The Star’s view: Flirtin’ and hurtin’,
Marvin Gaye may have heard it through the grapevine back in the day. But today, it’s bad vibes from the Dark Web that have left Canadians about to lose their minds over relationships gone sour.
The 9.7-gigabyte data dump of confidential Ashley Madison customer information, courtesy of a blue-nosed band of hackers with a hurt on for “cheating dirt bags,” has the owners of email addresses ending in “.ca” squirming over their errant mouse pads.
Customers of the world’s “leading married dating service for discreet encounters” — the site boasts nearly 39 million worldwide — rue the day they bought into the slogan “Life is Short. Have an affair.” They never counted on signing on for an “outing” as well. The hackers have now shared customers’ names, email addresses, home addresses, sexual fantasies and worse for all the world to snigger at.
So much for putting any faith in a company that traffics in infidelity.
Yet as the Star’s Sunny Freeman reports, this cloud of two-timing gloom has a silver lining, however tarnished. It serves as a cautionary reminder that Canadians tend to take Internet security for granted, and companies have little incentive to let us know when they’ve been hacked. The Toronto-based cheating site is just the latest victim that suddenly has some explaining to do.
But broadly speaking we don’t know how secure corporate Canada is because companies aren’t required to report security breaches. Many don’t, preferring to pull a silken sheet of commercial silence over any unfortunate incidents.
Happily, that will change when the new Digital Privacy Act comes into effect and throws open the bedroom windows, as it were. Passed in June, it requires companies to notify customers speedily about breaches that create “a real risk of significant harm,” and tell customers what they can do to mitigate the damages. Significant harm includes identity theft, financial loss, damage to reputation, damage to a person’s credit rating and loss of property. Companies that violate the act face fines up to $100,000. But the act won’t come into force until Ottawa crafts implementing regulations.
That won’t happen until federal privacy commissioner Daniel Therrien’s office is consulted, along with the private sector and other stakeholders. With a federal election campaign underway, there’s no real timeline. A new government will have to prove it is up to the job.
When the public reporting regulations do come in, however, they should be demanding, and backed up by sufficiently robust fines to compel compliance. Protecting customers’ data is a big investment in terms of time, human resources and money. Most companies know their reputations are on the line and will do the right thing. But some will need a forceful regulatory prod.
Ashley Madison’s rueful clients are the living proof that doing the right thing doesn’t always spring to mind.
Ashley Madison data breach offers lessons for Canada’s corporate sector