Utility Cybersecurity Transparency and Accountability Act

Full Title:
Nova Scotia Power Cybersecurity Transparency Act

Summary

This bill requires Nova Scotia Power to be more open about how it protects its systems from hacking and other cyber threats. It makes the utility file a yearly public report, face questions at a public hearing, and follow the cybersecurity standards it says it uses. It also sets fines for not following the law and stops the utility from charging customers for certain costs if it failed to comply.

  • Nova Scotia Power must publish an annual cybersecurity report by May 31 each year.
  • The report must outline money spent on cybersecurity, the standards it follows, any breaches (with dates, impacts, and fixes), and future risks and plans.
  • Sensitive technical details can be left out of the public report with the minister’s approval, but a full private version must go to a legislative committee.
  • A legislative committee will hold a yearly hearing and can call Nova Scotia Power to answer questions.
  • The utilities regulator can fine the utility up to $25,000 per day for not following this Act or the reported standards.
  • The utility cannot bill customers for any fines, or for costs from a cyber incident if it failed to follow this Act or its reported standards.

What it means for you

  • Customers

    • You would get a clear, yearly summary of cyber threats the utility faced, what happened, and what was done to fix issues.
    • If the utility breaks this law or its own stated standards, it cannot pass related fines or certain incident costs on to you through power rates.
    • Routine cybersecurity spending may still show up in rates, as with other utility investments, subject to the regulator.
    • Public summaries may omit highly technical details that could create new risks.
  • Small businesses and large power users

    • More transparency on system risks and planned fixes can help with your business continuity planning.
    • You would be protected from paying for the utility’s penalties, or for some incident costs, if the utility was not in compliance.
  • Nova Scotia Power employees and contractors

    • Expect more focus on cybersecurity staffing, training, and incident response.
    • Greater oversight and accountability to the Legislature and the public.
  • Lawmakers and the public

    • A standing committee will review the full report in private and hold a public hearing each year to ask questions and press for improvements.

Expenses

Estimated public cost: minimal direct cost to the province; most costs fall on Nova Scotia Power for reporting and compliance.

  • Nova Scotia Power bears the cost to prepare reports, follow stated standards, and respond to hearings.
  • The regulator may levy fines up to $25,000 per day for violations; the utility cannot recover these fines through customer rates.
  • If a cyber incident occurs and the utility had not complied with this Act or its stated standards, it cannot charge customers for the related costs.
  • Legislative hearings and oversight may require some staff time but do not create a large new program.

Proponents' View

  • Greater transparency builds public trust and keeps pressure on the utility to protect the grid and customer data.
  • Annual hearings create real accountability, not just paperwork.
  • Clear fines and “no pass-through” rules make sure customers are not paying for the utility’s failures.
  • Requiring disclosure of breaches and fixes encourages faster, stronger responses.
  • Aligns the utility’s actions with recognized cybersecurity standards and best practices.

Opponents' View

  • Public reporting, even with redactions, could reveal patterns that help hackers.
  • New reporting and compliance work could add costs that show up in rates for compliant activities.
  • Large daily fines might divert money from actual security upgrades to paying penalties.
  • Tying costs to compliance with self-reported standards could create disputes about what counts as “compliance.”
  • Annual hearings risk politicizing technical security issues and may discourage frank internal assessments.