AI remains top of mind with cybersecurity professionals, as indicated in the recently released ISC2 Cybersecurity Workforce Study, where insights emerged showing that AI is already being used by many organizations, with few having policies in place to safely dictate its use.
However, AI use goes beyond cybersecurity, with Google now showing “AI Overviews” first in response to questions posed on the search engine. In a case of meta – not that Meta – statistics, as of June 2024, global searches for "generative AI" have increased dramatically. According to Statista, Gen AI hasn’t fallen below a 50 index score (a value of 100 is the peak popularity for the term) all year. The lowest it dropped was to a score of 52 on Christmas Eve 2023 – perhaps Santa was looking to see how he could use AI to optimize toy production and delivery?
With the creep of AI into our daily lives, security professionals acknowledge that legislation is a key step to securing this new technology. Since we can’t put AI back in the box, we need to ensure that what came out of the box is secure!
Bill 194 – Strengthening Cyber Security and Building Trust in the Public Sector Act
The government of Ontario, Canada has introduced a new piece of legislation that – if passed – will strengthen cybersecurity programs in the public sector and provide a strong groundwork for the responsible use of AI in public sector entities.
Bill 194 is called the Strengthening Cyber Security and Building Trust in the Public Sector Act. The key components of this bill are:
- Enhancing Digital Security and Trust Act (Proposed EDSTA) which introduces cybersecurity standards, a framework for AI governance and restrictions on processing minors’ personal information for public sector entities
- Amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) which mandate privacy impact assessments and breach reporting and enhance the Information and Privacy Commissioner’s oversight powers
Enhancing Digital Security and Trust Act
The first piece of the Act focuses on cybersecurity and AI systems in public sector entities. This includes schools, government agencies, corporations established by Parliament etc. that are under the FIPPA. There is also language in the bill to indicate the extension of these requirements to entities under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). This includes municipal governments, local boards, municipal services boards, police services boards, as well as public utilities commissions.
These entities may be required to develop or implement cybersecurity programs, set technical standards for security, establish accountability frameworks and processes, put incident disclosure procedures in place and more.
Freedom of Information and Protection of Privacy Act
The second piece of the Act details eleven amendments to the FIPPA – some simply to clarify terminology, others to add reporting requirements, as well as govern the impact of gathering personal information, the security of that information and more.
The changes to the FIPPA are focused on a few primary areas:
- Obligation to protect personal information
- Privacy impact assessments
- Breach of privacy safeguards (reporting and notification requirements)
- Expanding the powers of the Information and Privacy Commissioner (IPC) of Ontario
- Consent for retaining and using ‘customer service information’
AI Legislation Globally
At least 45 American states – as well as Puerto Rico, the District of Columbia and the U.S. Virgin Islands – introduced AI bills this year. The EU has introduced its AI Act, the U.K. has an act currently making its way through the House of Commons and many more are expected in the year ahead.