First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | July 18, 2017

Cybersecurity in a post-Ashley Madison world

Cybersecurity ranks among the top organization-wide risk management issues in both the private and public sectors. Canada is no exception: it has recently witnessed landmark legislative amendments and regulatory activity, as well as an unprecedented increase in privacy-related litigation, damage awards and class action certifications.
In a recent key finding, PIPEDA Report of Findings #2016-005 (Joint investigation of Ashley Madison), the Office of the Privacy Commissioner of Canada provided crucial guidance to organizations on information protection and cybersecurity. In the wake of a high-profile hack of the adult dating website Ashley Madison, and the publication of a significant amount of personal information stolen in that hack, the Commissioner determined that Ashley Madison had not complied with a number of obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Commissioner conducted an in-depth investigation into the breach. Although the Commissioner noted that Ashley Madison had taken a number of positive steps in its response to the incident, the Commissioner was critical of: (a) a lack of multi-factor authentication for remote administrative access to systems, (b) an absence of commonly used preventive and detective measures, and (c) poor key and password management practices (e.g. plain text storage of passwords, including in emails, and encryption keys stored in plain text).
In setting the standard for organizations to follow in future, the Commissioner concluded that organizations that hold sensitive or large amounts of personal information are required under PIPEDA to have a robust security governance framework, including: (a) a documented information security policy; (b) an explicit risk management process — including periodic and proactive assessments of privacy threats, and evaluations of security practices; and (c) privacy and security training for all staff. These findings stand as a rare and significant development in the legal and regulatory expectations and standards for cybersecurity in Canada.
By: Alex Cameron, Partner, Fasken Martineau

