The Lawyer's Daily is now Law360 Canada. Click here to learn more.

Marco Mendicino

Cybersecurity bill features offences, gags, AMPs and broad ‘compliance orders’ for businesses

Wednesday, June 15, 2022 @ 1:20 PM | By Cristin Schmitz

Ottawa has introduced sweeping cybersecurity legislation with novel features aimed at defending critical infrastructure in the federally regulated sectors of finance, telecommunications, energy and transportation from the rising tide of electronic espionage, ransomware and other “malicious cyber activity.”

Bill C-26, introduced by Public Safety Minister Marco Mendicino in the Commons June 14, would create new reporting and performance obligations for telecommunications and other designated federal-sector businesses — imposed, in part, via open-ended cabinet and ministerial authorities to make “compliance-orders” and “directions”, including gags on affected businesses — and enforced by audits; hybrid offences punishable by jail; up to $15 million per day in administrative money penalties (AMPs); and fines whose amount is left up to “the discretion of the court.”

“The Act will do two things,” Mendicino told reporters after introducing Bill C-26. “First, it will amend the Telecommunications Act to add security as a fundamental policy objective. This will give our government the legal authority to compel any action necessary to secure our telecommunications system. Most significantly, this includes prohibiting Canadian companies from using products, equipment and services from high-risk suppliers” — such as Huawei and ZTE which Ottawa has banned from Canadian telecommunications networks.

Public Safety Minister Marco Mendicino

Public Safety Minister Marco Mendicino

Second, Mendicino said the Act will help organizations better prepare, prevent and respond to cyber incidents across the finance, telecommunications, energy and transport sectors that are federally regulated. “Cyber incidents above a certain threshold will be required to be reported, and the government will be able to compel companies to respond to cyber threats to protect their customers and employees, Mendicino said, citing recent attacks, including on major hospitals and large factories hit by ransomware and other cyberattacks.

The 90-page, two-part proposed legislation is titled An Act Respecting Cyber Security (ARCS).

Bill C-26 is essentially two bills in one, with both directed at enhancing Canada’s cybersecurity.

Part 1 would amend the Telecommunications Act by providing the government with the legal authority to mandate any necessary action to secure Canada’s telecommunications networks, including by imposing obligations on telecommunications service providers, such as Bell and Rogers, and their equipment suppliers, and prohibiting Canadian companies from using products and services from suppliers deemed by federal authorities to be a risk to national security.

Expansive security-related order-making authority under an amended Telecommunications Act would rest with the governor in council and the Minister of Industry, who could direct a telecommunications service provider (TSP) “to do anything or refrain from doing anything” considered necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.

The proposed open-ended order-making power includes a dozen actions specified in the Act such as: prohibiting a TSP from using a specified product or service, or ordering its removal; prohibiting a TSP from entering a service agreement; and requiring a TSP to implement certain standards; and to “mitigate any vulnerability” in its telecommunication services, networks, facilities or its security plan.

Under Part 1 of Bill C-26, the industry minister or cabinet can impose a gag on the TSP, “prohibiting the disclosure of [the order’s] existence, or some or all of its contents, by any person.”

A court is also authorized to grant an injunction ordering any person to cease or refrain from any activity in cases where a contravention of an order or a regulation is being, or is likely to be, committed.

The proposed law includes expansive enforcement powers. A person who commits a “violation” of a provision in an order under ss. 15.1 and 15.2 of the Act, or a regulation made under para. 15.8(1)(a), is liable to an AMP, in the case of an individual, not exceeding $25,000 for a first contravention, and for a subsequent contravention, not more than $50,000.

In any other case, the AMP is up to $10 million for a contravention, or $15 million for a subsequent contravention — but the sky is the limit since “a violation that is continued on more than one day constitutes a separate violation in respect of each day during which it is continued.”

The bill authorizes compliance agreements.

It also stipulates that due diligence is a defence to most violations, and to regulatory offences.  

The bill creates regulatory offences, with the possibility of open-ended fines whose amount is left to the court’s discretion. “Every person who contravenes an order” under ss. 15.1 or 15.2, or a regulation made under para. 15.8(1)(a), is guilty of an offence punishable on summary conviction and is liable, in the case of an individual, “to a fine in an amount that is at the discretion of the court,” or to imprisonment for not more than two years less a day, or to both; and, in the case of a corporation, “to a fine in an amount that is at the discretion of the court.”

Officers, directors, agents, and mandatories are all liable to prosecution in respect of an individual’s actions “if they directed, authorized, assented to, acquiesced in, or participated in, the commission of the offence,” whether or not the individual has been prosecuted or convicted.

In a prosecution, “it is sufficient proof of the offence” to establish it was committed by an employee, acting within the scope of their employment, or by an agent or a mandatory of the accused, acting within the scope of their authority, whether or not the employee or agent or mandatory is identified or proceeded against.

The proposed Act stipulates “no one is entitled to any compensation” from the Crown “for any financial losses resulting from the making of an order.”

