Cyber Law in North America

United States

Government Structure

Do they designate a lead cyber security agency within the government?

Yes. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). See CISA Agency information.

Is oversight provided on a centralized or sectoral basis?

Sectoral. Presidential Policy Directive 21 (PPD-21) designated responsibility to various Federal Government departments and agencies to serve as Sector-Specific Agencies (SSAs) for each of the critical infrastructure sectors and established criteria for identifying additional sectors.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

16 Sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems.

See Presidential Policy Directive 21 (PPD-21); see also CISA Critical Infrastructure Sectors.

How do they designate within these sectors?

Whole sector. The sector-specific plans tend to focus on engaging all stakeholders in the sector. Public- and private-sector partners in each of the 16 critical infrastructure sectors and the state, local, tribal, and territorial government community have developed a Sector-Specific Plan that focuses on the unique operating conditions and risk landscape within that sector.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

No. It is generally a voluntary framework with some narrow exceptions. SSAs are responsible for working with the Department of Homeland Security to implement the NIPP sector partnership model and risk management framework; develop protective programs, resilience strategies and related requirements; and provide sector-level critical infrastructure protection guidance. See CISA Sector Specific Agencies.

Does it take a risk-based approach?

Yes. The National Risk Management Center (NRMC) works to identify, analyze, prioritize, and manage high-consequence threats to critical infrastructure through a crosscutting risk management paradigm. See CISA National Risk Management.

Do the security measures enable the use of international standards?

Yes.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Yes.

Do they include prescriptive or technology-based security measures?

No.

Incident Reporting

Are there mandatory incident reporting requirements?

There are no broadly applicable mandatory incident reporting requirements. However, sector-specific laws may set out mandatory requirements for, e.g., Federal Agencies (FISMA), healthcare organizations (HIPAA), and financial institutions (GLBA).

Note, all 50 states also have a breach notification statute that may apply to certain private and public entities. See NCSL Security Breach Notification Laws.

Are there clear thresholds above which an incident should be reported?

It depends on the sector. Again, there are no broadly applicable thresholds, but sector-specific laws may establish thresholds.

How do they determine the timeline within which an incident must be reported?

It depends on the sector. Many sectors do not have a reporting requirement other than for breaches of personal information.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. CISA's National Cybersecurity and Communications Integration Center (NCCIC). See CISA National Cybersecurity and Communications Integration Center.

Does this entity share information out to industry, as well as receiving information?

Yes. "By fusing information from all levels of government, the private sector, international partners, and the public, [the NCCIC] help[s] people and organizations take action to protect against cybersecurity risks." See NCCIC Year in Review (2017).

Is threat information sharing mandatory for any private sector entity?

No.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No.

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

There are no generally applicable localization requirements. However, the CLOUD Act, which applies only to the contents of electronic communications, documents stored in the cloud, and certain types of transmission and account information, enables the U.S. government to compel a covered entity to hand over data regardless of where it is stored if a U.S. court has jurisdiction over the entity whose data is being sought.

See The Clarifying Lawful Overseas Use of Data Act or CLOUD Act, PL 115-141 (2018).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Generally, yes. It depends on which sectoral law applies.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Generally, no.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

Canada

Government Structure

Do they designate a lead cyber security agency within the government?

Yes. The Canadian Centre for Cyber Security. See About the Canadian Centre for Cyber Security (revised Aug. 6, 2018). While the Centre provides guidance for the public and private companies, it also publishes cybersecurity directives for government projects.

Is oversight provided on a centralized or sectoral basis?

Sectoral. For example, the Office of the Superintendent of Financial Institutions (OSFI) published incident reporting guidance for regulated financial institutions. See OSFI Technology and Cyber Security Incident Reporting. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private sector organizations in Canada that "collect, use, or disclose personal information in the course of a commercial activity." Note, however, that Alberta, British Columbia, and Quebec have their own data protection statutes which have been deemed "substantially similar" to PIPEDA and supplant PIPEDA in those provinces. See PIPEDA in Brief, Office of the Privacy Commissioner of Canada.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

10 Sectors: Health; Food; Finance; Water; Information and Communication Technology; Safety; Energy and Utilities; Manufacturing; Government; and Transportation. See National Strategy for Critical Infrastructure, Public Safety Canada (June 26, 2019).

