Ashley Madison Security Breach: Lessons Learned and Valuable Recommendations for all Businesses
On August 22, 2016, the Office of the Privacy Commissioner of Canada (OPC) released an important joint investigation report regarding the Ashley Madison data breach, which exposed the personal information of some 32 million users of the online dating website marketed to people who are married or in committed relationships. As part of its investigation, held jointly with the Australian Information Commissioner, the OPC raised a number of issues regarding the security practices of Ashley Madison’s parent company, Avid Life Media (“ALM”). In its report, the OPC examined the circumstances of the data breach and considered ALM’s information handling practices that may have affected the likelihood or the impact of the data breach. In a section entitled “Takeaways for all Organizations,” the OPC raised a number of key elements and recommendations for all organizations subject to the federal Personal Information and Electronic Documents Act (PIPEDA), especially those that collect, use or disclose potentially sensitive personal information. I have co-authored a short piece in which we discuss and address some of these key takeaways.
Many businesses and organizations may initially not feel concerned with the Ashley Madison security breach, given that they do not manage personal information which is as sensitive as information about users interested in extramarital affairs. However, the takeaways and recommendations contained in the OPC report apply to all organizations. The OPC report sheds light on a number of issues affecting all businesses and organizations, such as the importance of taking the risk of subjective and reputational harm into account; the need to implement safeguards supported by an adequate information security governance framework; the risks associated with charging a fee for the deletion of user profile information; the issues pertaining to the long-term retention of information contained in inactive or deactivated profiles; the importance of email verification; and the impact of false or misleading seals, icons or statements on the validity of consent.
To read the bulletin, click here.
A french version will be available in the coming days.
This content has been updated on August 10, 2017 at 11 h 16 min.