As many of you know, the US National Institute of Standards and Technology (NIST) recently published its Framework on Critical Infrastructure Security. Here is one of many articles about it that gives a good summary.
Does Canada need something similar? If so, who would be the appropriate authority to issue it? Will the US framework spill over in any event to Canada, to set a civil standard of care for cybersecurity practices?
A number of American lawyers are advising that boards of directors of ‘critical infrastructure’ operations — a very broad class — have to be aware of these guidelines, because they will set the scope of what is considered foreseeable in the event of an incident. In other words, once you have seen the NIST material, you may be negligent if you don’t respond — even though the guidelines have no formal legal effect.
Do Canadian companies (and law firms) ‘get’ cybersecurity? Is anyone here doing anything because of the NIST standard or other events? Should they be?