Emerging New Global Framework for Critical Infrastructure Cyber Breaches

John P. Beardwood

Three key jurisdictions have successfully launched new legal frameworks targeted at identifying critical infrastructure, imposing security requirements on same, and requiring regulatory reporting where those security requirements are breached (collectively, the “CI Cyber Breach Legislation”):

  • Canada: the Critical Cyber Systems Protection Act (“CCSPA”);
  • EU: Network Infrastructure Security Directive 2.0 (“NIS2 Directive”); and
  • U.S.A.: Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).

In my article “Cyberbreaches in Critical Infrastructure: It’s not just about Personal Data Breaches Anymore”, I review and compare in two parts the details of each of these new legal frameworks:

The first part (Beardwood, CRi 4/2023, 109–114) provides an overview of the legislative background and purpose of CCSPA, CIRCIA and the NIS2 Directive (I.); compares the scope of their application, based on systems and entities (II.) as well as their respective definitions of incidents (III.); and concludes with a comparative analysis of these foundational scope elements of the critical infrastructure cyber breach regime (IV.).

The second part (Beardwood, CRi 5/2023 “online first”) continues the analysis and compares the details of their reporting requirements, with a focus on report content, timing and exceptions (V.); contrasts the approaches to record keeping (VI.) and enforcement (VII.); compares their respective penalty regimes (VIII.); and finally concludes with a brief analysis of the challenges for any company facing a critical infrastructure cyber breach across all three jurisdictions (IX.).

Key Changes

Overall, it is worth noting that this new cyberbreach legislation is thematically very different from the existing personal data/privacy legislation in those jurisdictions.  To point out three major differences:

  • State Resilience:
First, the emphasis of the CI Cyber Breach Legislation is on protecting the state, not individuals. Each item of legislation enumerates a list of services/systems/sectors which are deemed to be of vital/critical importance to the state, and requires that where an organization in that sector suffers a cyber breach, it be a reportable event. Damage to the system itself is of equal, if not greater, importance than damage to the data hosted on those systems.
  • Trigger for Reporting:
Second, and as a consequence, the trigger for reporting is not based on the probability-of-individual-harm test to which we are accustomed under personal data legislation. Rather, the focus is on harm to the business and/or to the applicable critical sector. For example, under CIRCIA, reportable incidents include a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of such information system or network; a serious impact on the safety and resiliency of operational systems and processes; or a disruption of business or industrial operations.
  • Additional Decision Tree:
Finally, prior to the CI Cyber Breach Legislation, the decision tree of an organization suffering from a cyber breach would have started with the simple question: Was personal data involved in the breach? This could trigger potential obligations to report to the regulator and/or notify the affected individuals. Now the second, equally critical question is: Did the breach take place in an organization operating in a “critical infrastructure” sector? If the answer to both is yes, as it is of course quite possible for a critical infrastructure cyber breach to also constitute a personal data breach, then the organization will be required to run both decision trees in parallel.

Key Consequences

This additional complexity leads to important questions. Privacy lawyers are used to advising organizations affected by a privacy breach across multiple jurisdictions, given the different triggers for regulatory reporting, individual notification, etc. That complexity is now multiplied by the need, in many cases, to assess the additional reporting requirements which apply if the client operates in a critical infrastructure sector, and is compounded further still where a critical infrastructure cyber breach takes place across multiple jurisdictions.

On the organizational side, it also raises the question of which internal department should be responsible for critical infrastructure cyber breaches. Is the privacy officer the right officer in this case, or should it be the CTO/CIO? In one recent critical infrastructure cyber breach incurred by a client, one department handled the privacy breach implications, while another handled the critical infrastructure cyber breach analysis. That means a high degree of co-ordination must exist between both departments.

We also note that different threshold tests for reporting to different regulators can lead to awkward results. For example, if an organization reports a cyber breach incident to its applicable critical infrastructure regulator, but does not report it to its privacy regulator simply because the threshold test for the latter was different and was not met, how will the privacy regulator react?

These are all key questions to think about as we come to grips with this burgeoning new critical infrastructure cyber breach regime.

One Final Note …

India has joined the critical infrastructure cyberbreach “club” above, with the issuance of (a) the India Computer Emergency Response Team (“CERT-IN”) mandatory cybersecurity directions under Section 70B of the Information Technology Act, and (b) the related Information Technology (The CERT-IN and Manner of Performing Functions and Duties) Rules, 2013, also issued under Section 70B of the Information Technology Act. In recognition of this framework, I am currently preparing the companion article “Cyberbreaches in Critical Infrastructure: Focus on India” for CRi 6/2023 (December). As this article will outline, in some respects the emerging cyberbreach regime in India is radically different from the emerging regimes in Canada, the United States and Europe, thereby contributing to an increasingly complex new global framework for the regulation of critical infrastructure cyber breaches.
