Avid Life Media, the company that owns the recently hacked infidelity site Ashley Madison, is being investigated by Canada's top information privacy watchdog.
Toronto police said in a press conference on Monday that their investigation will not focus on Avid Life Media, and will instead attempt to track down the hackers. The Office of the Privacy Commissioner of Canada, however, is choosing to put the company under the microscope.
Ashley Madison was breached in July by a hacking group calling themselves the Impact Team. The group posted multiple troves of data from both the site's executives and Ashley Madison's 39 million users—some of whom had paid for a "full delete" feature which appears to not have worked. Unconfirmed suicides possibly linked to the dump have been reported, two of which were acknowledged by Toronto Police on Monday.
The OPC's mandate is to make sure that both Canadian companies and companies operating in Canada comply with the country's Personal Information and Electronic Documents Act (PIPEDA). The legislation limits the kinds of data companies can collect from their customers and requires companies to take reasonable steps to safeguard such data.
"I can tell you that as part of the investigation we would certainly look at the safeguards the organization has in place to protect the personal information in its care," OPC spokesperson Valerie Lawton told me in an email, after clarifying that she could not reveal the full scope of the investigation.
An OPC spokesperson first confirmed the investigation to the Toronto Star in an email on Monday, but declined to comment further.
"There's a lot of open questions," Tamir Israel, a staff lawyer for the Canadian Internet Policy and Public Interest Clinic, told me in an interview. "What they need to get is a reasonable grounds to open an investigation, and that gives them powers to actually compel [Avid Life Media] to say, 'This is how our security systems were set up, here's where there was a gap or wasn't.'"
If a company is found to be in violation of PIPEDA, it could face fines ranging anywhere from a few thousand to tens of thousands of dollars.
However, it's important to note that the OPC itself has no official power to prosecute or even fine organizations. Instead, the office's opinion that a company violated PIPEDA by not protecting its customers could be used as the basis for future action in federal court. The OPC will also be partnering with Australia's privacy watchdog, which has the power to fine offenders more than $1 million.
An OPC investigation, Israel noted, is usually triggered by a formal complaint from a victim, but could also result from "informal" complaints, such as tweets directed at the OPC or popular media coverage. In this case, Lawton said, the OPC initiated its investigation of Avid Life Media due to "the sensitive nature of the information involved, the number of people affected, the global scope of the incident and the fact that the company is based in Canada."
After an investigation is completed, the results may be published by the OPC if they are judged by the commissioner to be in the public interest, Lawton said. These findings may include some details of Ashley Madison's inner workings.
A class action lawsuit has already been filed in Canada against Avid Life Media, seeking damages to the tune of $750 million. Even if OPC's eventual findings don't lead to a lawsuit on their own, they have the potential to influence those proceedings one way or the other, Israel said—for example, if the OPC finds that Ashley Madison's security was completely terrible.
This may prove to be the case; as the Impact Team themselves told Motherboard, "Nobody was watching."
For now at least, it seems like the seriousness of the hack—which was always apparent to its victims—has the potential to lead to serious consequences for Avid Life Media as well.