1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

On May 17, 2017, the US Securities and Exchange Commission (SEC), through its National Exam Program, issued a “Risk Alert” to broker-dealers, investment advisers and investment firms to advise them about the recent “WannaCry” ransomware attack and to encourage increased cybersecurity preparedness. The purpose of the alert, according to the SEC, was to “highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness.”

Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:

  • Cyber-risk Assessment: Five percent of the broker-dealers, and 26 percent of the investment advisers and investment companies examined “did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
  • Penetration Tests: Five percent of the broker-dealers, and 57 percent of the investment companies “did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
  • System Maintenance: All broker-dealers, and 96 percent of investment firms examined “have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.” And only ten percent of the broker-dealers, and four percent of the investment firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The SEC recommends registrants undertake at least two separate tasks: (1) assess supervisor, compliance and/or other risk management systems related to cybersecurity risks; and (2) make any changes, as may be appropriate, to address or strengthen such systems. To assistant registrants, the SEC highlights its Division of Investment Management’s recent cybersecurity guidance, and the webpage of the Financial Industry Regulatory Authority (FINRA), which has links to cybersecurity-related resources.

The SEC cautions that the recommendations described in the Risk Alert are not exhaustive, “nor will they constitute a safe harbor.” Factors other than those described in the Risk Alert may be appropriate to consider, and some factors may not be applicable to a particular firm’s business. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised in the Risk Alert. Ultimately, the “adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”

The SEC recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. However, “appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413), in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct.

According to the ABA, in the “technical landscape of Opinion 99-413,” unencrypted email posed “no greater risk of interception or disclosure than other non-electronic forms of communication.” Although this premise remains true today for routine communication with clients, and the use of unencrypted routine email generally remains an acceptable method of lawyer-client communications, cyber-threats and the proliferation of electronic communications devices have “changed the landscape and it is not always reasonable to rely on the use of unencrypted email.” As an example, the ABA notes that electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Lawyers must therefore, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.

Although the ABA does not provide specific steps for attorneys to take in this regard, it does provide the following considerations as guidance:

Understand the Nature of the Threat

The ABA says that understanding the nature of the threat includes consideration of the sensitivity of the client’s information and whether the client’s matter is a higher risk for cyber intrusion. Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.

Understand How Client Confidential Information is Transmitted and Where It Is Stored

The ABA says a lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information. Every “access point is a potential entry point for a data loss or disclosure.” Every access point, and each device, should therefore be evaluated for security compliance.

Understand and Use Reasonable Electronic Security Measures

Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. What is “reasonable” will vary depending on the facts of each case. The ABA indicates that making reasonable efforts may include “analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions.” A lawyer should also understand and use electronic security measures to safeguard client communications and information, including using secure internet access methods to communicate, access and store client information, using unique complex passwords, changed periodically, implementing firewalls and anti-malware/spyware/antivirus software on all devices, and applying necessary security patches and updates to software when required.

Determine How Electronic Communications About Client Matters Should Be Protected

Different communications require different levels of protection. The ABA recommends that the lawyer and client discuss what levels of security will be necessary for each electronic communication about client matters. For example, if client information is of sufficient sensitivity, the ABA says a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments. Lawyers can also consider the use of well vetted and secure third-party cloud based file storage systems to exchange documents normally attached to emails. Lawyers should also be cautious in communicating with a client if the client uses computers or other devices subject to the access or control of a third party.

Label Client Confidential Information

The ABA recommends lawyers follow the “better practice” of marking privileged and confidential client communications as “privileged and confidential” and using disclaimers in client emails.

Train Lawyers and Nonlawyer Assistants in Technology and Information Security

The ABA recommends lawyers establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.

Conduct Due Diligence on Vendors Providing Communication Technology:

The ABA recommends lawyers examine a vendor’s reference checks and credentials, security protocols and policies, hiring practices, and the use of confidentiality agreements when determining which vendors to use in supplying communications technologies.

Takeaways

Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario.

New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45 day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition of: (1) unencrypted computerized data; or (2) encrypted computerized data and the encryption key that contains personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines encrypted to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted pursuant to the FIPS 140-2 standards, and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”

Takeaways

Cyber threat preparation and monitoring remains the first and best line of defense against data breaches. Dentons helps companies prepare for breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data notification reporting requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and help with the growing need for encryption requirements.

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

A Cautionary Tale Regarding Consent and In-Store Tablets

The Office of the Privacy Commissioner (OPC) recently released a case summary with implications for retailers attempting to obtain consent for privacy-compliance or anti-spam compliance purposes.

Consistent with guidance by the Canadian Radio-television Telecommunications Commission (CRTC) with respect to Canada’s Anti-Spam Legislation, the OPC is taking a harder line with respect to the business records that an organization must retain in order to establish that an individual gave consent. The bottom-line is that the practice of obtaining consent by either having the individual or the salesperson check a box is vulnerable to challenge. Organizations should only use methods of obtaining consent that involve corroborative evidence.

