To enforce these new obligations, the CCSPA grants to the Appropriate Regulators investigatory, auditing, and order-making powers, including issuing administrative monetary penalties (“AMPs”) of up to $1 million per day for individuals (such as directors and officers), and $15 million per day for other persons. Additionally, Designated Operators, and their directors and officers, may be fined—or imprisoned if a director or officer—if either contravenes specific provisions of the CCSPA; the amount of a fine is at the discretion of the federal court.
Telecommunications Act Amendments
The amendments to the Telecommunications Act (the “Amendments”) establish new order-making powers for the Governor-in-Council and the Minister of Industry (the “Minister”) to direct Telcos to take specific actions to secure the Canadian telecommunications system. Specifically, the Governor-in-Council may, by order,
- prohibit a Telco from using all the products and services offered by a specified person; and
- direct a Telco to remove all products provided by a specified person.
The Minister, after consultation with the Minister of Public Safety and Emergency Preparedness, may, by order,
- prohibit a Telco from providing services to a specified person; and
- direct a Telco to suspend any service to a specified person.
Additionally, the Amendments grant the Minister the power to direct Telcos to do anything or refrain from doing anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including the following:
- prohibiting Telcos from using any specified product in or in relation to Telcos’ network or facilities, or part thereof;
- prohibiting Telcos from entering service agreements for any product or service;
- requiring Telcos to terminate a service agreement;
- prohibiting the upgrade of any specified product or service; and
- subjecting the Telcos’ procurement plans to a review process.
Interestingly, Telcos will not be compensated for any financial losses resulting from these orders.
The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos’ compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000–$50,000 per day for individuals (such as directors and officers), and up to $10–$15 million per day for other persons. Moreover, contravention of orders or regulations may result in prosecution whereby the Telcos, and their directors and officers, may have to pay fines (whose amount is at the discretion of the court) or face imprisonment.
Information Sharing and Secrecy
The CCSPA and the Amendments require Designated Operators, Telcos, and any other person to share confidential information with the Appropriate Regulators, and Governor-in-Council and Minister, respectively, in furtherance of the objectives of the Bill. This confidential information may be shared with multiple federal government organizations, provincial and foreign counterparts, as well as international organizations, to pursue the objectives of the CCSPA and the Amendments. While these information exchanges will be governed by agreements and memorandums of understanding between the parties, the Minister may disclose the information if it is necessary in the Minister’s opinion to secure the telecom system.
Given the national security purpose underlying this Bill, the secrecy of the orders is paramount. The orders from the Governor-in-Council and Minister may be subject to non-disclosure requirements. Moreover, for the sake of secrecy and expediency, the orders and directions of the Governor-in-Council and Minister do not follow the complete process outlined in the Statutory Instruments Act, and thus, are not registered, published, or debated in an open manner.
Recommendations
Given that the Bill has just been introduced, its passage is not guaranteed, and additional changes to the draft law may occur. In the interim, however, if you are a provider of vital services and systems as described in the Bill, we recommend that you consider taking the following steps to improve your cyber resilience:
- Preemptively improve your security posture and processes to conform with the CSE’s best practices and guidance, or industry practices, and ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and
- given the secrecy and potential immediacy of Government orders and directives, Telcos and Designated Operators should draft contracts to flow down potential cyber security risks appropriately.
If you are a supplier of products and services related to the critical cyber systems of Designated Operators as described in the Bill, we recommend that you consider taking the following steps:
- Preemptively improve your security posture and processes as described immediately above in anticipation of more strenuous cybersecurity requirements requested by Designated Operators; and
- anticipate shouldering more risk when contracting with Designated Operators and consult with your insurance provider accordingly.