CPCSC Level 1 Self-Assessment Deadline Confirmed for April 2026 — Compliance Kit Publication Imminent
The Canadian Program for Cyber Security Certification (CPCSC) is on track to make Level 1 self-assessment mandatory for all new DND-related procurements starting April 2026. Canada will publish the official Level 1 compliance kit by March 31, 2026, giving contractors the definitive control mapping and evidence requirements needed to complete their self-assessments.
The requirement applies to both prime contractors and subcontractors handling controlled unclassified information (CUI) in the defence supply chain. Cloud infrastructure used to process CUI must be hosted in Canada — a divergence from the U.S. CMMC framework that organizations serving both markets must account for in their system security plans.
Level 2 certification, requiring a third-party assessment by an accredited certification body, becomes mandatory in April 2027. The Standards Council of Canada (SCC) is actively accrediting inspection bodies for Level 2 assessments, building out the Canadian assessor ecosystem. Organizations should not wait for Level 2 timelines — the control implementation work is substantial and the evidence standards are the same across both levels.
The program is based on NIST SP 800-171 Rev 3 and maintains deliberate alignment with U.S. CMMC, allowing Canadian defence contractors operating in both markets to build unified compliance documentation. Organizations that have not begun gap assessments should treat this as an urgent priority.
Source: ISED Canada
Canada Computers Data Breach Exposes 1,284 Customers — Magecart Skimmer Active for 24 Days Before Detection
Canada Computers & Electronics confirmed a Magecart-style card skimmer attack on its retail website that compromised names, billing addresses, email addresses, phone numbers, credit card numbers, expiry dates, and CVV codes for 1,284 guest-checkout customers between December 29, 2025 and January 22, 2026.
A customer reported the suspicious script twice via support tickets, both of which were closed without investigation. The retailer has offered two years of complimentary credit monitoring. The incident underscores a recurring pattern: organizations without continuous web application monitoring and formal incident triage procedures fail to detect supply chain injection attacks until external parties escalate.
- CyberSecure Canada Control 13 (Incident Response Plan) requires documented triage procedures — closing customer reports without investigation fails this control
- PCI DSS 4.0 Requirement 6.4.3 mandates integrity monitoring of payment page scripts, which would have detected the skimmer
- Organizations processing card data should implement Content Security Policy headers and Subresource Integrity checks as baseline defences
CCCS Issues Advisory on Microsoft February Patch Tuesday — Six Zero-Days Actively Exploited
The Canadian Centre for Cyber Security published advisory AV26-111 covering the Microsoft February 2026 Patch Tuesday rollup. Six CVEs were confirmed as actively exploited in the wild, including vulnerabilities in Windows Shell, MSHTML, Office Word, Windows RDP Services, and the Windows kernel.
CISA added all six to its Known Exploited Vulnerabilities (KEV) database on the same day. The Cyber Centre urged all Canadian administrators to apply patches immediately. For organizations pursuing CyberSecure Canada certification, Control 3 (Automatic Patching) requires demonstrated patch deployment within defined timeframes — these actively exploited vulnerabilities should be treated as emergency patches with a 48-hour deployment target.
Organizations should verify that their patch management tooling covers all six affected components and that deployment evidence is captured for audit purposes. The RDP Services vulnerability is particularly concerning for organizations with internet-exposed Remote Desktop infrastructure.
Source: Canadian Centre for Cyber Security
Policy Options: Canada’s Cybersecurity Enforcement Framework Is Inadequate — Structural Reforms Needed
A major policy analysis published by the Institute for Research on Public Policy (IRPP) argued that Canada’s cybersecurity enforcement apparatus is fundamentally under-resourced. The piece highlighted that the CCCS Aventail blocklist — shared with critical infrastructure operators — carries a liability disclaimer that prevents telecom providers from acting on the intelligence.
The analysis called for transforming the RCMP into a high-tech national police service capable of tackling cross-border cybercrime, noting that Canada faces justified international criticism for enforcement gaps. For organizations in regulated industries, the implication is clear: reliance on government-led cyber defence is insufficient. Private-sector organizations must maintain their own detection, response, and recovery capabilities aligned to frameworks such as CyberSecure Canada, ISO 27001, or NIST CSF 2.0.
Source: Policy Options (IRPP)
VIQ Solutions Breach Highlights Supply Chain Risk — Third-Party Vendor Controls Under Scrutiny
VIQ Solutions, a provider of legal transcription services to Canadian courts, suffered a breach when an Indian subcontractor gained unauthorized access to sensitive court transcripts containing security-critical data. Internal staff had flagged the vendor risk as early as August 2025, but those warnings were not acted upon.
The incident is a case study in failed supply chain risk management — a control area that both CPCSC and ISO 27001 address explicitly. CPCSC Level 2 requires organizations to assess and monitor the security posture of subcontractors handling CUI. ISO 27001 Annex A control A.5.19 (Information Security in Supplier Relationships) mandates documented supplier assessment processes and ongoing monitoring.
