As Canadians, we generally don’t define ourselves by what we are but rather what we are not . That is, we are not Americans.
I’m a Canadian. I’ve worked primarily in Canada but I’ve had the great fortune to work with some incredibly talented and driven individuals from Europe, Asia, the Middle East and of course the United States. It has given me perspective and insight that I could never have received by simply reading a book or taking a class.
With an untrained eye, you would be forgiven for not seeing the difference between Canadians and Americans. There are tired tropes about Canadians being too polite, having amazing health care, living in igloos etc. but they are at best outdated and at worst just plain wrong. But how would an outside observer know if these were valid or not?
In this case I might suggest you go to the source and talk to a Canadian.
In a similar vein, if you are a Canadian company looking to expand to the United States… What assumptions do you have that might be incorrect? How would you know? Who would you talk to?
In the world of cybersecurity, the risks are pretty similar regardless of geography. The bad guys aren’t bound by lines on a map, they simply follow the money and direct their attacks to where they think they can get the biggest ROI.
However, geography matters a whole lot to “the good guys!”
Regulatory Compliance Changes from Border to Border
The biggest cybersecurity difference between Canada and the United States is the regulatory landscape. It’s not even that they have separate cybersecurity and privacy laws of their own. At time of writing, they have two completely different approaches to regulating cyber!
Canada has a more top-down, federal approach. While there are provincial privacy laws, the overarching rules are federal with special considerations for financial institutions by the Office of the Superintendent of Financial Institutions (OSFI) and Health Information by the Personal Health Information Protection Act (PHIPA) but are all largely similar and frankly toothless – unless you are a multinational financial institution.
If you are a small-to-medium business looking to work in Ontario or Alberta, there wouldn’t be a huge difference in what you would need to do from either a privacy or security perspective.
Meanwhile, the United States has no single federal data protection law. There is the proposed “American Data Privacy and Protection Act” but it has not been passed.
Currently, there is a mix of different state and sectoral laws that look at specific types of data such as credit data, health information, PII of children, etc. There are an impressive array of acronyms to familiarize yourself with: FERPA, FCRA, HIPAA, GLBA, ECPA, COPPA and VPPA – and that’s before even getting into the handful of existing state laws!
California is a notable exception in that it has adopted the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) which are quite encompassing with very real financial penalties.
In general, it’s important to note that the vast majority of products (with some state-level exceptions) people use every day aren’t regulated in terms of how the data can be used, shared or sold and do not have notification rules if any data is stolen.
Given the latest $3 Billion dollar lawsuit filed against OpenAI and Microsoft for “privacy violations” it would be reasonable to assume that as Generative AI and Large Language Models mature so will the laws…but the direction remains to be seen…
Industry Compliance Is Similar
In both the United States and Canada, SOC 2 is the go-to cybersecurity compliance framework that gives assurance to partners and clients that an organization understands and prioritizes cyber.
Depending on the circumstances, more restrictive and prescriptive requirements with greater oversight (and of course costs) is required. Good examples of these would be ISO 27001 for Europe and FedRAMP/StateRAMP for US government agencies or their partners.
3 Example Strategies for Expanding from Canada to the U.S.
The key to any good strategy (sales, product, technical, or security) is to always have the big picture in view. The easiest short-term move might be to start by focusing on private B2B sales in U.S. states with few regulations; but if you actually want to expand to the entire United States? You’re just kicking the can down the road. You should align your expansion and compliance activities to support your real business plans. You should learn, understand, and implement what foundational pieces will set you up for long-term success. They are worth the time and expense now.
It should of course be noted that any risk related decisions are specific and subject to management insight but understanding your options is always important.
For example;
Sydney’s SaaS Startup
Background
A 45-employee, cloud-native company headquartered in Toronto whose product focuses on large scale procurement processes. All their employees work remotely, are skilled at what they do, making them lean and efficient. Their well thought out architecture allows them to scale in a heartbeat if the right client comes along.
Situation
Sydney’s SaaS Startup is looking to expand outside of Canada into the U.S. market, but it’s a competitive landscape and they want to make sure the potential customer is focused on their product, not checkboxes from their vendor risk management process.
