports a coordinated and integrated approach to OSFI's awareness of, and response to, technology and cybersecurity incidents at Federally Regulated Financial Institutions (FRFIs). OSFI also issued Guideline B-13 – Technology and Cyber Risk Management, effective 1 January 2024, which sets out expectations for the sound management of technology and cyber risk by FRFIs. In April 2023, OSFI published the Intelligence Led Cyber Resilience Test (I-CRT), a framework for identifying areas of vulnerability to sophisticated cyber-attacks among FRFIs. Currently, OSFI expects systemically important banks and internationally active insurance groups to complete an I-CRT assessment at least once every three years, beginning in 2023. Consistent with Guideline B-13, the FRFI manages the overall testing, and OSFI expects the FRFI to establish measures to remediate the vulnerabilities identified and thereby enhance its resilience against cyber-attacks and disruptions.
The Canadian Securities Administrators (CSA) issues cybersecurity-related staff notices, including (i) CSA Staff Notice 11-326 (Cyber Security), which informs issuers, registrants and regulated entities of the risks of cybercrime and the steps to address those risks; (ii) CSA Staff Notice 33-321 (Cyber Security and Social Media), which informs firms of the cybersecurity risks associated with social media use; and (iii) CSA Staff Notice 11-332 (Cyber Security), which aims to advance cybersecurity awareness, preparedness and resilience in Canadian capital markets. Organizations regulated by the CSA are expected to conduct a cybersecurity risk assessment annually.
Alberta, Ontario, New Brunswick, Newfoundland and Labrador, Nova Scotia, Northwest Territories and the Yukon have data privacy and cybersecurity laws that require health information custodians to take reasonable measures to protect the security and integrity of personal health information within their control against unauthorized use, disclosure, and modification. The Information and Privacy Commissioner of Ontario (IPC) has published guidelines regarding privacy and security considerations for virtual healthcare visits. Virtual healthcare can include secure messaging, telephone consultations, and videoconferencing, all of which rely on various technologies. The IPC recommends several technical, physical, and administrative safeguards to ensure virtual visits are as private and secure as possible. These safeguards include, but are not limited to, using only organization-approved services, software, and related equipment, keeping all technology containing personal health information in a secure location, and ensuring employees and other agents are properly trained to use secure email, messaging, and videoconferencing platforms.
The CCSPA, if passed, would establish a cybersecurity compliance regime for federally regulated critical cyber infrastructure. The compliance regime would require designated operators that own, control or operate a critical cyber system to comply with the requirements of CCSPA. These vital services and systems include operators in telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems under federal jurisdiction, banking systems, and clearing and settlement systems. A compliant cybersecurity program will identify and manage organizational cybersecurity risks, including those related to the supply chain and third-party products and services; protect critical cyber systems from compromise; detect cybersecurity incidents that affect or could affect these systems; minimize the impact of such incidents; and comply with any additional regulations.
☒ Data privacy
Last review date: 18 December 2024
Yes.
In Canada, mandatory private-sector breach notification requirements for breaches of personal data other than personal health data exist both at the federal level under the PIPEDA and at the provincial level under the Alberta PIPA and the Quebec Act.
Under PIPEDA, a personal data breach (breach of security safeguards) is generally defined as the loss of, unauthorized access to, or unauthorized disclosure of personal data resulting from a breach of an organization's security safeguards that are referred to in PIPEDA or from a failure to establish those safeguards.
Under Alberta PIPA, a personal data breach is generally defined as any incident involving the loss of or unauthorized access to or disclosure of personal data.
The Quebec Act requires mandatory confidentiality incident reporting to the Quebec CAI where there is "risk of serious injury" to an individual and for private sector organizations to maintain a confidentiality incident register.
Under BC PIPA, notification is not required but is a best practice.
Last review date: 18 December 2024
☒ data protection authorities
Under PIPEDA, an organization must notify the OPC and affected individuals of any breach of security safeguards involving personal data under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. While PIPEDA does not prescribe a specific timeframe for breach notification to the OPC, Section 10.1 (2) of PIPEDA requires that the notification must contain certain prescribed information and must be made in a prescribed form and manner, "as soon as feasible after the organization determines that the breach has occurred."