How do they designate within these sectors?

Whole sector: At the national level, critical infrastructure is designated at the sectoral level. Additionally, "critical infrastructure" carries a broad definition which includes "processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government." See Critical Infrastructure, Public Safety Canada (June 7, 2019).

Each of the 10 critical infrastructure sectors have lead departments or agencies that are responsible for carrying out the Action Plan for Critical Infrastructure. See National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada (May 11, 2018).

Other critical infrastructure security partners include other Canadian government agencies, provincial authorities, and international partners. See Critical Infrastructure Partners, Public Safety Canada (May 23, 2019). 

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Generally, no, but the Canadian Cyber Centre may mandate specific cyber security standards for government agencies. See Directives, Canadian Centre for Cyber Security (last visited Dec. 1, 2019).

Does it take a risk-based approach?

Yes. Canada's National Strategy for Critical Infrastructure favors a risk-based approach. See National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada (May 11, 2018). Additionally, the Canadian Centre for Cyber Security publishes risk-based guidance based on industry and business size. See, e.g., The Path to Enterprise Security, Canadian Centre for Cyber Security (Sep. 6, 2019). 

Furthermore, the Investment Industry Regulatory Organization of Canada has also taken a risk-based approach to cyber security as provided in its industry guidance. See Cybersecurity Best Practices Guide, IIROC (last visited Dec. 1, 2019). The same is true for the Bank of Canada's 2019-2021 Cyber Security Strategy. See 2019-2021 Cyber Security Strategy, Bank of Canada (last visited Dec. 1, 2019).

Do the security measures enable the use of international standards?

Yes, and some are recommended. The Canadian Centre for Cyber Security has recommended the use of ISO 27001:2013 to protect small and medium organizations from cyber threats. However, the 2018 National Cyber Security Strategy does not identify a particular international standard. See The Path to Enterprise Security, Canadian Centre for Cyber Security (Sep. 6, 2019).

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Yes. The Canadian Centre for Cyber Security advertises NIST CSF as one of the ways in which Canadian businesses and critical infrastructure sectors can increase technological security. See The Path to Enterprise Security, Canadian Centre for Cyber Security (Sep. 6, 2019). Additionally, the Bank of Canada's cyber security guidance is organized to be NIST-compatible. See 2019-2021 Cyber Security Strategy, Bank of Canada, (last visited Dec. 1, 2019). 

Do they include prescriptive or technology-based security measures?

Generally, no, although the Canadian Centre for Cyber Security's guidance documents are technology-based. See, e.g., Virtual Private Networks (ITSAP.80.101); Guidance for Hardening Microsoft Windows 10 Enterprise (ITSP.70.012) (Mar. 20, 2019).

Incident Reporting

Are there mandatory incident reporting requirements?

It depends on the sector.

Both PIPEDA and some provincial-level data protection statutes have mandatory reporting requirements. Under PIPEDA, organizations involved in a breach of security safeguards must report the breach to the Office of the Privacy Commissioner. Additionally, the organization is required to provide notification to the individual if there is a "risk of significant harm." See PIPEDA, at § 10.1(1).

There are also industry-level security incident reporting requirements promulgated by government agencies. See, e.g., Technology and Cyber Security Incident Reporting, Office of the Superintendent of Financial Institutions Canada (January 2019).

Are there clear thresholds above which an incident should be reported?

It depends on the sector.

