Skip to main content
Canada’s most-awarded newsroom for a reason
Enjoy unlimited digital access
per week
for 24 weeks
Canada’s most-awarded newsroom for a reason
per week
for 24 weeks
// //

A photo illustration shows the Ashley Madison app displayed on a smartphone in Toronto, Aug. 20, 2015. Love lives and reputations may be at risk after the release of customer data from infidelity website Ashley Madison, an unprecedented breach of privacy likely to rattle users' attitudes towards the Internet.


The widely publicized data breach of extramarital affairs website Ashley Madison last summer not only exposed the e-mail addresses of about 33 million of its users, but also the surprising number who registered for the site using a company account.

The rise of remote employees, flexible work arrangements and bring-your-own-device policies, coupled with a growing expectation for employees to make themselves available by e-mail after hours, has blurred the line between work and personal activities online.

But employee misuse of corporate e-mail accounts, computers and mobile devices has the potential to expose employers and employees to significant legal and security risks. In a recent report, Toronto-based law firm Borden Ladner Gervais LLP (BLG) cited workplace cybersex and IT security among the top 10 legal risks for businesses in 2016.

Story continues below advertisement

"There is clearly less and less distinction between private life and work life," said Justine Laurier, a Quebec-based associate with the labour and employment group at BLG. "It creates new challenges for the employer, but also for the employee, who is not necessarily aware of what an employer can do or monitor when they use the employer's working tools."

Among the workplace e-mail domains revealed in the Ashley Madison hack were those belonging to Canadian public sector employees at the federal, provincial and municipal levels, including the Justice Department and Canada Revenue Agency, as well as members of the RCMP, the Canadian Armed Forces, and at least one MP. In the United States, leaked e-mail addresses belonged to employees of Fortune 500 companies, such as Microsoft Corp., Cisco Systems Inc., Apple Inc. and Bank of America, as well as U.S. government employees.

Ms. Laurier said she has witnessed a sharp increase in Quebec case law over the past five years related to misuse of employer tools such as e-mail addresses, computers and smartphones, a situation she said is at least partly the fault of employers who fail to clearly define appropriate use. "It's a new reality," she said, adding that the issue affects organizations of all shapes and sizes in Canada.

Under Quebec provincial law, employees have a duty of loyalty to protect their employers' reputations, which extends to the employee's cyber-identity and social media activity. As such, Ms. Laurier says Quebec residents can be terminated for engaging in any online activity that might diminish the reputation of their employer, ranging from offensive social media posts, even on personal accounts, to the misuse of company assets, including e-mail addresses.

"It could go against the company's policies, if there's a strict policy on the use of work e-mail," she said. "It could also go against the company's values, depending on the industry or the role of the employee in particular."

Outside of Quebec, there are higher standards for termination, said Andrew Monkhouse, the managing partner and owner of Monkhouse Law, a Toronto-based firm specializing in employment and labour law.

"It's a fine line. If you ruin or hurt the reputation of your employer to a very large degree, it might be cause for termination, but the cause for terminating someone outside of Quebec is a very high standard," he said. "It would have to be directly related to your business."

Story continues below advertisement

Though there is no explicit employer-reputation law in other provinces, Mr. Monkhouse said that employees outside of Quebec can still be terminated as a result of their online activity.

"Someone can say, 'I can't be fired for what I wrote on Twitter because you don't have a policy,' and they're right, they can't be terminated for cause," he said, adding that any non-unionized employee can still be terminated without cause, so long as they're provided sufficient notice and severance pay.

Beyond registering with a work e-mail address for services such as Ashley Madison, which have a clear potential for damaging an employer's reputation, Ms. Laurier suggests that employees are subject to disciplinary action for misusing corporate e-mail accounts to sign up for video streaming websites like Netflix or social media accounts like Snapchat, a popular photo- and video-sharing application.

"If there's a policy on such topics, and then the employer notices the employee is using a work e-mail for personal purposes like registering for Netflix, it can go against the policy," she said, adding that such infractions could lead to disciplinary action but not necessarily termination.

