June 28, 2019

Critical Cybersecurity Compliance Issues for Canadian and U.S. Companies Operating across the Border

David Aschkinasi, Andrew C. Alleyne, William R. Denny, Michael McEvoy


  • How do businesses engaged in Canada-U.S. cross-border transactions minimize the legal, financial, and operational risks related to privacy and cybersecurity requirements?
  • Businesses must know the cybersecurity and privacy laws and regulations on both sides of the border and must develop a compliance program.
  • Where do businesses begin in developing an effective compliance program?

Enforcement activities of cybersecurity and privacy laws  in both Canada and the United States are on the rise. Canada has one federal statute governing commercial privacy matters across the country, except in three provinces where “substantially similar” legislation governs, and by specific requirements for particular industries (i.e., banking and health). This approach differs from the United States, where there are multiple federal laws and a growing number of state statutes and regulations that govern privacy and cyber security. For businesses engaged in Canada-U.S. cross-border transactions understanding the laws and regulations on both sides of the border and having an appropriate cybersecurity compliance program in place are imperative to assuring that personal and proprietary information are protected and to minimizing the legal, financial, and operational risks to businesses that may occur through noncompliance with laws.

In the United States, no single federal law regulates the privacy and security of personal information and confidential business data. Instead, a complex combination of federal and state laws and regulations overlap and sometimes contradict one another. Data breach disclosure obligations have expanded significantly as data breaches continue to dominate the news. In addition, government agencies and industry groups have developed guidelines and self-regulatory frameworks that create what amounts to privacy and security best practices. These new laws, coupled with the tremendous increase in data collection and processing, result in a greater risk of privacy and security law violations and create significant compliance challenges.

The U.S. Federal Trade Commission Act, The Health Information Portability and Accountability Act (HIPPA), the Graham-Leach-Bliley Act (GLBA), The Electronic Communications Privacy Act (ECPA), and the Children’s Online Privacy Protection Act (COPPA) are several, but not all, U.S. federal laws that govern certain actions or set out procedures that must be followed to protect certain kinds of personal information. The California Consumer Privacy Act (CCPA) and the Massachusetts Data Security Regulation are two state statutes that include greater data protection provisions than those found in the federal laws. The CCPA creates the most stringent data privacy regime and will force most companies doing business in the U.S. to change their models of data collection and processing. Legislative proposals regarding data privacy are currently under consideration in several other states and in the U.S. Congress.

The Canadian legal framework for the private sector is generally built around the federal Personal Information Protection and Electronic Documents Act (PIPEDA), except for the provinces with “substantially similar” legislation. The three provinces with “substantially similar” legislation are Alberta, British Columbia, and Québec, which operate mostly independently from PIPEDA. PIPEDA, and the provincial laws, apply regardless of a business’ physical residency within the country.

There are some differences between PIPEDA and the provincial laws. For example, British Columbia’s law is more comprehensive, covering unincorporated associations, trade unions, trusts, political parties, and not-for-profits, in addition to commercial organizations. Some provinces also have separate laws that govern how health- and employment-related personal information must be handled. Canada also has federal and provincial laws that govern privacy for public bodies. Of particular note is British Columbia’s law that restricts the storage and access of personal information to inside Canada.

 If a commercial organization operates within Canada, PIPEDA or the provincial law applies. Some important organizational obligations under PIPEDA include the designation of one or more individuals responsible for compliance with the law, notification of data breaches to individuals and the privacy commissioner if the breach causes a real risk of significant harm, and a duty to maintain certain standards of security safeguards commiserate with the sensitivity of the data. Commercial organizations must also develop policies that reflect the principles underlying PIPEDA. These principles are included in the law itself. Development of a compliance program to implement those policies will be a significant step to further assuring that a business is compliant with PIPEDA and other applicable laws.

