Caught in the (Privacy) Act
The Ashley Madison Data Breach and Investigation Report
27 April 2017
Ashley Madison, a website targeted at people seeking a discreet affair, is now widely known for all the wrong reasons. One of these reasons is its failure to properly secure the personal information of its users in more than 50 countries (including Australia). The findings of a recently released report into the privacy practices of ALM, the company that operates Ashley Madison, provide important lessons for those organisations that hold personal information.
In July 2015 a group called 'The Impact Team' announced they had hacked ALM and threatened to expose the personal information of Ashley Madison users unless the website was shut down. ALM refused and reported the breach to the Office of the Privacy Commissioner of Canada (OPC). On 18 and 20 August 2015, The Impact Team published the account details of about 36 million Ashley Madison users.
Of the accounts released, more than one million belonged to Canadian users and about 670,000 to Australian users. The OPC and the Office of the Australian Information Commissioner (OAIC) jointly investigated ALM's privacy practices and policies at the time of the data breach. The report prepared by the OPC and OAIC provides valuable lessons for businesses, especially those where user privacy (and secrecy) is at the core of their business.
Under the Australian Privacy Act, the test for whether a contravention of the Act has occurred was whether ALM had taken such steps as were reasonable in the circumstances to protect the personal information it held. It's important to keep in mind that a data breach or other security compromise does not necessarily mean that there has been a contravention of the Australian Privacy Act.
Process, Procedures and Systems
The primary lesson from the report is that it's crucial for any business that holds personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks supported by adequate expertise, particularly where the information is sensitive or could cause significant harm to the individuals affected.
When assessing what procedures are reasonable a company should consider the potential risk of harm to individuals from the release of the information.
Key missing features
The Commissioners identified three key elements that ALM's security framework was lacking:
- documented information security policies or practices;
- an explicit risk management process; and
- adequate training to ensure all staff (including senior management) complied with their privacy and security obligations.
What should I look out for?
The report makes a number of observations regarding the particular circumstances in the Ashley Madison Data Breach.
- Indefinite retention and "Pay for Privacy": ALM had a policy of indefinitely retaining information and a "Pay for Privacy" service which forced users to pay to permanently delete their profiles. Neither of these was considered acceptable under the Australian Privacy Act.
- Accuracy of email addresses: ALM's lack of systems for verifying whether an email address was real and associated with an actual user of Ashley Madison exposed potential non-users to reputational harm.
- Transparency with users: ALM failed in a number of instances to obtain their users' fully informed consent.
Who should be notified?
The Australian Federal Government is currently considering legislation creating a serious data breach mandatory notification regime. The draft bill imposes on regulated entities an obligation to notify the OAIC of a 'serious data breach' and to take reasonable steps to notify individuals affected by a breach or, if not practicable, publish the notification provided to the OAIC on its website.
What happens next?
ALM has agreed to address the concerns of the joint report. Some of the undertakings are set out below:
- conduct a comprehensive review of systems in place for protecting information;
- appropriately train staff to follow security procedures;
- cease its practice of indefinite retention of information; and
- amend its account creation process to ensure accuracy of information.
Importantly, ALM has undertaken to confirm to the OPC and OAIC its implementation of each undertaking and to provide all requested documents and information. The Commissioners will be monitoring closely!
Clifford Chance is the legal sponsor of Deloitte Technology Fast 50 Australia and is proud to support Australia's growing technology companies.