The enormity of it, 36 million users' profiles published online, and worst of all, profiles whose owners were or had been subscribers to a dating site based around infidelity, secrecy and discretion.
This was the Ashley Madison data breach of August 2015. On 24 August 2016, the Australian Privacy Commissioner and the Canadian Privacy Commissioner issued their joint investigation report and it is good reading.
The Australian link
Why, you ask, are the Aussies involved when Ashley Madison or Avid Life Media (ALM) is a Canadian company? 670,000 Australians had their information published as part of the breach, and the Australian Privacy Commissioner was able to establish an 'Australian link' under the Privacy Act, sufficient to conclude that ALM was subject to the Australian Privacy Act. Whilst ALM had no physical presence in Australia, it conducted marketing in Australia and collected information from people in Australia.
The primary focus of the joint report was the adequacy of the safeguards ALM had in place to protect the personal information of its users. But what lessons can we learn about both ALM's security protection measures and the way ALM responded?
The response to the data breach
On the one hand, the Privacy Commissioners appeared to see the following actions (post-incident) in a favourable light:
- ALM took immediate steps to contain the breach as quickly as possible, such as shutting down VPN access.
- ALM engaged a cyber-security consultant.
- ALM issued a press release (confirming the breach had occurred) and (later) provided direct written notification by email.
- ALM responded to requests by the privacy regulators on a voluntary basis prior to the initiation of the investigation.
- ALM took 'significant' measures to improve its information security, including a comprehensive review of its framework and creation of documented policies and procedures, and additional training of staff.
- ALM made significant efforts to limit the dissemination of stolen information online, including issuing takedown notices.
On the other hand, the report details a number of inadequacies in the way ALM handled the personal information of its users, including the following:
- Lack of documentation and processes around data security at the time of the breach, including those that covered both preventative and detective measures.
- Lack of transparency around personal information handling practices. For example, users were not informed about how long their information would be retained.
- Lack of certain security safeguards, such as having only one-factor VPN authentication. The regulators considered that, given the amount and sensitivity of the information held, another factor of authentication should have existed for remote access (which is how the hackers entered the system). This could include a biometric step such as a retina scan, or the user being required to have a physical key, login device or other token. This aspect of the findings is very interesting in informing the ICT security practices of any organisation.
- ALM's practice of retaining personal information of its users for an indefinite period after their profiles had been deactivated or were inactive. Upon investigation, the 'reasonable purposes' for which ALM claimed it retained the information did not stack up, as information was required beyond a year (for example, to counter credit card payment disputes) on only a very small percentage of occasions, let alone indefinitely.
- ALM had in some instances charged users to 'fully delete' their profiles, which, especially as users had not been informed of this fact prior to signing up, was a breach of privacy laws in itself.
- ALM had inadequate processes to confirm the accuracy of user email addresses before collecting or using them.
The key message from the regulators was that organisations holding sensitive personal information or a significant amount of personal information should have:
- a security policy or policies;
- a risk management process that addresses security measures, and draws on adequate expertise;
- sufficient privacy and security training for all staff.
When considering the sensitivity of the information, the report recommends conducting a context-based assessment not focused solely on financial loss due to identity theft and fraud, but also on the physical and social well-being at stake, including potential impacts on relationships and reputational risks, embarrassment or humiliation. Obviously, this criterion was highly relevant in the case of the affected ALM users (whether they deserved it or not!).
Outcomes and key messages
Not surprisingly, the conclusion was that ALM was in breach of the Act including Australian Privacy Principles (APP) 1.2 and 11.1. Further to the data breach itself, ALM was found to be in breach of APP 11.2 in relation to the indefinite retention of personal information and APP 10.1 and 10.2 in relation to a failure to take reasonable steps to ensure the accuracy of the email addresses it collected.
ALM has accepted an enforceable undertaking from the Australian Privacy Commissioner, requiring it to do certain things, such as conducting comprehensive reviews, implementing an enhanced security framework and providing the regulators with a third party report documenting these actions.
The outcome is an important reminder to any business marketing to and collecting personal information of Australians to ensure it has the policies, processes and framework in place to protect the personal information it collects. Having those with appropriate expertise document and review the framework and policies will assist in exposing potential vulnerabilities and other contraventions of the privacy laws, such as policies in relation to the retention and accuracy of personal information held.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.