
Top of the Class: New Cybersecurity Program to Certify Privacy-Minded Businesses

August 2019 Privacy Bulletin

On August 14, 2019, the federal government launched a new cybersecurity certification program aimed at helping small and medium-sized businesses protect against cyber threats.

The release of CyberSecure Canada (“CyberSecure”) is just one of the measures implemented by the government following its announcement of the Digital Charter earlier this year. (See McMillan’s summary of the Digital Charter). The certification is intended to further the government’s goal of assisting Canadian businesses in developing trust with consumers and remaining globally competitive in the digital age.

CyberSecure is a voluntary certification program wherein businesses implement numerous basic cyber security controls designed to safeguard against the most common kinds of cyber threats.

These basic cyber security controls are intended to be relatively easy and inexpensive for businesses with fewer than 500 employees and medium risk exposure to implement. Examples of the basic cyber security controls include:

  • Developing an incident response plan to manage cyber security incidents;
  • Implementing a security information and event management system;
  • Enabling automatic updates for software and hardware where available;
  • Configuring and enabling up-to-date anti-virus and anti-malware software;
  • Implementing two-factor authentication;
  • Developing policies regarding passwords;
  • Providing employee awareness training to minimize human error;
  • Backing up and encrypting data;
  • Establishing appropriate perimeter defences, such as firewalls; and
  • Implementing the principle of “least privilege” by providing users with only the minimal functionality required to perform their duties and responsibilities.

The Standards Council of Canada will be responsible for accrediting certification bodies, which will evaluate businesses’ compliance with CyberSecure and grant the certification. Businesses that are found to be in compliance with CyberSecure will be able to display a certification mark or logo on their website or other promotional materials.

The CyberSecure program will be in a pilot phase until a national standard for compliance is established. Businesses can now sign up as “early adopters” to help with the testing and development of the certification process. Those interested in enrolling as early adopters can contact the CyberSecure team at 1-800-328-6189 or by email at

Businesses who do not wish to sign up as early adopters can still get ahead of the curve by beginning to review and implement the basic security controls.

It is also important to note that, while the CyberSecure certification is voluntary, many organizations are required by applicable privacy legislation – including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) – to implement appropriate security safeguards to protect personal information against loss, theft or unauthorized access, disclosure, copying, use or modification. Organizations are therefore advised to continuously evaluate the maturity of their privacy and data security compliance program in the face of ever-evolving threats to cybersecurity and developments in Canadian and international privacy laws.

by Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2019