Ms. Laurier adds that employees are often unaware that employers retain the right to access corporate e-mail accounts and company-issued devices at any time. "It's definitely a question of the right of privacy of employees versus the rights of an employer to control or make sure that the employees are performing their job adequately," she said.

Use of corporate e-mail addresses and company-issued devices to register for services like Netflix may seem inconsequential, but the risk it poses to employers is significant, said Addison Cameron-Huff, a Toronto-based technology lawyer.

Story continues below advertisement

"The most serious issue is if people are reusing the same password for services like Ashley Madison as well as for work services," he said, explaining that hackers will try to gain access to company information using leaked corporate e-mail addresses and passwords. "If there's a giant data breach at one of these services, the employer's servers could be at risk."

Mr. Cameron-Huff adds that the wave of widely publicized data breaches in recent years has done little to curb employee misuse of business tools and e-mail accounts.

"I'd like to think it's changed their [employees'] behaviour, but I expect that in future large data breaches, we'll see the same thing," he said. "I don't think a lot of people are treating it as seriously as they should be, even employers."

To protect themselves and their employers, employees should always maintain separate work and personal e-mail accounts, said Mark Nunnikhoven, the Ottawa-based vice-president of cloud and emerging technologies for Trend Micro Inc., a global security software company.

"The good news is that it's relatively simple to keep a strong level of separation between work and home activities, and it starts with your e-mail address, because the e-mail account tends to be the foundation piece of your digital identity," he said.

Mr. Nunnikhoven added that employers should strive to build a corporate culture that takes such issues seriously.

Story continues below advertisement

"It needs to be understood, it needs to be talked about, and there are easy and inexpensive solutions," he said, citing a guest WiFi network for personal devices as one potential solution. "As long as you can clearly communicate what you're doing and why you're doing it to the employees, I think that at least lets everyone make an informed decision about the activities they're going to undertake on company assets."

Maintaining up-to-date policies and providing regular information sessions on appropriate use can also go a long way in ensuring an employer's e-mail domain doesn't appear in the next large-scale data breach.



Top 10 legal challenges for business for Canadian business in 2016, according to Borden Ladner Gervais LLP:

Climate change

Story continues below advertisement

Provincial carbon initiatives, federal targets stemming from the recent climate talks in Paris and advancements in renewable energy technology are poised to have far-reaching effects on Canadian businesses in 2016, even those operating outside the energy sector.

Tax crackdown

A need for tax revenue coupled with a global trend toward tax transparency will allow Canada Revenue Agency to become more aggressive in seeking confidential taxpayer information.

Privacy class actions

The cost of data breaches has risen 23 per cent since 2013, with class actions remaining the preferable option for privacy enforcement.

E-payment fraud

Story continues below advertisement

Digital financial fraud is much more difficult to prevent than in-person fraud, requiring the development of more effective authentication protocols, technology, policies and procedures.

Regulatory purgatory

Regulatory uncertainty following the advent of the Cooperative Capital Market Regulatory System (CCMRS) will make it more difficult to enact hostile takeovers.

Good faith contracts

Honesty is no longer the best policy; it's the law. The Supreme Court of Canada recently established a "general organizing principle" of good-faith contractual performance in common law disputes, mandating that "parties generally must perform their contractual duties honestly and reasonably and not capriciously or arbitrarily."

Trade agreements

Canada's inclusion in the Trans-Pacific Partnership and EU trade agreements will have far-reaching effects on bilateral trade and competition, particularly in the agriculture, manufacturing and service industries.

Regulatory compliance

Regulatory compliance cost Canadian businesses $37.1-billion in 2014, and with the election of a new federal regime and two new provincial governments in 2015, the system is likely to become more complex.

Canada's anti-spam law

Regulatory authorities began enforcing Canada's anti-spam law in 2015, with penalties of up to $1-million for individuals and $10-million for businesses.

Report an error Editorial code of conduct
Tickers mentioned in this story
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies