Canada: How Much Cybersecurity Is Enough?

Last Updated: April 24 2015
Article by Ira Nishisato


How much cybersecurity is enough? This question is as legal as it is technical. In legal terms, the question is answered by the applicable standard of care. The standard of care draws the line between conduct that renders a company liable and conduct that does not. Where a company meets or exceeds the standard of care, it cannot be held liable in law for damages related to that conduct. In the context of cybersecurity, the standard of care may be established by a regulator, by the legislature, by contract or, retrospectively, by a court in the context of a lawsuit. This is rarely, if ever, done explicitly. Standards of care are typically framed in "should" rather than "must" language. They are often technologically neutral, in the sense that they do not require a specific solution to a specific problem.

By way of example, most regulators prefer persuasive as opposed to mandatory regulation. Hence they prefer to issue "guidelines" or "advisories" to establish standards of care. Thus, for example, the CSA Staff Notice 11-326 Cyber Security is, as its name states, a notice, rather than an order or regulation. As a notice, it is not enforceable at the instance of the regulator, nor is there a penalty regime in place for failure to abide. That said, failure to comply would be a strike against an issuer, registrant or regulated entity in any proceeding that arises as a result of a cybersecurity breach.

Similarly, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued its Cyber Security Self-Assessment Guidance on October 28, 2013. While noting that many federally regulated financial institutions were already conducting assessments of their level of preparedness, OSFI suggested those institutions "could benefit from guidance related to such self-assessment activities." While the guidance is neither a regulation nor order, per se, no one doubts that OSFI expects federally regulated institutions to abide by it, and that a failure to do so would have consequences in other forums' proceedings related to cybersecurity breaches.

In the United States, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued on February 12, 2013, called for the development of a voluntary, risk-based cybersecurity framework — a set of industry standards and best practices, to help organizations manage cybersecurity risks. In response, the National Institute of Standards and Technology (NIST) published its Framework for Improving Critical Infrastructure exactly one year later. The Framework "uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses".

The NIST Framework is of particular interest when one is concerned with critical infrastructure businesses, such as public utilities, communication systems, electrical grids, pipelines and the like. It is premised on a "core" of five functions.

"Identify" means to identify those systems which are critical to the business, and those which are less critical, so that they can be prioritized. The control of private and confidential information may be critical to some businesses (for example, law firms), whereas the control of SCADA systems may be much more relevant to others (for example, pipelines). "Protect" means to develop and implement the activities necessary to ensure delivery of the critical services. "Detect" is the ability to know if and when a cybersecurity event occurs. This is no minor matter. Not all cyberattacks are easily detected. Some lie in wait for a period of days, months or even years. "Respond" is the ability to take action to terminate or mitigate a threat. "Recover" is the ability to develop resilience and restore capabilities or services that were impaired as a result of the event.

"Categories" divide functions into groups of outcomes like, for example, "access control" or "intrusion detection". "Subcategories" further divide the category into more specific outcomes - for example "access control by double identification" or "notifications from intrusion detection system are investigated". "Informative references" include specific standards, guidelines and practices common in infrastructure industries, if and to the extent they exist.

Some standards are industry-specific. The North American Electric Reliability Corporation (NERC) has issued standards for the North American electrical distribution grid in the form of CIP (critical infrastructure protection) Version 4, and is beginning to transition to CIP Version 5. The NERC standards were tested in the GridEx II physical security and cybersecurity exercise in November 2013.

The ISO/IEC 27000 family of standards comprises information security standards published jointly by the ISO and the International Electrotechnical Commission. The series is meant to provide an overall information security system, within which cybersecurity risks are addressed. Whereas the NIST Framework is designed to apply in particular to infrastructure systems, the ISO/IEC 27000 family establishes information security management standards that apply generically; they include, for example, standards in respect of leadership, planning, support, operation, performance evaluation and improvement.

