Three things you can learn from the Ashley Madison privacy breach

Posted: August 21, 2015 | Last Updated: February 15, 2017

Posted: August 21, 2015

Written by: Andrew Buck

Hackers recently made good on their threat to release data stolen from the Ashley Madison website. It’s the latest development in a massive – and embarrassing – high-profile data breach. Here are three things you can learn from this incident:

  1. Mandatory privacy breach notification isn’t yet in force, in Manitoba (Alberta has mandatory breach notification, but it only applies to business carried on in that province). But, it’s only a matter of time. The federal private sector privacy law has introduced breach notification obligations, but they aren’t yet in force. Manitoba, meanwhile, has its own private sector privacy legislation, which contains breach notification requirements, but this legislation is also not yet in force.
  2. Apparently, many of the email addresses which were used to log in to Ashley Madison came from workplace accounts. While that doesn’t necessarily mean users were using work email to sign up (since third parties could enter others’ email addresses, as a hoax), it suggests that at least some people were using work infrastructure to access Ashley Madison, and, potentially, logging in at their workplace. Since the Supreme Court of Canada has indicated that people have Charter protected rights in their internet browsing habits, this is a good reminder that all workplaces should have acceptable use policies, which clearly communicate to employees what can (and can’t) be done with workplace technology, during work time.
  3. Cyber security insurance is not a new development, but you’d think that high profile breaches like this will continue to raise its profile. There are policies which contemplate and provide protection against hacker attacks. The coverage limits of each policy need to be carefully considered, but the point is, there are insurance products out there which contemplate this sort of loss.


Andrew Buck is a Lawyer at Pitblado Law, whose practice areas include privacy and e-commerce. Please contact Andrew for more information about this, or any other privacy or e-commerce matter.