Ashley Madison Security Breach: Lessons Learned and Valuable Recommendations for all Businesses

On August 22, 2016, the Office of the Privacy Commissioner of Canada (OPC) released an important joint investigation report regarding the Ashley Madison data breach, which exposed the personal information of some 32 million users of the online dating website marketed to people who are married or in committed relationships. As part of its investigation, held jointly with the Australian Information Commissioner, the OPC raised a number of issues regarding the security practices of Ashley Madison’s parent company, Avid Life Media (“ALM”). In its report, the OPC examined the circumstances of the data breach and considered ALM’s information handling practices that may have affected the likelihood or the impact of the data breach. In a section entitled “Takeaways for all Organizations,” the OPC raised a number of key elements and recommendations for all organizations subject to the federal Personal Information and Electronic Documents Act (PIPEDA), especially those that collect, use or disclose potentially sensitive personal information. I have co-authored a short piece in which we discuss and address some of these key takeaways.

Many businesses and organizations may initially not feel concerned with the Ashley Madison security breach, given that they do not manage personal information which is as sensitive as information about users interested in extramarital affairs. However, the takeaways and recommendations contained in the OPC report apply to all organizations. The OPC report sheds light on a number of issues affecting all businesses and organizations, such as the importance of taking the risk of subjective and reputational harm into account; the need to implement safeguards supported by an adequate information security governance framework; the risks associated with charging a fee for the deletion of user profile information; the issues pertaining to the long-term retention of information contained in inactive or deactivated profiles; the importance of email verification; and the impact of false or misleading seals, icons or statements on the validity of consent.

To read the bulletin, click here.

A French version will be available in the coming days.


This content has been updated on August 10, 2017 at 11 h 16 min.