It is important to understand that NIST and ISO/IEC 27000 are systems for identifying specific objectives in "best of class" security systems. They may specify, for example, that there be "information transfer policies and procedures", but neither tells you what those policies or procedures should be. These must be determined in the context of each case. NIST and ISO/IEC 27000 are technologically neutral. So too are COBIT and PCI DSS.

COBIT, or Control Objectives for Information Related Technology, is a framework created by the Information Systems Audit and Control Association (ISACA). It is now in its fifth version. Its purpose is to link business goals to IT goals. COBIT operates at a high level as a process model, dividing the subject into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. These subjects are further divided and can be linked to more particularized or detailed standards, such as PCI DSS.

PCI DSS is the Payment Card Industry Data Security Standard. It is a proprietary standard for organizations that handle credit cards, and is administered by the Payment Card Industry Security Standards Council. Now in its third version, the standard specifies 12 requirements for compliance. These include, inter alia, the installation and maintenance of a firewall to protect cardholder data, the encryption of cardholder data in transit across open, public networks, and the restriction of access to cardholder data on a business need-to-know basis.

None of NIST, ISO/IEC 27000, COBIT or PCI DSS constitutes a legal standard. The legal standard of care is the standard that a court considers the defendant should meet, due regard being had not only for relevant technical or process standards, but also for the conduct of the prototypical "reasonable man" or "reasonable company" in like circumstances. In any given case, regimes and frameworks such as NIST, ISO/IEC 27000, COBIT or PCI DSS may or may not constitute part of the standard of care. Much depends on what others in a given industry, or in like industries, consider to be appropriate security processes, methods and regimes.

Legal standards of care can be established by analysis of the activities of industry participants. A report of the SEC's Office of Compliance Inspections and Examinations issued February 3, 2015 in respect of registered broker dealers and investment advisers is an example. The National Exam Risk Alert, Cybersecurity Examination Sweep Summary, found that:

  • 93 per cent of broker-dealers and 83 per cent of advisers had adopted written information security policies;
  • 88 per cent of broker-dealers and 53 per cent of advisers referenced published cybersecurity risk prevention standards, such as the NIST standards or ISO-standards;
  • the vast majority of examined firms conducted periodic risk assessments, on a firm-wide basis, but few applied those requirements to their vendors;
  • 88 per cent of broker-dealers and 74 per cent of advisers stated that they had experienced cyberattacks directly or through one or more of their vendors;
  • almost all of the examined broker-dealers and advisers made use of encryption in some form;
  • 68 per cent of brokers and 30 per cent of advisers had a designated chief information security officer (CISO); and
  • 58 per cent of brokers and 21 per cent of advisers maintained cybersecurity insurance.

Standards of care at law can also be legislated. No Canadian federal or provincial legislation establishes cybersecurity standards of care per se. There are, however, legislated standards of care with respect to private information and health-care information. As cybersecurity breaches often result in the disclosure of personal information, these standards of care are especially important.

Federally regulated workplaces in the private sector are regulated under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to banks listed in Schedules I and II of the Bank Act and to personal information that flows across provincial or national borders. Privacy rights in respect of information collected by federally regulated bodies (including Canada Revenue Agency, the Canadian Space Agency, the National Research Council of Canada, Statistics Canada, and the Treasury Board of Canada) are governed by the federal Privacy Act.

Privacy rights of provincial sector organizations are protected under statutes "substantially similar" to PIPEDA in the provinces of Alberta, British Columbia, and Quebec. PIPEDA applies in those provinces that do not have their own legislation. Each province and territory has its own public sector privacy legislation. In British Columbia, for example, the Freedom of Information and Protection of Privacy Act (FIPPA) sets out access and privacy rights of individuals as they relate to the public sector.

A review of each of these pieces of legislation is beyond our present scope, but a concise review of one is instructive. Under PIPEDA, personal information includes "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization". The combined effect of PIPEDA s. 5 and s. 4.7.1 of Schedule 1 is to require that personal information be protected "by security safeguards appropriate to the sensitivity of the information," including technological measures.