Background

The complaint arose out of a dispute with respect to whether an individual had applied for a co-branded credit card with a retailer. While shopping in a retail store, the complainant was approached to join a loyalty program. The individual provided the salesperson with his driver’s licence as part of the registration.

Later, the individual received a credit card and learned that a credit check had been conducted on him. After obtaining access to the information held by the bank that provided the credit card, the complainant discovered that much of the information on the application was inaccurate and asserted that he had not provided that information to the salesperson. He also argued that he did not check the box on the tablet to permit a credit check.

The OPC concluded that the bank could not establish that it had obtained consent and that the information collected from the complainant was accurate. There was no evidence that the complainant ever saw the tablet screen, provided the information in the application, understood that the information would be used for a credit check or that the individual actually clicked the consent box on the tablet.

No Recognition of Canada Evidence Act

Certainly, the circumstances of this case were suspicious. However, bad facts can make for bad legal interpretations. That seems to be the case here. The OPC appears to believe that organizations must retain independent proof that consent has been obtained. This is similar to guidance form the CRTC’s guidance that oral consent to receive commercial electronic messages must be backed up with an audio recording or third party verification.

This guidance fails to directly engage with the laws of evidence within which both the Personal Information Protection and Electronic Documents Act and Canada’s Anti-Spam Legislation exist.  The Canada Evidence Act specifically contemplates that the business records, including electronic business records, are admissible for the proof of what is recorded in them. While other evidence may raise concerns regarding their accuracy or veracity, as in the case before the OPC, they are not inherently inadequate as the OPC and CRTC seem to suggest. In an informal administrative process such as the one before the OPC, the OPC may be free to ignore the law of evidence. However, this would not be the case before the Federal Court.

The real issue should have been that the organization was unable to establish that it audited compliance of the salespersons such as through secret shoppers or that the organization confirmed the individual’s consent by sending the individual a copy of the application once completed.

Conclusion

Be forewarned: organizations should have some means of corroborating their records when obtaining oral consent from individuals in retail stores in order to avoid problems with the OPC and the CRTC. To access the OPC’s decision, click here: PIPEDA Case Summary 2016-12.

A Cautionary Tale Regarding Consent and In-Store Tablets

The Ashley Madison Breach: Canada-Australia Report of Investigation and Takeaways for all Organizations

On August 23, 2016, the Office of the Privacy Commissioner of Canada (OPC) released its joint report with the Office of the Australian Information Commissioner (OAIC) regarding its investigation of the 2015 Ashley Madison breach.

The report articulates several takeaways for all organizations. However, if there is one key lesson to be learned, it is that the OPC considers a solid information compliance and governance program to include documented policies and procedures. Organization’s safeguards should be adopted with “due consideration of the risks faced” and with a formal framework in order to ensure its proper management.

The following summarizes the report by the OPC and OAIC including several takeaways for all organizations.

The Breach

As many recall, on June 12 2015, a group identified as ‘The Impact Team’ hacked Avid Life Media, Inc. (ALM), headquartered in Toronto, Canada and operator of Ashley Madison and several other dating websites.

It is believed the intrusion took place over several months, beginning with the compromise of an employee’s valid account credentials and used to understand ALM’s systems until ALM’s information technology team detected unusual behavior on July 12. The next day, ALM computers projected warning notices from The Impact Team stating ALM had been hacked and threatened to expose the personal information of Ashley Madison users unless ALM shut down the website. The Impact Team published its actions and threats to the internet on July 19. The OPC contacted ALM soon after, and ALM voluntarily reported the details of the breach. On August 18 and 20, 2015, after its demands were not met, The Impact Team published information allegedly hacked from ALM of approximately 36 million Ashley Madison users from around the world.

The Personal Information Exposed

The sensitive personal information exposed by The Impact Team fell into three main categories:

  1. Profile information that described the users, including names, physical descriptions, date of births, experiences sought through Ashley Madison, details relating to intimate desires, personal and sexual interests.
  2. Account information such as e-mail addresses, security questions and answers and hashed passwords.
  3. Billing information for users who made purchases on Ashley Madison, including real names, billing addresses and the last four digits of credit cards. (Note: As billing information was stored by ALM’s third party processor, it is strongly believed the third party processor was also hacked by The Impact Team).

The sophisticated and targeted hack made it a challenge to determine the extent of the access gained by The Impact Team. ALM reported to the OPC and OAIC, as well as notified affected individuals, that exposed information could also include photos and communications between users.

