At a glance.
- Security firm criticizes Canada’s cybersecurity laws as too weak.
- China’s cross-border data transfer rules.
- EPA highlights water system cybersecurity.
Security firm criticizes Canada’s cybersecurity laws as too weak.
As Canada faces a surge in cyberattacks against household names like Sobeys supermarkets and Indigo booksellers, some wonder if a change in legislation could be the answer. CTV spoke with David Shipley, CEO of New Brunswick cybersecurity firm Beauceron Security Inc., to get his perspective. “Our current national cybersecurity strategy is woefully out of date,” Shipley said. “We are way behind our peers in the United States and Europe.” Calling Canada’s current approach to cybersecurity regulation “absolutely toothless,” he says the EU’s General Data Protection Regulation, with its steep penalties and focus on user consent, could be a good template to follow. “It forced companies to take privacy much more seriously,” he says. While an update to Canada’s federal cybersecurity laws is in the works, it’s currently being reviewed and it could be up to three years before any new legislation is enacted.
China’s cross-border data transfer rules.
The Cyberspace Administration of China (CAC) released the final version of the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information at the end of February, and cyber/data/privacy insights offers a primer on what to expect from the new measures. The standard contract is one of three lawful cross-border data transfer mechanisms introduced under China’s Personal Information Protection Law. (Rules for the other two mechanisms – a CAC security assessment, and a certification from a qualified institution – were released in 2022.) The measures state that a personal information handler may use a standard contract to transfer personal information outside China as long as they are not a critical information infrastructure operator. In order to qualify for the standard contract, the handler must also process the personal information of fewer than one million individuals and must not have cumulatively transferred the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals since January 1 of the previous year. They must also conduct a “personal information protection impact assessment,” or PIA, and file the signed standard contract and PIA with the provincial CAC. The information handler’s obligations include notifying data subjects of the details of the cross-border transfer, obtaining a separate consent when necessary, and informing individuals that they are third-party beneficiaries to the standard contract. As for the overseas recipient, they must only process personal information within the scope of the standard contract, and they are required to delete the personal information after the retention period expires. While the measures will take effect on June 1, there will be a six-month grace period.
EPA highlights water system cybersecurity.
On Friday the US Environmental Protection Agency (EPA) released a memorandum on the importance of state-level cybersecurity risk assessments for the nation’s drinking water systems. In an announcement accompanying the memo, the EPA states, “While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor.” The memo offers several approaches to cybersecurity risk assessments, and the EPA can provide technical assistance and resources to help states with implementation upon request. EPA Assistant Administrator for Water Radhika Fox told reporters, “Historically, sanitary surveys have been utilized to protect water utilities from physical vulnerabilities. Under our new cyber memorandum, we have clarified that sanitary surveys must also include cybersecurity, as well as physical security, as essential to being able to deliver clean, safe water.” SC Media notes that the memo was issued one day after the Biden administration released its new national cyber strategy, which emphasizes the need to improve cybersecurity for critical infrastructure.