The Canadian Anti-Spam Legislation (CASL), another federal statute, addresses the way electronic communications of a commercial nature to consumers are to be handled. Concepts of consent and a requirement to identify the party sending notices are part of CASL. CASL requires that communications must include an unsubscribe feature, and it applies even to messages sent from outside of Canada to Canadian recipients.

Canadian privacy laws include accountability as a key concept. The Canadian Privacy Commissioner has stated: “Accountability in relation to privacy is the acceptance of responsibility for personal information protection. An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program.”

Development of an effective compliance program, whether in Canada or in the United States, requires the commitment of business leaders and the dedication of resources. All businesses should designate a person or team responsible for managing cybersecurity and privacy compliance programs. In a large business, a separate organization focused on compliance may be appropriate. The compliance person, team, or organization should have significant authority and status, either as part of or with direct access to senior management, and should have direct access to the board of directors. Leadership must embrace the concept that cyber security is an enterprise risk—not just the responsibility of the IT or security departments.

The first steps toward developing an effective cybersecurity compliance program are to:

  • map the personal data held by the organization in terms of its location, lifecycle and sensitivity;
  • conduct a risk assessment;
  • develop processes and implementation plans to assure that existing security gaps are closed;
  • establish a plan for ongoing assessments to provide monitoring and possible warnings of new gaps or risks;
  • develop and implement training programs to educate management and employees about risks, security processes, and compliance expectations; and
  • adopt an audit program to assure that monitoring, training, and compliance are occurring.

Failure to develop and implement an appropriate program for compliance with privacy and cybersecurity requirements subjects a business to significant risks. Not only are there legal risks of failing to comply with laws, including possible fines and third-party lawsuits, but there are also risks to a business’ reputation, potential financial losses, harm to its network, and potential loss of intellectual property and strategic information.

David Aschkinasi

Special Counsel; Glade, Voogt, Lopez and Smith PC

David Aschkinasi is  Special Counsel with Glade, Voogt, Lopez and Smith PC, Denver, Colorado. David provides advice on complex commercial, government and international transactions, as well as advising on corporate compliance issues and risk analysis, especially regarding cybersecurity, privacy, FCPA and international regulatory and trade matters.

Serving on the Steering Committee of the firm’s Technology practice group and frequently working in the IT and outsourcing space, Andrew advises clients on the challenges and complexities of commercializing, acquiring and implementing technology solutions; and also works with private companies on M&A transactions, frequently across borders.  Andrew regularly advises on IT and business process outsourcings, bancassurance outsourcings, cloud and SaaS arrangements, software licensing and commercial due diligence and the technology aspects of M&A transactions, including transition services arrangements. His experience also extends to a variety of Internet and e-commerce matters, and to the legal and regulatory aspects of online gambling in Canada.

William R. Denny practices primarily in the areas of cybersecurity, data privacy and information governance, focusing on privacy and security compliance, vendor management, mergers and acquisitions and information technology. Mr. Denny is a Certified Information Privacy Professional (CIPP/US) and a Certified Information Privacy Manager (CIPM) through the International Association of Privacy Professionals (IAPP) and Chair of the IAPP KnowledgeNet Chapter for Delaware. He has represented public and privately held companies and government entities in a wide range of technology transactions.

Michael McEvoy

Information and Privacy Commissioner, British Columbia

Michael McEvoy was appointed Information and Privacy Commissioner for BC by unanimous motion of the Legislative Assembly. He began his six-year term as an independent Officer of the Legislature on April 1, 2018. Prior to his appointment, he was seconded from his position as Deputy Commissioner at the OIPC to the Information Commissioner’s Office in the UK, where he helped lead an investigation into Cambridge Analytica and Facebook. Commissioner McEvoy served in local government for 12 years before joining the OIPC in 2007. He obtained a Juris Doctorate from the University of Manitoba in 1985 and a Bachelor of Arts in 1980 from the University of Winnipeg. He has been a member of the Law Society of British Columbia since 1986.