In June 2017, the Ontario Energy Board (“OEB”) issued for comment a Staff Report to the Board on a Proposed Cyber Security Framework and Supporting Tools for the Electricity and Natural Gas Distributors and a companion white paper titled “Cybersecurity Framework to Protect Access to Electronic Operating Devices and Business Information Systems within Ontario’s Non-Bulk Power Assets”. OEB’s announcement letter explains that the proposed policy and reporting requirements are designed to provide measurable assurances that electricity distributors “address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations”.
The White Paper includes a proposed Cybersecurity Framework, based on the U.S. National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity, which has been widely adopted and endorsed as a foundational cybersecurity resource by many kinds of organizations around the world, including in Canada. The White Paper also includes a Risk Profile Tool to assess an organization’s cyber risk profile.
The White Paper explains that “security and privacy are inextricably linked” and that “security is integral to privacy, because without strong information security measures, privacy breaches will occur”. The White Paper is instructive because the proposed Cybersecurity Framework supplements the NIST Framework with 11 privacy controls – based on the Fair Information Principles embodied in the Canadian Personal Information Protection and Electronic Documents Act and the Privacy by Design methodology – designed to enable organizations to address compliance with Canadian personal information protection laws. The added privacy controls are as follows:
The organization is able to identify: the personal information or customer proprietary information in its custody or control, the organization’s authority for the collection, use and disclosure of the information, and the sensitivity of the information.
Responsibility for the privacy management program has been established.
Senior management is committed to a privacy respectful culture.
A policy is established for collection, use and disclosure of customer personal and proprietary information, including requirements for consent and notification.
A policy is established for retention and disposal of customer personal or proprietary information.
Governance and risk management processes address privacy risks.
Activities and processes that involve the collection, use or disclosure of personal or customer proprietary information are identified.
Privacy impacts are considered when a new process, technology or activity is contemplated.
Documentation is developed to explain the organization’s personal information policies and procedures to staff and customers.
Privacy is included in human resources practices (e.g. privacy training).
Policies for receiving and responding to privacy complaints or inquiries are established and such policies are communicated to customers.
OEB’s announcement letter indicates that the proposed Cybersecurity Framework is expected to be finalized and in place in late 2017.