Canadian Office of the Privacy Commissioner

The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  FTC Chairwoman Edith Ramirez referred to the case as “one of the largest data breaches that the FTC has investigated to date.”

According to the FTC’s complaint, despite Ashley Madison’s representations that it was “100% secure” and “risk free,” the website failed to implement reasonable data security practices.  Specifically, the FTC cited several data security failures, including the lack of a written information security policy, reasonable access controls, employee data security training, or oversight over third-party service providers, and a failure to use “readily available security measures” to monitor its systems.  The complaint also alleged that Ashley Madison staff deceptively created fake profiles as a way to attract users, with no way for users to tell real profiles from fake ones.

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law. The DPA amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), in important respects, including by introducing a new data breach notification requirement (which is not yet in force) and making other material changes to PIPEDA. This post summarizes key changes to PIPEDA brought about by the DPA.