Reporting Cyber Security Incidents To Law Enforcement In Canada: Weighing The Pros And Cons – Privacy Protection | #cybercrime | #computerhacker

The Royal Canadian Mount Police’s (RCMP) National Cybercrime
Coordination Centre coordinates responses to cybercrime and
provides guidance to Canadian police. They are the only federal
organization with the mandate and authority to investigate criminal
offences related to cybercrime and typically investigate
international cybercrime and cybercrime with a national security
implication.

Cybercrimes can be reported to your local police department or
the local RCMP detachment for geographical areas where the RCMP is
the police of jurisdiction.

Pros of reporting cyber security incidents to law
enforcement

1. Legal compliance

Reporting cyber incidents to law enforcement may be mandatory in
certain circumstances under Canadian data protection and privacy
laws, such as the Personal Information Protection and
Electronic Documents Act (PIPEDA).

PIPEDA applies to all businesses engaging in commercial activity
in Canada unless their commercial activity is solely taking place
within Alberta, British Columbia or Quebec, which have provincial
privacy legislation that applies within their jurisdictions.
Organizations subject to PIPEDA shall report to the Privacy
Commissioner and affected individuals:

Alberta and Quebec have similar breach reporting
obligations.

Beyond reporting to the Privacy Commissioner, organizations
subject to PIPEDA that notify an individual of a breach of security
safeguards have further obligations to notify any government
institutions or organizations that the organization believes can
reduce the risk of harm that could result from the breach or
mitigate the harm.

To help, the Office of the Privacy Commissioner of Canada has
created a “What you need to know about mandatory reporting of
breaches of security safeguards” webpage. The page gives
an example of notifying law enforcement if there has been an attack
on your computer system by bad actors that have accessed
customer’s personal information if your organization believes
that law enforcement could help reduce or mitigate the risk of harm
to your customers.

So, while PIPEDA does not require reporting to law enforcement,
it does mandate that organizations consider whether or not
reporting to law enforcement can reduce the risk of harm and then
report the matter to law enforcement if the assessment is
affirmative. Knowingly contravening PIPEDA’s reporting,
notification and record-keeping requirements relating to breaches
of security safeguards is an offence that can be punishable by a
fine.

In Alberta, the Personal Information Protection Act
(PIPA) does not require reporting to law enforcement or other
organizations or even assessing whether reporting to other
organizations could reduce the risk of harm.

However, Alberta’s Office of the Information and Privacy
Commissioner breach report form does include a question that asks
whether the police or any other authorities or organizations have
been notified of the breach. If organizations respond with
“yes,” the form asks for the name and contact information
for each entity notified and the date the notification
occurred.

2. Criminal investigation

One of the most apparent benefits of reporting to law
enforcement is if the cyber security incident involves theft or
criminal activity. Reporting an incident to law enforcement can
trigger a criminal investigation, which can help identify and
apprehend cybercriminals. This can be particularly valuable in
cases involving cyberattacks with malicious intent and ones that
specifically target an organization.

The Canadian Centre for Cyber Security (CCCS) is a federal
agency that encourages organizations to report cyber security
incidents voluntarily. However, reporting a cyber incident will not
launch an immediate law enforcement response. They advise
contacting local police services or the RCMP if a cyber incident is
believed to be an imminent threat to life or of a criminal
nature.

The RCMP and the CCCS co-authored a publication on reporting
cybercrimes, found here.

Cybercrime includes crimes in which technology is the primary
target (e.g. malware on ransomware) or crimes that use technology
as an instrument to commit crimes (e.g. money laundering or fraud).
CCCS and the RCMP encourage reporting to law enforcement and advise
that reporting the incident within 24 hours of discovering it leads
to the best outcomes.

3. Information sharing

Law enforcement agencies often work with cyber security experts
and intelligence agencies, enabling them to share threat
intelligence and collaborate to address cyber threats more
effectively. The Canadian Anti-Fraud Centre (CAFC) collects
information on fraud and identity theft. It is working with the
RCMP National Cybercrime Coordination Centre (NC3) to implement a
new National Cybercrime and Fraud Reporting System for Canadians
and businesses.

Reporting to the CAFC can help link a number of crimes together
in Canada and abroad, progress or complete an investigation, create
reports for crime forecasting, and can help law enforcement, the
public and private sector, and academia to learn more about
cybercrimes and how to prevent them.

For example, the Ontario Provincial Police, RCMP, FBI and
Europol worked together to investigate and ultimately arrest an
individual in Ottawa charged with international cyber security
attacks. Law enforcement agencies have to pool resources to deal
with these types of geographically dispersed threats. This type of
collaboration is only possible if entities affected by cyber
security incidents report the events to law enforcement.

The CACF portal has been operating on a pilot basis as of March
2020. The official launch of the new system is expected to occur in
2023 or early 2024, with it becoming fully operational by the end
of 2024. More information on the CACF portal is available here.

4. Deterrence

By reporting incidents, organizations contribute to the
collective deterrence of cybercriminals. Knowing that they are
being pursued by law enforcement can discourage hackers from
targeting specific entities.

The benefits that arise from information sharing also have a
deterrent impact by making cybercrime less attractive as law
enforcement agencies develop better resources to forecast and track
cybercrimes.

5. Stakeholder satisfaction

An organization may help satisfy its stakeholders that it is
taking all possible steps to remedy a cyber incident by reporting
it to law enforcement.

For example, shareholders, project partners, affected
individuals and other third parties may appreciate knowing that a
matter has been reported to law enforcement so that an
investigation can commence.

Cons of reporting cyber security incidents to law
enforcement

1. Public exposure

Reporting an incident to law enforcement may lead to public
exposure, damaging a company’s reputation and causing a loss of
trust among customers and stakeholders.

Reports of cyber incidents often end up in national or
international media.

2. Resource intensity

Criminal investigations can be resource-intensive, often
requiring time, personnel and financial resources to assist in the
investigation process, provide evidence and engage in legal
proceedings.

This could divert valuable time and resources from the affected
organization’s operations and recovery efforts.

3. Limited control

Once an incident is reported, control over the investigation may
shift partially or entirely to law enforcement, limiting the
organization’s ability to manage the process and potentially
compromising sensitive data.

For example, an investigation can go in various directions that
could uncover other issues with your organization’s cyber
security safeguards. Also, law enforcement could take actions
contrary to your organization’s interests in the interest of
investigating the cyber security incident or a related matter.

4. Information disclosure

Reporting an incident may require organizations to disclose
sensitive information to law enforcement, potentially exposing
trade secrets or proprietary information. Information about your
organization could become part of the public record.

Most information submitted to public bodies in Canada is subject
to “freedom of information” legislation. Law enforcement
organizations are considered public bodies in most Canadian
jurisdictions.

While there are usually exemptions for information related to
law enforcement investigations, once information is provided to law
enforcement, there is always the possibility that it could be
disclosed through a freedom of information request or in the
context of criminal proceedings (should one arise based on a
subsequent investigation).

Learning what steps to take following a cyber security
incident

Deciding whether to report a cyber security incident to law
enforcement in Canada is a complex and consequential choice. It
involves balancing legal obligations, potential benefits in terms
of apprehending cybercriminals and the risks of public exposure and
loss of control over the incident.

Ultimately, the decision should be based on a careful assessment
of the incident’s specific circumstances. Engaging legal
counsel with in-depth experience in cyber security and privacy law
is advisable to navigate this complex terrain and make an informed
decision that best serves the interests of the affected
organization.

Staying informed about legal requirements and understanding the
implications of reporting cyber security incidents is crucial for
organizations seeking to protect themselves and their stakeholders
from cyber threats.

Footnote