Canada’s Federal Privacy Commissioner and Australia’s Privacy Commissioner have concluded in their joint investigation into Ashley Madison’s 2015 data breach that the Toronto-based company had serious faults in its data security. For example, the company had inadequate authentication processes for employees accessing the company’s system remotely, and there were poor password management practices.
The company, which markets itself as discreet service for people seeking to have an affair, has now entered into a compliance agreement with the Canadian Commissioner and signed an undertaking with the Australian Commissioner, making the recommendations enforceable in court.
Canada’s Commissioner, Daniel Therrien, says that the investigation Report offers lessons for all organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), particularly those that collect, use or disclose potentially sensitive personal information.
The Commissioners say that “harm extends beyond financial impacts. Discussions around harm stemming from data breaches often focus on identity theft, credit card fraud, and similar financial impacts. While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long term effect on an individual’s ability to access and maintain employment, relationships, or safety depending on the nature of the information. Reputational harm can also be a difficult form of harm to remediate. Therefore, organizations should carefully consider all potential harms of a breach of personal information in their care.”