Canada: Reporting Cyber Security Incidents To Law Enforcement In Canada: Weighing The Pros And Cons

The Royal Canadian Mount Police's (RCMP) National Cybercrime Coordination Centre coordinates responses to cybercrime and provides guidance to Canadian police. They are the only federal organization with the mandate and authority to investigate criminal offences related to cybercrime and typically investigate international cybercrime and cybercrime with a national security implication.

Cybercrimes can be reported to your local police department or the local RCMP detachment for geographical areas where the RCMP is the police of jurisdiction.

Pros of reporting cyber security incidents to law enforcement

1. Legal compliance

Reporting cyber incidents to law enforcement may be mandatory in certain circumstances under Canadian data protection and privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA applies to all businesses engaging in commercial activity in Canada unless their commercial activity is solely taking place within Alberta, British Columbia or Quebec, which have provincial privacy legislation that applies within their jurisdictions. Organizations subject to PIPEDA shall report to the Privacy Commissioner and affected individuals:

Alberta and Quebec have similar breach reporting obligations.

Beyond reporting to the Privacy Commissioner, organizations subject to PIPEDA that notify an individual of a breach of security safeguards have further obligations to notify any government institutions or organizations that the organization believes can reduce the risk of harm that could result from the breach or mitigate the harm.

To help, the Office of the Privacy Commissioner of Canada has created a "What you need to know about mandatory reporting of breaches of security safeguards" webpage. The page gives an example of notifying law enforcement if there has been an attack on your computer system by bad actors that have accessed customer's personal information if your organization believes that law enforcement could help reduce or mitigate the risk of harm to your customers.

So, while PIPEDA does not require reporting to law enforcement, it does mandate that organizations consider whether or not reporting to law enforcement can reduce the risk of harm and then report the matter to law enforcement if the assessment is affirmative. Knowingly contravening PIPEDA's reporting, notification and record-keeping requirements relating to breaches of security safeguards is an offence that can be punishable by a fine.

In Alberta, the Personal Information Protection Act (PIPA) does not require reporting to law enforcement or other organizations or even assessing whether reporting to other organizations could reduce the risk of harm.

However, Alberta's Office of the Information and Privacy Commissioner breach report form does include a question that asks whether the police or any other authorities or organizations have been notified of the breach. If organizations respond with "yes," the form asks for the name and contact information for each entity notified and the date the notification occurred.

2. Criminal investigation

One of the most apparent benefits of reporting to law enforcement is if the cyber security incident involves theft or criminal activity. Reporting an incident to law enforcement can trigger a criminal investigation, which can help identify and apprehend cybercriminals. This can be particularly valuable in cases involving cyberattacks with malicious intent and ones that specifically target an organization.

The Canadian Centre for Cyber Security (CCCS) is a federal agency that encourages organizations to report cyber security incidents voluntarily. However, reporting a cyber incident will not launch an immediate law enforcement response. They advise contacting local police services or the RCMP if a cyber incident is believed to be an imminent threat to life or of a criminal nature.

The RCMP and the CCCS co-authored a publication on reporting cybercrimes, found here.

Cybercrime includes crimes in which technology is the primary target (e.g. malware on ransomware) or crimes that use technology as an instrument to commit crimes (e.g. money laundering or fraud). CCCS and the RCMP encourage reporting to law enforcement and advise that reporting the incident within 24 hours of discovering it leads to the best outcomes.

3. Information sharing

Law enforcement agencies often work with cyber security experts and intelligence agencies, enabling them to share threat intelligence and collaborate to address cyber threats more effectively. The Canadian Anti-Fraud Centre (CAFC) collects information on fraud and identity theft. It is working with the RCMP National Cybercrime Coordination Centre (NC3) to implement a new National Cybercrime and Fraud Reporting System for Canadians and businesses.

Reporting to the CAFC can help link a number of crimes together in Canada and abroad, progress or complete an investigation, create reports for crime forecasting, and can help law enforcement, the public and private sector, and academia to learn more about cybercrimes and how to prevent them.

For example, the Ontario Provincial Police, RCMP, FBI and Europol worked together to investigate and ultimately arrest an individual in Ottawa charged with international cyber security attacks. Law enforcement agencies have to pool resources to deal with these types of geographically dispersed threats. This type of collaboration is only possible if entities affected by cyber security incidents report the events to law enforcement.

The CACF portal has been operating on a pilot basis as of March 2020. The official launch of the new system is expected to occur in 2023 or early 2024, with it becoming fully operational by the end of 2024. More information on the CACF portal is available here.

4. Deterrence

By reporting incidents, organizations contribute to the collective deterrence of cybercriminals. Knowing that they are being pursued by law enforcement can discourage hackers from targeting specific entities.

The benefits that arise from information sharing also have a deterrent impact by making cybercrime less attractive as law enforcement agencies develop better resources to forecast and track cybercrimes.

5. Stakeholder satisfaction

An organization may help satisfy its stakeholders that it is taking all possible steps to remedy a cyber incident by reporting it to law enforcement.

For example, shareholders, project partners, affected individuals and other third parties may appreciate knowing that a matter has been reported to law enforcement so that an investigation can commence.

Cons of reporting cyber security incidents to law enforcement

1. Public exposure

Reporting an incident to law enforcement may lead to public exposure, damaging a company's reputation and causing a loss of trust among customers and stakeholders.

Reports of cyber incidents often end up in national or international media.

2. Resource intensity

Criminal investigations can be resource-intensive, often requiring time, personnel and financial resources to assist in the investigation process, provide evidence and engage in legal proceedings.

This could divert valuable time and resources from the affected organization's operations and recovery efforts.

3. Limited control

Once an incident is reported, control over the investigation may shift partially or entirely to law enforcement, limiting the organization's ability to manage the process and potentially compromising sensitive data.

For example, an investigation can go in various directions that could uncover other issues with your organization's cyber security safeguards. Also, law enforcement could take actions contrary to your organization's interests in the interest of investigating the cyber security incident or a related matter.

4. Information disclosure

Reporting an incident may require organizations to disclose sensitive information to law enforcement, potentially exposing trade secrets or proprietary information. Information about your organization could become part of the public record.

Most information submitted to public bodies in Canada is subject to "freedom of information" legislation. Law enforcement organizations are considered public bodies in most Canadian jurisdictions.

While there are usually exemptions for information related to law enforcement investigations, once information is provided to law enforcement, there is always the possibility that it could be disclosed through a freedom of information request or in the context of criminal proceedings (should one arise based on a subsequent investigation).

Learning what steps to take following a cyber security incident

Deciding whether to report a cyber security incident to law enforcement in Canada is a complex and consequential choice. It involves balancing legal obligations, potential benefits in terms of apprehending cybercriminals and the risks of public exposure and loss of control over the incident.

Ultimately, the decision should be based on a careful assessment of the incident's specific circumstances. Engaging legal counsel with in-depth experience in cyber security and privacy law is advisable to navigate this complex terrain and make an informed decision that best serves the interests of the affected organization.

Staying informed about legal requirements and understanding the implications of reporting cyber security incidents is crucial for organizations seeking to protect themselves and their stakeholders from cyber threats.

Footnote