The bill provides for keeping confidential business information secret. Persons who are required to provide “any information that the Minister believes on reasonable grounds is relevant for the purpose of making, amending or revoking an order,” or for verifying compliance, or preventing non-compliance, with an order or regulation, can designate information as confidential for several reasons, including that the information is a trade secret, or that its disclosure “could reasonably be expected to result” in material financial loss to “any person,” or prejudice the competitive position of any person, or affect contractual or other negotiations of any person.  

The proposed Act would prohibit knowingly disclosing, or permitting to be disclosed, any information designated as confidential.

The bill also provides for exchanging information, including confidential information, among many people, such as several ministers including the minister of public safety, as well as the Chief of the Defence Staff, the Canadian Security Intelligence Service, and “any other prescribed person or entity.”

Orders or regulations are subject to judicial review, but the bill provides that the designated Federal Court judge must keep secret from the public, the applicant and their counsel, any evidence and other information provided by the minister if in the judge’s opinion, its disclosure would be injurious to international relations, national defence or national security, or endanger the safety of any person.

A judicial review applicant is entitled to a summary of the evidence and other government information made available to the judge “that enables the applicant to be reasonably informed” of the government’s case, excluding the aforementioned secret information.

Inspectors will be designated to verify compliance or prevent non-compliance with orders and the Act’s provisions or regulations, including being empowered to enter premises and, only if armed with a warrant, dwellings.

According to backgrounders supplied by the government, Part 2 of Bill C-26, the proposed Critical Cyber Systems Protection Act (CCSPA) is novel framework legislation that creates a regulatory regime requiring “designated operators” in the finance, telecommunications, energy, and transportation sectors to protect their critical cyber systems by: establishing a cybersecurity program; mitigating supply chain/third-party service or product risks; reporting cybersecurity incidents to the Canadian Centre for Cyber Security; and implementing “cybersecurity directions.”

Schedule 1 of the Act, would establish the vital services and systems in each of the four sectors, including telecommunication services; interprovincial or international pipeline and power line systems; nuclear energy systems; transportation systems within federal jurisdiction; banking systems and clearing and settlement systems.

The governor-in-council has the authority to add or remove sector-specific services and systems from the schedule.

The government said that it will “consult widely” with stakeholders to determine the designation of “classes of operators” under the Act. “Provided an operator is captured under a class of operators, they are deemed ‘designated’” and subject to the Act’s obligations, the government says.

The government also said it will consult with the sectors on the additional regulations needed for implementing the CCSPA, including the process for reporting cyberincidents.

Notably Part 2 of the Act gives the governor-in-council (cabinet) new authority to issue binding “cybersecurity directions” to designated federally regulated entities.

This is of note to provincially regulated private industry too, as Ottawa is planning to encourage provinces, territories and municipalities to implement, in their own jurisdictions, similar and complementary regulations and rules “to help secure their critical infrastructure in collaboration with the federal government.”

Part 2 of the proposed Act specifies six regulators under the CCSPA: the federal department of Innovation, Science and Economic Development Canada (ISEC); the Office of the Superintendent of Financial Institutions; the Bank of Canada; Transport Canada; the Canada Energy Regulator; and the Canadian Nuclear Safety Commission.

According to the summary in Bill C-26, the CCSPA would “provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament.”

 Among other things, Bill C-26:
  • authorizes the governor-in-council to designate any service or system as a vital service or vital system;
  • authorizes the governor-in-council to establish classes of operators in respect of a vital service or vital system;
  • requires designated operators to, among other things, establish and implement cybersecurity programs, mitigate supply-chain and third-party risks, report cybersecurity incidents and comply with cybersecurity directions;
  • provides for the exchange of cyberthreat information between relevant parties; and
  • authorizes the enforcement of the obligations under the Act and imposes consequences for non-compliance.

The governor-in-council’s cybersecurity directions to designated operators or classes of operators will require the latter to act, based on the measures identified in the direction, for the purpose of protecting a critical cyber system, within a specified time.

Designated operators would be required to establish a “cybersecurity program” documenting how they will ensure the protection and resilience of their critical cyber systems.

The government said the Act requires reasonable measures be put in place to detect cybersecurity incidents and to minimize the impact of such incidents on critical cyber systems.

Obligations also include reporting cybersecurity incidents to the Cyber Security Centre.

The threshold defining the reporting obligation will be set by regulation, the government said.

Regulators would have the power to enforce the Act, via audits and AMPs, for example, and there are hybrid regulatory offences punishable by fines and imprisonment.

Government inspectors enforcing the Act could enter premises (except dwelling houses) without a warrant.

There are hybrid offences, which on summary conviction for an individual, are subject to a fine in an amount at the discretion of the court or to jail for not more than two years less a day, or to both, and in the case of a corporation, to a fine “in an amount that is in the discretion of the court.”

For conviction on indictment an individual would be subject to a similar fine, or imprisonment for up to five years, or to both, and, in the case of a corporation, to a fine in an amount set in the discretion of the court.

If you have any information, story ideas or news tips for The Lawyer’s Dailyplease contact Cristin Schmitz at or call 613 820-2794.