Under Alberta PIPA, an organization with personal data under its control must provide notice to the Alberta OIPC whenever there is a loss of, unauthorized access to, or disclosure of personal data, such that a reasonable person would consider there to be a real risk of significant harm to an individual. The notification must contain certain prescribed information and must be made in a prescribed form and manner. While Alberta's PIPA does not prescribe a specific timeframe for breach notification to the Alberta OIPC, section 34.1 (1) requires that the organization provide notice "without unreasonable delay."
☒ affected individuals
Under PIPEDA, an organization must notify affected individuals of any breach of security safeguards involving personal data under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. The notification must contain certain prescribed information and must be made in a prescribed form and manner. While PIPEDA does not prescribe a specific timeframe for breach notification to individuals, Section 10.1 (6) requires that the notification be given "as soon as feasible after the organization determines that the breach has occurred."
Alberta PIPA does not require organizations to automatically notify affected individuals when there is a breach; however, the Alberta OIPC has the power to require organizations to notify affected individuals for whom there is a real risk of significant harm.
Under BC PIPA, notification is not required, but is a best practice.
The Quebec Act requires mandatory confidentiality incident reporting, for "risk of serious injury" to an individual, to the Quebec CAI and to the person whose personal information is impacted by the incident.
☒ other
Under PIPEDA, an organization that notifies an individual of a breach of security safeguards must also notify any other organization or government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied. While PIPEDA does not prescribe a specific timeframe for breach notification to such organizations, Section 10.2 (2) requires that the notification "be given as soon as feasible after the organization determines that the breach has occurred."
Last updated: 18 December 2024
☒ others
PIPEDA and Alberta PIPA require an organization to report a breach involving personal data under its control. Therefore, the obligation to report the breach rests with an organization in control of the personal data implicated in the breach. The term control is not defined in PIPEDA or Alberta PIPA. The OPC has published guidance interpreting the requirements under PIPEDA, which suggests that in circumstances where an organization (the "principal organization") has transferred personal data to a third party for processing and a breach occurs while the personal data is with the processor, it is reasonable to interpret the principal organization as having control of the personal data and therefore responsibility for breach reporting in respect of a breach that occurs with the third party processor. However, the OPC acknowledges that business relationships can be very complex and determining who has personal data under its control needs to be assessed on a case-by-case basis.
Last review date: 18 December 2024
Yes.
☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ providers of critical infrastructure
Alberta, Ontario, New Brunswick, Newfoundland and Labrador, Nova Scotia, Northwest Territories and Yukon have each enacted data privacy and cybersecurity laws that apply to "health information custodians" (e.g., hospitals, pharmacies, laboratories, nursing homes, ambulance services, healthcare practitioners, etc.) and include security breach notification requirements. In general, health information privacy laws do not prescribe a specific timeframe for breach notification. Rather, in most of these provinces and territories, health information custodians are required to notify individuals and/or the relevant provincial/territorial regulator "at the first reasonable opportunity" where personal health data is stolen, lost, disposed of, or disclosed to, or accessed by, unauthorized persons. The exceptions are Alberta, where notification must be made "as soon as practicable", and Yukon, where it must be made "as soon as reasonably possible". Organizations that fail to comply with the security breach notification requirements can be subject to fines which vary by province/territory (e.g., in Ontario, the maximum fine under PHIPA is CAD 200,000 for an individual and CAD 1,000,000 for an organization, following the 2020 amendments).
Financial regulators such as the CSA, OSFI and the Canadian Investment Regulatory Organization (CIRO, which in 2023 amalgamated IIROC and the MFDA) also require the reporting of incidents. These incident reporting obligations generally cover any material systems issues, cybersecurity or technology risks and incidents, security breaches, breaches of client confidentiality, or system intrusions.
The CCSPA, if passed, would impose incident reporting obligations on designated operators of a "critical cyber system" where an incident or suspected incident could affect the continuity or security of a vital service or vital system. Schedule 1 of the CCSPA lists the vital services and vital systems, which include federally regulated systems such as banking systems and telecommunications services.