U.S.-Canada Cross-Border Cybersecurity Considerations

The threat of ransomware and business email compromise attacks continues to rise in both Canada and the United States. U.S.-based organizations should be prepared for and aware of the different approaches and legal obligations when responding to cybersecurity incidents in the two countries.

Below are five considerations for U.S.-based organizations faced with responding to a cybersecurity breach impacting Canadian operations, employees or customers:

1. Consider which Canadian privacy legislation applies. There is a patchwork of federal, provincial and territorial privacy legislation and sector-specific requirements in Canada that could apply to a breach depending on the circumstances, and not all applicable privacy statutes have mandatory breach-reporting requirements. It is important to consider the sector and role of the impacted entity, the type of personal information affected and the nature of the organization’s relationship with affected individuals and to engage local counsel to support the incident-response process.

2. Breach-reporting deadlines and thresholds in Canada may be different. Unlike state-level breach-reporting obligations, Canadian privacy legislation generally does not impose a specific breach-reporting deadline, such as 72 hours from the time the breach was discovered. For example, the federal Personal Information Protection and Electronic Documents Act requires reporting “as soon as feasible,” whereas in Alberta the requirement under the Personal Information Protection Act is “without unreasonable delay.” With respect to the threshold for reporting, the standard is typically “real risk of significant harm” to individuals. The Alberta and federal privacy commissioners apply similar objective threshold tests, including determining the sensitivity of the personal information involved in the breach and the probability the personal information has been misused. The relevant types of harm are not limited to potential financial losses.

3. Ransomware attacks in Canada are on the rise. Based on our upcoming 2021 Canadian Cybersecurity Trends Study, ransomware attacks represented 67 per cent of cybersecurity incidents in 2020, almost double the 35 per cent seen in 2019. More than half of the ransom payments were over US$100,000, including several in the millions. Despite the threat to businesses, however, few publicly listed companies report having cyber insurance or even an incident response plan in place.

4. The vast majority of Canadian privacy class actions are certified. Canada has seen a proliferation of privacy-based class actions. The threshold for certification is lower in Canada, resulting in approximately 80 per cent of such cases being certified. The scope of the “intrusion upon seclusion” tort and whether damages can be awarded based on negligence in the context of a privacy breach are still being debated. However, in contrast with the U.S., standing is rarely an issue in Canadian privacy class actions, including because the courts have held that plaintiffs can be awarded up to C$20,000 in “symbolic damages” for intrusion on seclusion, even in the absence of economic loss.

5. Canadian privacy law reform is on the horizon. The federal government’s proposed Bill C-11 would impose an obligation on service providers that handle personal information to report breaches to the organization that controls the personal information. Further, Quebec’s Bill 64 would introduce mandatory breach reporting in that province under its private-sector privacy legislation. U.S. organizations operating in Canada should be aware of these proposed changes, especially with respect to changes to fines for failing to report a privacy breach that under the federal proposal could increase from C$100,000 to the greater of C$25-million or five per cent of gross global revenues.

Have more than five minutes? Contact Nicole Henderson, Cathy Beagan Flood, Sunny Handa or any member of our Cybersecurity group to learn more.