Canada’s Budget Says New Laws Will Require Companies to Disclose Cyber Breaches

Details slim, but pending bill would compel private companies to alert feds of successful attacks against critical systems
April 24, 2015 Updated: July 18, 2015

OTTAWA—The government is keeping tight-lipped about pending legislation signalled in the budget that would force some companies to disclose cyber breaches, but a spokesperson for Public Safety Canada says it will focus on “essential systems that Canadians rely on every day.”

The budget mentions the legislation in one sentence on page 327 of the 518-page document.

“Following consultations, new legislation will require operators of vital cyber systems to implement cyber security plans, meet robust security outcomes for their systems and report cyber security incidents to the Government of Canada,” it reads.

Finance Minister Joe Oliver told reporters he could not speak to the specifics of the legislation during a press conference on the budget last Tuesday.

Public Safety spokesperson Josée Sirois wrote in an email Friday that “The pending legislation would only apply to private-sector, federally regulated, cyber systems.”

These are systems used daily and that need protection to ensure national security and public safety, she noted, citing finance and telecommunication sectors as examples.

Operators of those systems would get government support and guidance, including cyber security tools, as well as threat and vulnerability information, Sirois added.

There is no date on when a bill will be tabled, and Sirois wrote that no other information was available. 

“A transparent and inclusive consultation will follow the tabling of the Bill. No obligations will apply until the Bill is passed and regulations are developed and adopted.”