Canadian and Australian Joint Investigation

The OPC and OAIC did not focus or report any conclusions with respect to the cause of the breach itself. The report is an assessment of the practices by ALM against its obligations under both the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act. The OAIC established an “Australian link” (s.5B(1A) of the Australian Privacy Act)) with the foreign-based ALM as a result of ALM’s targeting of its services to Australians, the collection of personal information of Australian residents and advertising in Australia. The collaboration was made possible by the OPC’s and OAIC’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement

Report of Findings and Takeaways for all Organizations

  1.  Safeguards

Under both PIPEDA and the Australian Privacy Act, organizations must protect personal information by safeguards appropriate to the sensitivity of the information from loss and unauthorized access, use, disclosure, etc. Both jurisdictions require a similar assessment of the risk of harm to individuals. The Commissioners agreed the key risk for users of Ashley Madison was reputational harm.

Discretion and secrecy in being a member of AshleyMadison.com was a central marketing and legal representation to its users. ALM also stated to the OPC and OAIC that protection of its customer’s confidence was a core element of its business. ALM advertised a series of trust-marks including “Trusted Security Award”, “100% Discreet Service” and “SSL Secure Site” on the front page of AshleyMadison.com. It was later discovered some trust-marks were fabricated. Further, the Terms of Service warned users that security and privacy of information could not be guaranteed, a statement many organizations include in their policies. However, the OPC and OAIC found the qualifier in the Terms of Service did not absolve ALM of its obligations.

The Commissioners found ALM lacked appropriate safeguards considering the sensitivity of the personal information. The safeguards adopted by ALM allegedly did not consider the risks individuals could face as a result of unauthorized access.

Key elements ALM’s safeguards allegedly lacked included:

  • a comprehensive information security program expected of an organization collecting and processing such sensitive personal information.
  • documented information security policies and procedures for managing network permissions including critical gaps in security coverage indicative of the absence of documented policies and practices.
  • an adequate intrusion detection system or prevention system , including a security information and event management system in place, or data loss prevention monitoring
  • adequate training for all staff and senior management

Takeaways regarding safeguards for all organizations

  • Organizations should have documented privacy and security practices as part of their compliance program
  • The sensitivity of the personal information collected must be considered when determining and developing an organization’s information and security program
  • Organizations should conduct regular and documented audits and risk assessments
  • Documenting your privacy and security practices can assist your organization identify gaps
  • Training of all employees, including senior management is part of a functional and robust compliance program.

        2. Indefinite Retention and Paid Deletion of User Accounts

Both PIPEDA and the Australian Privacy Act place require limits on the length of time that personal information may be retained and require organizations take reasonable steps to destroy or de-identify information no longer needed for any purpose.

The investigation highlighted that information of deactivated accounts as well as accounts that have not been used for a prolonged period were retained by ALM indefinitely. Further, at the time of the breach, Ashley Madison provided users with two methods to close an account; a basic de-activation that would allow users to re-activate their accounts in the future should they choose to, and a full deletion for a fee of CAD $19 that would delete all personal information within 48 hours (Note: This fee was not disclosed in ALM’s privacy policy or terms of service). However, it was alleged that ALM did not delete all personal information and retained certain financial information in the event of charge backs for a period of up to 12 months following the purchase of a full deletion. ALM presented statistics to the OPC and OAIC that if any chargebacks were to occur, they would happen within 6 months from the date of purchase. Among those affected by the breach were individuals who purchased the full deletion and likely believed their information was destroyed.

The OPC and OAIC had the following findings regarding retention and deletion:

  • ALM had data that the vast majority of users who deactivated their account reactivated it within 29 days. As such, ALM was unable to justify an indefinite retention period of users who deactivated their accounts. Further, it was not clear to users that information would be retained indefinitely.
  • Accounts that have been inactive for prolonged periods were retained indefinitely. While such account users did not provide an affirmative indication of their intent to no longer use their account, justification to retain the personal information diminishes over an extended period of time. Lack of clear retention limits and inability to justify retaining inactive profiles indefinitely contravened PIPEDA and the Australian Privacy Act.

The OPC and OAIC varied in their conclusions regarding the retention of information of users who purchased the full delete option.

  • Under the Australian Privacy Act, ALM is required to destroy or de-identify personal information once it no longer needs it for any primary purpose (deliver its online dating services) and can only retain data for a secondary purpose (reasonably believes is necessary for charge backs to address the risk of fraud ) for a limited time period. ALM provided sound business and legal reasons to retain the financial data to which the OAIC found ALM provided a reasonable basis to retain the financial information for 12 months.
  • The OPC also found ALM satisfied its retention of financial information to prevent chargebacks for 12 months following a full delete (Note: ALM has reduced the retention period to 6 months since the breach), however the OPC found ALM contravened PIPEDA as a result of photo’s that were retained by error following a full deletion.

