Skip to content

Lawyers call for national cybersecurity standards

Plea comes as federal government launches public consultation on digital security
|Written By Yamri Taddese

Technology lawyers say they’re hopeful the federal government’s public consultation on cybersecurity will result in a set of national standards for digital safety in Canada.

Technology lawyer Lisa Abe-Oldenburg says current legislation and regulations around cybersecurity lack rigour.

Technology lawyer Lisa Abe-Oldenburg says that, currently, it’s difficult to advise clients who ask about the level of security standards they should be following to protect their systems.

“There’s really not a lot of legislation we can point to to give them any kind of guidance and comfort,” she says. “It often becomes a negotiation between the customer and the supplier.”

Ira Nishisato, partner at Borden Ladner Gervais LLP, complains of the same issue.

“There are essentially no national standards,” Nishisato says. “From a legal perspective, the issue is always the question of standard of care — to what standard of care could an organization be held to in terms of ensuring the integrity and the security of its system?

“Right now, if you look for what you should be doing, it’s really not a question that avails itself of a straightforward answer,” he adds. “It would be extraordinarily helpful to have some sort of direction in terms of national guidelines or national standards for cybersecurity and cyber-risk management.”

Last week, the federal government announced it would be launching a public consultation “on the evolving cybersecurity landscape” with the goal of strengthening digital safety.

“The government’s cybersecurity review is an opportunity to build Canadian strength and expertise. Canadians spend more time online than people in any other country,” said Ralph Goodale, minister of Public Safety and Emergency Preparedness.

“We need to get really good at cybersecurity — across our personal, business, infrastructure and government sectors — so we can take full advantage of the digital economy, while protecting the safety and security of Canadians, and selling our valuable cyberskills and products into a booming market throughout the rest of the world,” Goodale added.

Current legislation and regulations around cybersecurity lack rigour, according to Abe-Oldenburg.

“We haven’t created any robust security regulations,” she says, noting that even recent legislation such as the Personal Information Protection and Electronic Documents Act falls short of specifying details such as the level of encryption required on personal information collected for commercial purposes.

Abe-Oldenburg also says the government should look at the various risks to which the public is exposed in the age of the Internet of Things, including vulnerabilities that may come with self-driving cars. She adds she’s hopeful the consultation will result in better regulations for products and services.

Lack of software safety standards for autonomous vehicles, for example, could jeopardize personal safety and data, Abe-Oldenburg continues. “If somebody hacks into a system that’s controlling a device, a machine or an automobile, there could be serious repercussions.”

  • Lawyer

    Art Linton
    Technology is moving so quickly it is literally impossible to guarantee cyber-security. Attempts to regulate or legislate largely ignore that fact and range from regulation by inference, such as absolute liability for cyber-vulnerable energy companies to a EU requirement that energy, transport, and finance enterprises will have to guarantee they are capable of preventing cyberattacks.

    This challenge is beyond legislators and regulators, it will inevitably fall to the courts to set duties and standards of care.

    Look for an wholistic approach that recognizes the impossibility of total prevention and values formal detection and remediation efforts, not unlike the regime for environmental spills in Ontario.
  • The first question might be

    Albin Foro
    whether, as pertains to negligence claims, the standard should be left to the courts rather than some reactive and almost immediately obsolete set of regulatory standards. The focus might be better put onto public access to class action and contingency funding, and let the arguments about liability fly in court.




  • clawbies 2015
    clawbies 2014
  • clawbies 2013
    clawbies 2012
  • clawbies 2011
    clawbies 2010