First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Cybersecurity in a post-Ashley Madison world

cybersecurityCybersecurity ranks among the top organization-wide risk management issues in both the private and public sector. Canada is no exception. Canada has recently witnessed landmark legislative amendments and regulatory activity, as well as an unprecedented increase in privacy-related litigation, damage awards and class action certifications.

In a recent key finding, PIPEDA Report of Findings #2016-005 – Joint investigation of Ashley Madison, the Office of the Privacy Commissioner of Canada provided crucial guidance to organizations in relation to information protection and cybersecurity. In the wake of a high-profile hack of the adult dating website Ashley Madison, and publication of a significant amount of personal information stolen in the hack, the Commissioner determined that Ashley Madison had not complied with a number of obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Commissioner conducted an in-depth investigation into the breach. Although the Commissioner noted that Ashley Madison had taken a number of positive steps in its response to the incident, the Commissioner was critical of: (a) a lack of multi-factor authentication for remote administrative access to systems, (b) an absence of commonly used preventive and detective measures, and (c) poor key and password management practices (e.g. plain text storage of passwords, including in emails, and encryption keys stored in plain text).

In setting the standard for organizations to follow in future, the Commissioner concluded that organizations that hold sensitive or large amounts of personal information are required under PIPEDA to have a robust security governance framework, including: (a) a documented information security policy; (b) an explicit risk management process — including periodic and pro-active assessments of privacy threats, and evaluations of security practices; and (c) privacy and security training for all staff. These findings stand as a rare and significant development in relation to cybersecurity legal regulatory expectations and standards in Canada.

By: Alex Cameron, Partner, Fasken Martineau

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at If you liked this post and would like to subscribe to Inside Internal Controls blog click here.

, , , , , , , , , ,

Comments are currently closed.