Life is Short... Sue Everyone: Legal Perspectives on the Ashley Madison hack

The Ashley Madison Hack and the data dump that followed didn’t just fuel the gossip mill – they raised complicated moral and legal questions in both the criminal and civil law arenas.
What are the legal implications for a company that gets hacked? What are the legal implications for those who did the hacking?
What legal recourse do Ashley Madison users have?

Published in: Law
  1. ANNA L. MANLEY amanley@sampsonmcphee.com LEGAL PERSPECTIVES ON THE ASHLEY MADISON HACK: LIFE IS SHORT… SUE EVERYONE
  5. CAST OF CHARACTERS
  8. #Legal
  9. #Information
  10. Criminal Law • Civil Law • Defamation • Family Law • Employment • Privacy Law
  11. HACKERS: What have they done wrong?
  12. HACKERS: Theft • Extortion • Mischief • Possession of stolen property • Unauthorized use of credit card data • Interception of private communication • Unauthorized use of a computer
  14. BUDAPEST CONVENTION: Laws (re: unauthorized access) • Search/Seizure • Cooperation • Extradition
  15. BUDAPEST CONVENTION Article 2 - Illegal Access: Intentional access to a computer system without right. (with or without infringing security measures) (with or without intent to obtain data or dishonest intent)
  16. Unauthorized use of a computer 342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right, (a) obtains, directly or indirectly, any computer service; (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system; (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c). 341.1(1) CRIMINAL CODE • Obtain computer service • Intercept any function of a computer system • Uses a computer system with intent to obtain or intercept • Uses / possesses / traffics in or permits another person to have access to a computer password • Fraudulently • without colour of right • Indictable or Summary
  17. Credit: Fox
  18. Credit: Fox
  19. BUDAPEST CONVENTION Article 3 - Illegal Interception: Interception of non-public transmissions of data to / from / within a computer system - without right. (with or without dishonest intent) (with or without connection to another computer system)
  20. Interception of Communications: Interception 184 (1) Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years. 184(1) CRIMINAL CODE • Intercept a private communication • Wilfully • Via: electro-magnetic, acoustic, mechanical or other device • Indictable (max 5 yrs) • Saving provision • Management of system • Protecting the system
  21. Disclosure of information 193 (1) Where a private communication has been intercepted by means of an electro-magnetic, acoustic, mechanical or other device without the consent, express or implied, of the originator thereof or of the person intended by the originator thereof to receive it, every one who, without the express consent of the originator thereof or of the person intended by the originator thereof to receive it, wilfully (a) uses or discloses the private communication or any part thereof or the substance, meaning or purport thereof or of any part thereof, or (b) discloses the existence thereof, is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years. 193(1) CRIMINAL CODE • Discloses the intercepted private communication • Substance or meaning • OR the existence of the private communication • Without the express consent of the originator or the recipient • Wilfully • Indictable (max 2 yrs) • Exemptions
  22. Mischief in relation to computer data (1.1) Everyone commits mischief who wilfully (a) destroys or alters computer data; (b) renders computer data meaningless, useless or ineffective; (c) obstructs, interrupts or interferes with the lawful use of computer data; or (d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it. 430(1.1) CRIMINAL CODE • Destroy / Alter data • Renders data meaningless, useless, or ineffective • Obstructs, interrupts, or interferes with lawful use of computer data or a person • Wilfully • Danger to life - Indictable (max life) • Property - Indictable or Summary
  23. Credit: Warner Brothers
  24. …. hacking is really illegal.
  26. RETRIEVERS OF DATA: What have they done wrong?
  29. Credit: Binary Edge
  30. Credit: Dwaas
  31. “All of our analysis must not expose the users of Ashley Madison (at BinaryEdge privacy is of outmost respect and we do not condone the actions that were performed against the Ashley Madison website).” DISCLAIMER: blog.binaryedge.io
  32. #Legal
  33. Do you want to see? Yeah… No. Credit: Marvel
  34. Possession of property obtained by crime 354 (1) Every one commits an offence who has in his possession any property or thing or any proceeds of any property or thing knowing that all or part of the property or thing or of the proceeds was obtained by or derived directly or indirectly from (a) the commission in Canada of an offence punishable by indictment; or (b) an act or omission anywhere that, if it had occurred in Canada, would have constituted an offence punishable by indictment. 354(1) CRIMINAL CODE • Possess property you know is stolen • Obtained or derived (directly or indirectly) from an indictable offence
  35. Unauthorized use of credit card data (3) Every person who, fraudulently and without colour of right, possesses, uses, traffics in or permits another person to use credit card data, including personal authentication information, whether or not the data is authentic, that would enable a person to use a credit card or to obtain the services that are provided by the issuer of a credit card to credit card holders is guilty of (a) an indictable offence and is liable to imprisonment for a term not exceeding ten years; or (b) an offence punishable on summary conviction. 342 CRIMINAL CODE • Possess / use / traffics credit card data • Data enabling use of credit card • Whether or not data is authentic • Indictable offence
  36. Unauthorized use of computer 342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right, (a) obtains, directly or indirectly, any computer service; (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system; (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c). 341.1(1) CRIMINAL CODE • Uses / possesses / traffics in or permits another person to have access to a computer password • Fraudulently • without colour of right • Indictable or Summary
  37. “TRAFFIC”: Sell • Export / Import • Distribute • Deal with
  38. So…. possessing the data is also illegal.
  43. PIPEDA: Personal Information Protection and Electronic Documents Act, SC 2000, c 5
  45. 4.7 Principle 7 — Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. 4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held. 4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4. 4.7.3 The methods of protection should include (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption. 4.7.4 Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information. 4.7.5 Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3). 4.7 PRINCIPLE 7 PIPEDA • Info protected by security safeguards appropriate to sensitivity of info • Protects against theft / unauthorized access • More sensitive >> higher level of protection required • Methods of Protection: includes passwords and encryption
  46. DUTY TO REPORT
  48. USERS: What can the users do?
  49. …
  50. Credit: The International Consortium of Investigative Journalists (ICIJ)
  51. Credit: Aly Song/Reuters
  52. CAN JACKIE CHAN SUE? CAN THE ASHLEY MADISON USERS SUE?
  53. Credit: AMC - “Breaking Bad”
  54. Credit: McDonald’s
  55. Credit: Star Trek (TNG) CBS Television
  56. Credit: The Internet
  58. ?
  59. CLASS ACTION
  60. CLASS ACTION
  61. CLASS ACTION: (1) Scrub Fee (2) Failure to Secure “… the last truly secure space on the Internet.”
  62. Credit: The Walt Disney Company
  63. Credit: The Walt Disney Company
  65. NEGLIGENCE
  67. CLASS ACTION
  68. CLASS ACTION
  69. CLASS ACTION
  72. Common law requirement for encryption of data?
  74. HOW DOES THE PLAY END?
  75. The first thing we do, let's kill all the lawyers. (2 Henry VI, 4.2.59)
  76. ANNA L. MANLEY @nnamanley amanley@sampsonmcphee.com annamanley.blogspot.ca