Section 34 of British Columbia's Personal Information Protection Act (BC PIPA) states that "an organization must protect personal information in its custody or under its control by making reasonable security arrangements to manage unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks".

Broad legislative standards such as "reasonable" and "appropriate" arguably do nothing more than invoke the common-law test, where the issue is whether conduct is reasonable, having regard to that which would have been undertaken by a reasonably minded person operating in the same circumstances.

Though not the decision of a court, the Privacy Commissioner's PIPEDA Report on Findings #2014-004 is revealing. In this matter, an individual received a breach notification letter from a third-party provider of ticketing, marketing and fundraising services based in the United States. The letter indicated that her personal information (including name, contact information, and credit card number) had potentially been accessed through a cyberattack. While the individual had no direct relationship with the organization, she had made a purchase from a merchant that used its services.

The letter was part of a broader breach notification effort that included notifying (i) United States law enforcement, (ii) Canadian data protection authorities, including the Privacy Commissioner, and (iii) the organization's clients. Some of the organization's Canadian clients were small businesses, so the organization also opted to contact these clients' customers directly, where this course of action would be the most expedient means of notification. After receiving a notification letter, the individual filed a complaint against the organization under the PIPEDA.

In keeping with requirements of Section 5 and Schedule 1 of the Act, the investigation focused on whether the organization had safeguards in place that were appropriate to the sensitivity of the information at the time of the breach. It noted that the fact that a breach had occurred was not necessarily indicative of a contravention of the Act, as "an organization may have appropriate safeguards in place and still fall victim to a determined, clever and/or innovative attacker".

In this instance, the commissioner found that the organization had numerous technical safeguards in place at the time of the incident that were aimed at preventing and detecting breaches. These included: (i) the use of firewalls, (ii) the hashing and encryption of sensitive information, (iii) separate storage and obfuscation of encryption keys, and (iv) multiple intrusion detection systems (through which the breach was detected). The effectiveness of these safeguards was independently evaluated on a regular basis through external vulnerability scans and an audit of its "at-rest" data protection practices against industry standards.

The commissioner also accepted that "the organization had a vulnerability prevention program in place at the time of the breach; however, the vulnerability that led to the incident was a 'zero-day exploit', meaning it was not publicly known prior to the attack, and as such, the organization could not have had foreknowledge of it".

Given the above, the commissioner found that the organization did have appropriate safeguards in place at the time of the breach. As such, the commissioner rejected the complaint.

While the criterion applied by the commissioner was "appropriateness", it seems clear from the reasons given that "appropriateness" was judged in the context of what was reasonable and what was not. Certainly, a finding that the technologies employed were appropriate necessarily leads to a conclusion that they were reasonable.

A recent decision of the United States District Court in New Jersey is also instructive. In this case an action was brought by a shareholder against the directors and officers of Wyndham Worldwide Corporation for their failure to sue as a result of data breaches pertaining to the company's online networks, during which hackers accessed the personal and financial information of a large number of customers. The court found that the directors had made appropriate inquiries, obtained appropriate advice, and had enough information to make their decision. Their conduct was therefore reasonable in the circumstances, and the action was dismissed.

Wyndham Worldwide is, however, not yet out of the woods. The U.S. Federal Trade Commission commenced injunction proceedings in 2012, alleging that Wyndham's failure to maintain reasonable security allowed intruders to obtain unauthorized access to its computer networks, as well as those of its franchisees, resulting in fraudulent charges on customers' accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to a domain registered in Russia. Proceedings are ongoing.

Therefore, the answer to the question "How much cybersecurity is enough?" depends on the organization, the industry and the threats to which the organization is exposed. An equally important question is, "When do we have enough?" The frank answer to this question is, "Never." Cybersecurity is a process, not a state. As cyber technologies and threats develop, so too do standards of care.

About BLG