I have been asked (by an American colleague) if I know of any synopsis of “Canadian cybersecurity laws”. I am told that this expression means some mix analogous to the US Computer Fraud and Abuse Act, covering as well wiretaps, crimes, and specific requirements for securing data. The core is the private sector rather than critical infrastructure or national security.
It is conceivable that there is a chapter or more in the various collections of learning on IT or e-com law on the topic, which Canadian members of this blog are familiar with. Care to name them? Is there a book in Sunny Handa’s series on IT law? Something in Barry Sookman’s looseleaf collection? Or elsewhere (not to be prejudicial by omission…)? (I suspect my correspondent would limit himself to English-language texts, but readers of this blog may be interested in French texts too.)
I think of the Criminal Code provisions on unauthorized access to computers, and related topics. Also PIPEDA and provincial equivalents generally require personal information to be kept secure, though without a lot of detail about the standards of security to be applied. (I am aware of directives or advisory publications by privacy commissioners, notably in Ontario, about securing data on mobile devices, but not a general standard for data in motion or at rest.) So far the one statute and one bill on data breach notification in Canada do not prescribe standards of care for secure storage.
Law societies have advised lawyers (and in Ontario, paralegals) that they should ensure that their client communications are appropriately secure, but without attempting any standard of security. The CBA’s guidelines on IT security for lawyers could be relevant for practice questions, but they do not constitute ‘laws’ as requested.
- What laws exist in Canada that might be considered ‘cybersecurity’ laws, besides the few I have mentioned?
- Does case law make up for a paucity of statute, via findings of negligent or non-negligent handling of data or IT systems?
- Are there audit standards that might reach the level of a law, or at least be worth mentioning in this context? I think I recall a publication of the Canadian Institute of Chartered Accountants on cybersecurity. Has anyone got a reference to that, and an idea if it might be relevant?
- Is there a useful synopsis of them somewhere? Where?
With thanks in advance.