- How do businesses engaged in Canada-U.S. cross-border transactions minimize the legal, financial, and operational risks related to privacy and cybersecurity requirements?
- Businesses must know the cybersecurity and privacy laws and regulations on both sides of the border and must develop a compliance program.
- Where do businesses begin in developing an effective compliance program?
Enforcement of cybersecurity and privacy laws in both Canada and the United States is on the rise. Canada has one federal statute governing commercial privacy matters across the country, supplemented by “substantially similar” legislation in three provinces and by specific requirements for particular industries (e.g., banking and health). This approach differs from the United States, where there are multiple federal laws and a growing number of state statutes and regulations that govern privacy and cybersecurity. For businesses engaged in Canada-U.S. cross-border transactions, understanding the laws and regulations on both sides of the border and having an appropriate cybersecurity compliance program in place are imperative to assuring that personal and proprietary information is protected and to minimizing the legal, financial, and operational risks that noncompliance with those laws may create.
In the United States, no single federal law regulates the privacy and security of personal information and confidential business data. Instead, a complex combination of federal and state laws and regulations overlap and sometimes contradict one another. Data breach disclosure obligations have expanded significantly as data breaches continue to dominate the news. In addition, government agencies and industry groups have developed guidelines and self-regulatory frameworks that create what amounts to privacy and security best practices. These new laws, coupled with the tremendous increase in data collection and processing, result in a greater risk of privacy and security law violations and create significant compliance challenges.
The U.S. Federal Trade Commission Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Electronic Communications Privacy Act (ECPA), and the Children’s Online Privacy Protection Act (COPPA) are several, but not all, of the U.S. federal laws that govern certain actions or set out procedures that must be followed to protect certain kinds of personal information. The California Consumer Privacy Act (CCPA) and the Massachusetts Data Security Regulation are two state enactments that include greater data protection provisions than those found in the federal laws. The CCPA creates the most stringent data privacy regime and will force most companies doing business in the U.S. to change their models of data collection and processing. Legislative proposals regarding data privacy are currently under consideration in several other states and in the U.S. Congress.
The Canadian legal framework for the private sector is generally built around the federal Personal Information Protection and Electronic Documents Act (PIPEDA), except in the provinces with “substantially similar” legislation. The three provinces with “substantially similar” legislation are Alberta, British Columbia, and Québec, whose laws operate mostly independently of PIPEDA. PIPEDA and the provincial laws apply regardless of whether a business is physically located within the country.
There are some differences between PIPEDA and the provincial laws. For example, British Columbia’s law is more comprehensive, covering unincorporated associations, trade unions, trusts, political parties, and not-for-profits, in addition to commercial organizations. Some provinces also have separate laws that govern how health- and employment-related personal information must be handled. Canada also has federal and provincial laws that govern privacy for public bodies. Of particular note is British Columbia’s law that restricts the storage of, and access to, personal information to within Canada.
If a commercial organization operates within Canada, PIPEDA or the applicable provincial law applies. Some important organizational obligations under PIPEDA include designating one or more individuals responsible for compliance with the law, notifying affected individuals and the Privacy Commissioner of a data breach if the breach creates a real risk of significant harm, and maintaining security safeguards commensurate with the sensitivity of the data. Commercial organizations must also develop policies that reflect the principles underlying PIPEDA; these principles are set out in the law itself. Developing a compliance program to implement those policies is a significant step toward assuring that a business is compliant with PIPEDA and other applicable laws.
The Canadian Anti-Spam Legislation (CASL), another federal statute, governs how commercial electronic communications to consumers must be handled. CASL is built on the concepts of consent and a requirement to identify the party sending the message. It requires that such communications include an unsubscribe feature, and it applies even to messages sent from outside Canada to Canadian recipients.
Canadian privacy laws include accountability as a key concept. The Canadian Privacy Commissioner has stated: “Accountability in relation to privacy is the acceptance of responsibility for personal information protection. An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program.”
Developing an effective compliance program, whether in Canada or in the United States, requires the commitment of business leaders and the dedication of resources. Every business should designate a person or team responsible for managing its cybersecurity and privacy compliance programs. In a large business, a separate organization focused on compliance may be appropriate. The compliance person, team, or organization should have significant authority and status, either as part of or with direct access to senior management, and should have direct access to the board of directors. Leadership must embrace the concept that cybersecurity is an enterprise risk, not just the responsibility of the IT or security departments.
The first steps toward developing an effective cybersecurity compliance program are to:
- map the personal data held by the organization in terms of its location, lifecycle and sensitivity;
- conduct a risk assessment;
- develop processes and implementation plans to assure that existing security gaps are closed;
- establish a plan for ongoing assessments to provide monitoring and possible warnings of new gaps or risks;
- develop and implement training programs to educate management and employees about risks, security processes, and compliance expectations; and
- adopt an audit program to assure that monitoring, training, and compliance are occurring.
Failure to develop and implement an appropriate program for compliance with privacy and cybersecurity requirements exposes a business to significant risks. Beyond the legal risks of noncompliance, including possible fines and third-party lawsuits, there are risks to a business’s reputation, potential financial losses, harm to its network, and potential loss of intellectual property and strategic information.