Posted: August 21, 2015
Written by: Andrew Buck
Hackers recently made good on their threat to release data stolen from the Ashley Madison website. It’s the latest development in a massive – and embarrassing – high-profile data breach. Here are three things you can learn from this incident:
- Mandatory privacy breach notification isn’t yet in force in Manitoba (Alberta has mandatory breach notification, but it only applies to business carried on in that province). But it’s only a matter of time. The federal private sector privacy law has introduced breach notification obligations, but they aren’t yet in force. Manitoba, meanwhile, has its own private sector privacy legislation, which contains breach notification requirements, but this legislation is also not yet in force.
- Apparently, many of the email addresses which were used to log in to Ashley Madison came from workplace accounts. While that doesn’t necessarily mean users were using work email to sign up (since third parties could enter others’ email addresses as a hoax), it suggests that at least some people were using work infrastructure to access Ashley Madison and, potentially, logging in at their workplace. Since the Supreme Court of Canada has indicated that people have Charter-protected rights in their internet browsing habits, this is a good reminder that all workplaces should have acceptable use policies which clearly communicate to employees what can (and can’t) be done with workplace technology during work time.
- Cyber security insurance is not a new development, but you’d think that high-profile breaches like this will continue to raise its profile. There are policies which contemplate and provide protection against hacker attacks. The coverage limits of each policy need to be carefully considered, but the point is that there are insurance products out there which contemplate this sort of loss.