Thank you.
My name is Daina Proctor. I'm the Canadian cybersecurity executive with IBM Canada, and it's a pleasure to be with you today speaking on the topic of Bill C-26.
There are three items that I would like to talk about with you today.
The first one is clarifying the core definitions within Bill C-26. Currently, Bill C-26 leaves much of the scope of the legislation to regulations. We believe it's critical to clarify the scope and the definitions in the legislation itself rather than delegate to the regulatory processes. Key terms used in the proposed law, such as “designated operators”, “confidential information” and “security incident”, are either too broadly described or not adequately articulated. We believe this committee should aim to address these definitions as much as possible, as this will enable a common understanding, increase enforceability and speed up the review when it comes time to draft the ensuing regulations.
Second is alignment with international standards. Canada's strategy and approach should be inserted into the collective efforts of our international community. As drafted, Bill C-26 carries various provisions that are not aligned with other mature cybersecurity regimes. The legislation does not differentiate between security levels of breaches. Furthermore, it includes potential incidents within the scope of its incident-reporting obligations, which could serve to overwhelm regulators with unnecessary and unhelpful information and place an unnecessary burden on industry.
The legislation's “immediate” reporting of cyber incidents, without a formal definition as to what would constitute “immediate”, is also problematic. Most jurisdictions allow for a 72-hour reporting window to allow injured parties to understand what has transpired, which in turn ensures that regulators receive a comprehensive report about actual findings.
The court has unfettered and overly broad jurisdiction when, under an act, it can impose criminal conviction, imprisonment terms, uncapped fines and personal liability, with administrative monetary penalties in the amount of $15 million that can accrue. This represents an entirely new regime and significant penalties far above those under other comparable pieces of legislation. The severity of such penalties and the enforcement action that may be taken will invariably create a chilling effect. Respectfully, the enforcement action that may be taken against individuals should be removed, or to the extent that such liability is considered necessary and proportionate, at a minimum there should be a defined standard to demonstrate the objective and substantiated culpability.
Last is avoiding government overreach. While IBM recognizes the need for compliance oversight, we specifically suggest clarification and refinement of the authorized powers belonging to the regulatory authority or persons who have the ability to enforce the provisions: namely, the ability to attend facilities, examine documents and records, and mandate internal audits, as well as unilateral broad discretion to impose remedial actions—all of these. We strongly encourage that these regulatory authorities and government access rights be limited in their scope and limited to certain critical situations that meet specific non-compliance thresholds.
In conclusion, IBM believes that the clarity around key definitions, enhanced harmonization with international standards and clear safeguards from potential government overreach would strengthen Bill C-26's mandate.
Thank you for your time. We welcome and look forward to addressing your questions.