The topic of cyber security sits at the intersection of several fields, including computer science, information technology, privacy studies, and policy design. At the same time, our society has become dependent on cyber systems, including in human activities related to commerce, finance and even health care. Canadians are particularly vulnerable to cyber insecurity.
According to the Canadian Securities Administrators (2017), the following frequently identified potential impacts of a cyber security incident were common to a variety of issuers across different industries:
- compromising of confidential customer or employee information;
- unauthorized access to proprietary or sensitive information;
- destruction or corruption of data;
- lost revenues due to a disruption of activities, incurring of remediation costs;
- litigation, fines and liability for failure to comply with privacy and information security laws;
- regulatory investigations and heightened regulatory scrutiny;
- higher insurance premiums;
- reputational harm affecting customer and investor confidence;
- diminished competitive advantage and negative impacts on future opportunities;
- reduced effectiveness of internal control over financial reporting.
Some industry and business-specific potential impacts identified by issuers included:
- operational delays, such as production downtimes or plant and utility outages;
- inability to manage the supply chain;
- inability to process customer transactions or otherwise service customers;
- disruptions to inventory management;
- loss of data from research and development activities; and
- devaluation of intellectual property.
Canadian privacy laws are, in part, designed to elicit timely, comprehensive, and accurate disclosure of information about risks and events that a reasonable investor or member of the public would consider important to their privacy risk. In Canada, data protection and cybersecurity are governed by a complex legal framework. At the federal level, the Personal Information Protection and Electronic Documents Act ("PIPEDA") applies; provincial legislation such as Alberta's contains implicit or explicit accountability and security obligations similar to those in PIPEDA (although only the Alberta legislation contains breach reporting requirements).
PIPEDA contains a number of provisions applicable to data protection and cybersecurity, including:
- Organizations are responsible for personal information under their control and must designate an individual or individuals who are accountable for compliance with the principles set out in Schedule 1 of PIPEDA.
- Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
- Security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.
- The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
- The methods of protection should include (a) physical measures, e.g., locked filing cabinets and restricted access to offices; (b) organizational measures, e.g., security clearances and limiting access on a "need-to-know" basis; and (c) technological measures, e.g., the use of passwords and encryption.
(PIPEDA, Schedule 1, Articles 4.1 and 4.7.)