Should Ontario Require Hospitals, Schools, and Colleges to Report Cyber Attacks?
Official title: Cyber Security Regulation under the Enhancing Digital Security and Trust Act, 2024.
Why This Matters
Use a hospital? Send your kids to public school? Attend college? These organizations hold your personal data—health records, student information, financial details. When they get hacked, your information is at risk. This regulation aims to make sure they're actually prepared for cyber threats and that the government knows when attacks happen.
What Could Change
Hospitals, school boards, children's aid societies, and post-secondary institutions would have to designate a cyber security contact, complete maturity assessments, and report critical incidents to the province. The government says this won't add major costs since many organizations already do this informally. Future phases may add cyber security training requirements.
Key Issues
- Should public sector organizations be required to designate a cyber security point of contact?
- What challenges would organizations face in completing cyber security maturity assessments?
- Should reporting of critical cyber security incidents be mandatory?
- Should future requirements include cyber security education and awareness training?
How to Participate
- Review the proposal details on this consultation page to understand the proposed cyber security requirements.
- Submit your feedback using the Comment on this proposal form by the deadline.
Submit Your Input
Tips for Your Submission
- Where possible, please provide examples or evidence to support your views.
Questions Being Asked (3)
- What existing cyber security practices does your organization have in place?
- What challenges might arise in meeting the proposed requirements?
- What are the potential benefits and challenges of the proposed Cyber Security Regulation?