For organizations in the defence supply chain, this incident reinforces that CPCSC compliance is not limited to internal controls. Third-party and subcontractor risk management must be documented, monitored, and evidenced as part of the overall security posture.
Source: Secur-IT Data
Canada Still Lacks Binding AI Legislation — Voluntary Code of Conduct Draws Criticism
The Canadian Centre for Policy Alternatives published a critique noting that with AIDA (the Artificial Intelligence and Data Act) having died on the order paper in January 2025, Canada still lacks binding federal AI legislation. The new Ministry of Artificial Intelligence and Digital Innovation is pursuing a voluntary code of conduct and sector-specific measures rather than comprehensive law.
The analysis contrasts Canada’s approach with the EU AI Act’s phased enforcement timeline, where penalties are already being issued. For Canadian organizations operating internationally, the practical reality is that the EU AI Act and equivalent frameworks in other jurisdictions create binding obligations regardless of Canada’s domestic timeline.
Organizations should not treat the absence of Canadian legislation as a reason to delay AI governance implementation. ISO/IEC 42001 provides the management system structure that satisfies both current international requirements and anticipated Canadian regulation. Building governance structures now avoids a costly retrofit when legislation eventually arrives.
Source: Canadian Centre for Policy Alternatives
Ontario’s AI Hiring Disclosure Requirement Now in Effect — First Binding AI Transparency Obligation in Canadian Employment Law
Ontario’s Working for Workers legislation now requires employers with 25 or more employees to disclose in public job postings whether AI is used to screen, assess, or select applicants. The definition of AI is broad: any “machine-based system” that infers from input to generate predictions, recommendations, or decisions.
The regulator has not yet provided guidance on specific disclosure language, leaving employers to interpret the requirement. This is the first binding AI transparency obligation in Canadian employment law, and it signals the direction of travel for provincial and federal regulation.
- Applies to all employers with 25+ employees posting jobs in Ontario
- Covers AI used anywhere in the screening, assessment, or selection process
- No prescribed disclosure format — organizations should document their approach and rationale
- ISO 42001 Annex A transparency controls (A.8) provide a framework for building compliant disclosure processes
NIST Marks Two Years of CSF 2.0 — AI Cybersecurity Profile in Development
NIST celebrated the second anniversary of the Cybersecurity Framework 2.0, highlighting the Govern function addition, expanded supply-chain risk management guidance, and the growing suite of community profiles. Notably, NIST is developing a Cybersecurity Framework Profile for Artificial Intelligence, with a preliminary draft workshop held in January 2026.
The AI Cybersecurity Profile will map AI-specific risks to CSF 2.0 functions and categories, providing organizations with a structured approach to managing cybersecurity risks introduced by AI systems. This complements ISO 42001 by focusing specifically on the cybersecurity dimensions of AI — adversarial attacks, model integrity, data poisoning, and AI-augmented threats.
- CSF 2.0’s Govern function aligns directly with ISO 27001 Clause 5 (Leadership) and ISO 42001 Clause 5
- The Transit Cybersecurity Framework Profile (NIST IR 8576) public comment period closed February 23
- CSF 2.0 is widely referenced by Canadian organizations aligning to international cybersecurity best practices
- Organizations can use CSF 2.0 as a crosswalk between CyberSecure Canada, ISO 27001, and CPCSC requirements
Fasken Privacy & Cybersecurity Bulletin — February 2026 Cross-Border Developments
Fasken’s February 2026 Privacy & Cybersecurity bulletin covered key developments across Canada and the EU, including the OPC-CNIL cooperation declaration, Bill C-4 privacy implications, and evolving EU regulatory enforcement. The bulletin highlighted that cross-border privacy obligations are increasingly complex for Canadian organizations with European operations or customers.
The OPC-CNIL cooperation is significant for organizations subject to both PIPEDA and GDPR: coordinated investigations and shared enforcement approaches mean that privacy gaps identified in one jurisdiction may trigger scrutiny in the other. Organizations maintaining ISO 27701 (Privacy Information Management) certification should ensure their privacy impact assessments account for cross-jurisdictional requirements.
Source: Fasken
SOC 2 Industry Shift — Continuous Verification Replacing Point-in-Time Audits
A 2026 Cloud Compliance & Risk Analysis released this week found that 82% of enterprise buyers now demand live security data rather than traditional point-in-time SOC 2 audit reports. The report identifies a critical shift toward “Continuous Verification” and “Identity-Centric Compliance” in SOC 2 auditing.
Traditional SOC 2 assessment frameworks are being deemed insufficient without deep integration with cloud shared-responsibility models and Zero Trust architecture. For Canadian SaaS providers and their auditors, this trend signals that annual SOC 2 Type II reports will increasingly be supplemented by continuous monitoring dashboards and real-time compliance evidence.
Organizations considering SOC 2 alongside ISO 27001 should note that the continuous monitoring expectations align with ISO 27001’s Clause 9 (Performance Evaluation) and the emerging ISAE 3000 guidance for continuous assurance engagements. Building monitoring infrastructure once to serve both frameworks is the efficient approach.
Source: Statvix / US Times Now