The OPC found ALM’s practice of charging a CAD $19 fee for withdrawal of consent and full deletion contravened PIPEDA, as ALM did not disclose the fee at the time of sign up, as well, the OPC is not convinced ALM met the high burden to request such a fee. ALM no longer charges a fee for full deletion.

Takeaways regarding deletion and retention for all organizations

  • While PIPEDA is silent on whether organizations may charge a fee to delete their personal information, the OPC has established a high bar in demonstrating such a fee is reasonable.
  • If a fee were reasonable, it must be clearly disclosed and communicated prior to an individual providing consent.
  • Organizations should document retention policies based on a demonstrable rationale and timeline
  • Organizations must clearly disclose and communicate such retention timelines to individuals
  • Organizations should review and audit their practices to ensure information is being deleted and de-identified accordingly.

         3. Accuracy of Email Addresses

Both PIPEDA and the Australian Privacy Act require organizations to take steps to maintain the quality and accuracy of the personal information they collect and use.

ALM collects e-mail addresses in order to create accounts and send confirmation, support and marketing e-mails. ALM’s practice was not to verify e-mail addresses as manner to enhance privacy. Also, ALM feared it would discourage some individuals from signing up. A subset of e-mail addresses involved in the breach belonged to people who never used Ashley Madison. ALM admitted it was aware that some users do no provide their real e-mail addresses when they register, and as such, was in possession of e-mail addresses that belonged to non-users.

Given the sensitivity of the Ashley Madison service and the possible harm a non-user could face, the OPC and OAIC found ALM did not take reasonable steps to ensure the e-mail addresses were accurate. The Commissioners did not agree with ALM’s argument that making the e-mail address field mandatory, but not verified, is a practice of enhancing the privacy of its users. The Commissioners found such approach creates an unnecessary risk in the lives of non-users in order to provide users with a possibility of denying their association with Ashley Madison. The Commissioners highlighted other options available to ALM to address this issue and emphasized that ALM has a responsibility for all information it collects, including considering the personal information provided from a user that does not belong to them (a user providing an e-mail address that is not theirs to register) and must consider the possible harm of the non-user.

Takeaways regarding accuracy for all organizations

  • The level of accuracy required by organizations is impacted by the foreseeable consequences of inaccuracy
  • Organizations must take reasonable steps to ensure information in their possession is accurate
  • Organizations are responsible for all information in their control, including information that belongs to non-users, non-customers or other third parties who did not directly provide their information to the organization.
  • The requirement to maintain accuracy must include considering the interests of all individuals about whom the information might be collected, including non-users, non-customers and other third parties.

           4. Requirement for transparency and informed consent

PIPEDA states that consent is only valid if it is reasonable to expect the individual would understand the nature, purpose and consequences of the collection, use and disclose of the personal information to which they are consenting. PIPEDA also requires organizations to make their handling practices readily available and understandable to individuals.

The OPC analyzed two issues, first whether the privacy practices of ALM were adequate under PIPEDA, and two, whether the privacy practices at the time individuals were consenting to provide their information to ALM was adequate and not obtained through deception.

Generally, the OPC found that while ALM did provide some information about its security safeguards, account closure options and retention practices, critical elements of their practices that would be material to users’ decision to join Ashley Madison were not as clear as they should be. For example:

  • The fabricated “trusted security award” trust-mark
  • Language in the privacy policy and terms and conditions were not consistent regarding retention of personal information and could confuse a user or lead them to expect that inactivity can alone lead to the deactivation or deletion of their information
  • The required fee for a full deletion was not disclosed until after creating an account
  • Users who requested a full deletion were not informed until after they paid the fee that their information would in fact be retained for an additional 12 months

The OPC found ALM did not meet its obligations under PIPEDA to be open and transparent about its policies and practices of its management of personal information. The OPC further found the lack of clarity regarding certain practices could materially impact a prospective user’s informed consent to join Ashley Madison and allow the collection, use and disclosure of their personal information.

Takeaways regarding transparency for all organizations

  • Organizations must be cautious of the representations they make in their privacy policies and terms and conditions
  • Omission or lack of clarity of material statements may also impact the validity of consent. Organizations should make effort to ensure an individual understands the nature, purpose and consequences of their consent.
  • Organizations privacy policies, terms of service and other disclosure of practices should be clear and inform individuals prior to or at the time of consenting.

The Commissioners noted that ALM was cooperative during the investigation. ALM has entered into a compliance agreement with the OPC and an enforceable undertaking with the OAIC. The events of the hack and the report by the Commissioners provide important lessons for all organizations that collect personal information.

To read details of the compliance agreement with the OPC and the steps Avid Life Media has undertaken to take, click here.

The news release released by the OPC on August 23, 2016 can be found here.

The OPC’s summary of takeaways for all organizations can be found here.

To read the full joint report of the investigation by the OPC and OAIC click here.

The Ashley Madison Breach: Canada-Australia Report of Investigation and Takeaways for all Organizations