March 29, 2019

Critical Cybersecurity Compliance Issues for Canadian and US Companies Operating Cross-Border

Laws governing cybersecurity and privacy have been in effect for a number of years in both Canada and the United States, and enforcement activity has been rising in both countries. The Canadian framework rests on one federal statute, supplemented by provincial laws; in the U.S. there are multiple federal laws and a growing number of state statutes and regulations that govern privacy and cybersecurity. Understanding which laws and regulations apply to a business or client is essential to ensuring that personal information and sensitive or confidential information are appropriately protected. Businesses engaged in Canadian-U.S. cross-border transactions need to know the laws and regulations on both sides of the border, both to protect the personal and confidential information of individuals and to minimize their own exposure to penalties for non-compliance and to the loss of strategic business information through hacking or other data loss.

In the U.S., no single federal law regulates the privacy and security of personal information and confidential data. Instead, there is a complex combination of federal and state laws and regulations that overlap and sometimes contradict one another. Data breach disclosure obligations have recently expanded significantly as data security breaches continue to dominate the news. In addition, governmental agencies and industry groups have developed guidelines and self-regulatory regimes that amount to de facto privacy and security best practices. This growing body of law, coupled with the tremendous increase in data collection and processing, raises the risk of privacy and security violations and creates significant compliance challenges.

The Federal Trade Commission Act, the Health Insurance Portability and Accountability Act (HIPAA), the Electronic Communications Privacy Act, and the Children's Online Privacy Protection Act are some, but not all, of the U.S. federal laws that govern certain actions or set out procedures that must be followed to protect private information as defined in each law. At the state level, the California Consumer Privacy Act (a statute) and the Massachusetts Data Security Regulation (an administrative regulation) aim to provide greater protection than may be available under federal law. Washington State's legislature is considering a bill called the Washington Privacy Act; if enacted, it and the California act would be the two most stringent frameworks in the U.S. The Washington bill is modeled more closely on the European Union's General Data Protection Regulation, which places stricter obligations on businesses than current U.S. laws do.