Canada: Cybersecurity In A Post-Ashley Madison World

Cybersecurity ranks among the top organization-wide risk management issues in both the private and public sector. Canada is no exception. Canada has recently witnessed landmark legislative amendments and regulatory activity, as well as an unprecedented increase in privacy-related litigation, damage awards and class action certifications.

In a recent key finding, PIPEDA Report of Findings #2016-005 - Joint investigation of Ashley Madison, the Office of the Privacy Commissioner of Canada provided crucial guidance to organizations in relation to information protection and cybersecurity. In the wake of a high-profile hack of the adult dating website Ashley Madison, and publication of a significant amount of personal information stolen in the hack, the Commissioner determined that Ashley Madison had not complied with a number of obligations under the Personal Information Protection and Electronic Documents Act ("PIPEDA").

The Commissioner conducted an in-depth investigation into the breach. Although the Commissioner noted that Ashley Madison had taken a number of positive steps in its response to the incident, the Commissioner was critical of: (a) a lack of multi-factor authentication for remote administrative access to systems, (b) an absence of commonly used preventive and detective measures, and (c) poor key and password management practices (e.g. plain text storage of passwords, including in emails, and encryption keys stored in plain text).

In setting the standard for organizations to follow in future, the Commissioner concluded that organizations that hold sensitive or large amounts of personal information are required under PIPEDA to have a robust security governance framework, including: (a) a documented information security policy; (b) an explicit risk management process — including periodic and pro-active assessments of privacy threats, and evaluations of security practices; and (c) privacy and security training for all staff. These findings stand as a rare and significant development in relation to cybersecurity legal regulatory expectations and standards in Canada.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.