Persons who are registered with the Controlled Goods Directorate must notify the Minister of Public Services and Procurement of any actual or potential data breach within 3 days of discovery of the breach. Since the requirement includes potential data breaches, Controlled Goods Registrants should report any hacking incidents, potential data breaches, employees taking company data, loss of USB keys with controlled information, etc. Most companies know about reporting requirements under the Privacy Act, but do not know there is a reporting requirement under the Controlled Goods Regulations.
Paragraph 10(h) of the Controlled Goods Regulations states that:
“Every registration of a person [under the Defence Production Act] is subject to the following conditions: … (h) that the person advise the Minister of any actual or potential security breach in relation to controlled goods within three days after the day on which they discover the breach…”
Failure to report a data breach could result in the suspension of a Controlled Goods registration and shows that the registrant does not know their reporting obligations.
Paragraph 2.8 of the Guideline on Controlled Goods Program registration provides guidance as to what is expected of registrants:
“Registrants must contact the Controlled Goods Program within three days upon discovering a potential security breach. Security breaches must be properly investigated by the registrant’s security organization and corrective action must be taken to prevent any re-occurrence. The registrant is best placed to determine the nature of a security incident and whether it constitutes a breach. Security breaches can be categorized as loss, destruction, modification, removal or disclosure, of a controlled good. For example, a security breach can be a known theft or disappearance, appearance of willful damage to or tampering with a controlled good and/or the witnessing of unauthorized persons examining controlled goods.
Any breach of a criminal nature that can be subject to conviction under the Criminal Code must be reported immediately to the authorities having jurisdiction, and in turn, within three days upon discovery to the program.
The security breach report must include at minimum the information listed below:
- date, time and place of the security breach;
- name and contact information (phone, address, fax) of the person making the report;
- nature of event (for example, theft);
- detailed description of incident;
- list of controlled goods involved, including name, description, the controlled goods list entry to the most accurate sub-entry, any identifiers and the quantity involved;
- name and contact information of the person or organization investigating the incident; and
- remedial action taken.
The program will use the information provided to track the incident and take corrective action as required.”
Reporting is required because of the nature of the goods – they are Controlled Goods and this means that the information is sensitive. Controlled Goods are goods on the Controlled Goods List, which is a schedule to the Defence Production Act. Controlled Goods are primarily goods, including components and technical data (including blueprints and technical specifications in paper or electronic format) that have military or national security significance. The Controlled Goods List includes (a) a good of U.S-origin that is a defense article as defined in section 120.6 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations, and (b) a good, other than a good of United States origin, that is manufactured using technical data of United States origin, as defined in section 120.10 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations, (if the technical data is a defense article).
For more information, please contact Cyndee Todgham Cherniak at 416-307-4168 or at Cyndee@lexsage.com. We have posted many articles about export controls, economic sanctions, trade restrictions and controlled goods on the LexSage website.