First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

You are here: Home / Business / Cybersecurity in a post-Ashley Madison world

By | 2 Minutes Read

Cybersecurity in a post-Ashley Madison world

cybersecurityCybersecurity ranks among the top organization-wide risk management issues in both the private and public sector. Canada is no exception. Canada has recently witnessed landmark legislative amendments and regulatory activity, as well as an unprecedented increase in privacy-related litigation, damage awards and class action certifications.
In a recent key finding, PIPEDA Report of Findings #2016-005 – Joint investigation of Ashley Madison, the Office of the Privacy Commissioner of Canada provided crucial guidance to organizations in relation to information protection and cybersecurity. In the wake of a high-profile hack of the adult dating website Ashley Madison, and publication of a significant amount of personal information stolen in the hack, the Commissioner determined that Ashley Madison had not complied with a number of obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Commissioner conducted an in-depth investigation into the breach. Although the Commissioner noted that Ashley Madison had taken a number of positive steps in its response to the incident, the Commissioner was critical of: (a) a lack of multi-factor authentication for remote administrative access to systems, (b) an absence of commonly used preventive and detective measures, and (c) poor key and password management practices (e.g. plain text storage of passwords, including in emails, and encryption keys stored in plain text).
In setting the standard for organizations to follow in future, the Commissioner concluded that organizations that hold sensitive or large amounts of personal information are required under PIPEDA to have a robust security governance framework, including: (a) a documented information security policy; (b) an explicit risk management process — including periodic and pro-active assessments of privacy threats, and evaluations of security practices; and (c) privacy and security training for all staff. These findings stand as a rare and significant development in relation to cybersecurity legal regulatory expectations and standards in Canada.
By: Alex Cameron, Partner, Fasken Martineau

Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Latest posts by Occasional Contributors (see all)

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

About Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Footer

About us

Established in 1995, First Reference provides organizations with practical and authoritative resources to help ensure compliance with constantly changing Canadian legislation and best practice

Main Menu

Stay Connected