Breach incidents require reporting to the Canadian Office of the Privacy Commissioner and the affected individual when there is a "real risk of significant harm." PIPEDA defines a "significant harm" as one that includes "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Furthermore, in determining whether there is a real risk, the impacted organization shall weigh (1) the sensitivity of the personal information involved; (2) the probability that the information has or will be misused; and (3) any other relevant factor. See PIPEDA, at §§ 10.1(7)-(8). Regulated financial entities are also required to report "Technology or Cyber Security Incidents" to OSFI after consideration of a number of factors, including the level of system/service disruptions and the number of customers impacted, and whether that number is increasing. See Technology and Cyber Security Incident Reporting, Office of the Superintendent of Financial Institutions Canada (January 2019).

How do they determine the timeline within which an incident must be reported?

It depends on the sector.

Under PIPEDA, the notification must be given "as soon as feasible" after the affected organization has determined that a breach occurred. PIPEDA, at § 10.1(6). The OSFI Advisory requires that a regulated financial institution inform its designated Lead Supervisor of a Technology or Cyber Incident "as promptly as possible, but no later than 72 hours" after making the determination that the incident meets the characteristics described in the Advisory for reporting. See Technology and Cyber Security Incident Reporting, Office of the Superintendent of Financial Institutions (January 24, 2019).

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The Canadian Centre for Cyber Security leads the Canadian government's response to cyber security events. The Centre works with the public and private sectors to develop cyber security guidance. It also provides security directives for federal agencies. See About the Cyber Centre, Canadian Centre for Cyber Security (Aug. 6, 2018). 

Does this entity share information out to industry, as well as receiving information?

Yes. The Canadian Centre for Cyber Security provides guidance for both industry and the public at large. See About the Cyber Centre, Canadian Centre for Cyber Security (Aug. 6, 2018).

Is threat information sharing mandatory for any private sector entity?

No. It is only required for breach reporting as illustrated above.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

It depends on the sector. The Office of the Privacy Commissioner may conduct extensive investigations into the data protection practices of private companies under PIPEDA, and into federal agencies under the Privacy Act. Under a PIPEDA investigation, the Office of the Privacy Commissioner may enter the premises of a private business "at any reasonable time" and obtain copies of data found on the premises. See Enforcement of PIPEDA, Office of the Privacy Commissioner (Apr. 20, 2017). 

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No. See Canada: Cybersecurity 2020, ICLG (Oct. 22, 2019). 

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

Not nationally. British Columbia and Nova Scotia both have data localization requirements. The British Columbia Freedom of Information and Protection of Privacy Act ("FOIPPA") requires that government entities store and access personal information only within Canada. The Nova Scotia Personal Information International Disclosure Act also requires data localization for government entities within Canada. See Data Localization and Digital Trade in the New United States-Mexico-Canada Agreement, Mondaq (Oct. 24, 2018); How Did Canada Fare on Privacy in the USMCA? IAPP (Oct. 12, 2018).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

It depends on the sector. PIPEDA regulations were promulgated in 2018 for breach reporting. Specifically, if a company fails to comply with breach reporting and recordkeeping requirements, the company may now face financial penalties of up to $100,000. See Canada: Cybersecurity 2020, ICLG (Oct. 22, 2019); Lisa R. Lifshitz, Canada: New Rules For Mandatory Privacy Breach Notification In Canada: What Organizations Need To Know (May 2, 2018). 

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

There are criminal penalties related to hacking, denial of service attacks, phishing, intentional malware infections, identity theft or identity fraud, and electronic fraud. The maximum penalty for hacking (Criminal Code § 342.1), denial of service attacks (Criminal Code § 430), intentional malware infections (Criminal Code § 430), and identity fraud (Criminal Code § 403) is 10 years' imprisonment. Identity theft (Criminal Code § 402.2) and electronic fraud (Copyright Act § 41.1(1)) carry maximum terms of five years. See Canada: Cybersecurity 2020, ICLG.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The OSFI financial entity breach reporting guidelines were implemented in January 2019. PIPEDA was enacted in 2000, but its breach reporting requirements were instituted in May 2018. 

© 2023 by National Cyber Law Project Reference Site

Disclaimer: The material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School. It is not legal advice. Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions. The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change, so you should consult other resources to ensure continued accuracy.