The Office of the Privacy Commissioner of Canada (OPC) released its Report of Findings and Takeaways for all Organizations yesterday following the conclusion of its investigation into the Ashley Madison data breach that occurred last summer. The investigation was conducted jointly by the OPC and the Office of the Australian Information Commissioner and focussed on four issues: information security; retention and deletion of user accounts; accuracy of email addresses; and transparency.

Among the findings were that the company:

  • had inadequate security safeguards and policies;
  • inappropriately retained some personal information after profiles had been deactivated or deleted by users;
  • failed to adequately ensure the accuracy of email addresses it held including those of both users and non-users of the site; and
  • with respect to transparency, used a fictitious security trustmark, which led to a finding that consent was improperly obtained.

As a result of this investigation, the OPC entered its second compliance agreement under section 17.1(1) of PIPEDA.