Considerations
Conduct a “Privacy Impact Assessment” to understand what data they have, where it is, and who might care about it.
Understand what level of assurance their potential short and long term customers require.
Align sales goals with product goals and ensure security and privacy are ‘baked’ into the product and technology roadmaps.
Recommendations
It appears that their customers will be large. Not necessarily, ‘enterprise’ level but big enough that they require muscle in their provisioning process. These customers are likely mature and have established vendor risk management processes that will need to be met in order to win a contract.
Given Sydney’s SaaS Startup is a young company and still maturing, focusing on the basics with a roadmap to greater assurance is a good place to start. They completed a privacy impact assessment and confirmed that the data their product requires is not Personally identifiable Information (PII) – meaning that CCPA compliance was unnecessary.
The largest of their customers may also require SOC 2 compliance in order to close the deal. If Sydney’s SaaS Startup wants that business, they need to get compliant. First, an effort should be made to complete a SOC 2 Type 1 before building to a SOC 2 Type 2 to demonstrate they are practicing what they preach as the focus will be on proving they are doing what they said they would.
If the company is interested in government opportunities in the U.S., then compliance with FedRAMP, TX-RAMP, or another StateRAMP will eventually be needed. By keeping the big picture in mind during their move, they could use their SOC 2 program to ramp up to these government regulations by ensuring their SOC 2-compliant cybersecurity program also maps to NIST 800-53 – which all the “ramps” are based on. Thinking ahead like this will save cost over the long term in comparison to completely re-tooling an existing program down the road.
Carl’s Consulting Company
Background
Carl started his architecture and engineering consulting business a few years ago and now boasts a staff of 15 in B.C. that is entirely remote using their personal laptops and phones.
Situation
There is a great opportunity in a government infrastructure project in Texas and they want to make sure they are aware of any privacy or security considerations.
Considerations
No certifications appear required
Thoughtfully answered questionnaires may be work short term but once numbers increase a SOC 2 should be considered
Recommendation
As Carl’s Consulting Company sticks to consulting and does not sell a product (specifically in the cloud), they do not need to comply with TX-RAMP. In the same vein, they only work directly with government contractors so do not collect PII on Texas residents or interact with consumers directly meaning they do not need to comply with the Texas Data Privacy and Security Act.
Some customers will likely require a security questionnaire filled out as part of their vendor management program, which Carl’s Consulting Company should plan on thoughtfully answering to address their concerns. However, as time goes on the company may get too many questionnaires creating a deficit in terms of the pros/cons of spending hours responding to them.
Once this threshold is reached, it would be worth pursuing a SOC 2 that can be more easily shared with clients.
Ernie’s Enterprise
Background
Ernie’s Enterprise produces backend inventory management software and has 750 employees all across Canada. They already have mature processes and practices including the use of company-issued and managed desktops and laptops.
Situation
They are looking to open an office in California to take advantage of the tech talent that can be found there.
Considerations
California has two material privacy laws
The California Consumer Privacy Act (CCPA) regulates consumer data protection
The California Privacy Rights Act (CPRA) expands employers obligations with respect to HR data
Recommendations
As Ernie’s Enterprise is a well-established firm, their processes are mature and practiced. Opening an office in California isn’t enough to affect their product directly as long as there is no personal customer data kept in their software. However, any employees based in California will be protected under CPRA so complying with that regulation is vital.
As a general rule, companies that operate in different locations should carefully map the requirements for each and exceed them wherever possible. Doing this ensures organizational consistency and the flexibility to pursue future opportunities without concern about the costs of re-working foundational processes to comply with new rules.
Conclusion
International business is ferociously complicated. For even two countries that have as much in common as the United States and Canada, there are countless variables to consider – cybersecurity and privacy are just two of them!
The single biggest piece of advice I can leave you with is this:
If you’re a Canadian company focused on showcasing what an amazing product you have to American (or other international) customers, the last thing you want is predictable roadblocks showing up at the 11th hour!
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.