The Office of the Privacy Commissioner of Canada (‘OPC’), in collaboration with the Office of the Australian Information Commissioner (‘OAIC’), released, on 23 August 2016, a report outlining the results of their joint investigation into the Ashley Madison data breach, which occurred in July 2015 and compromised approximately 36 million user accounts (‘the Report’). Following the investigation, Avid Life Media Inc. (‘ALM’), the company operating the dating website Ashley Madison, entered into an enforceable undertaking with the OAIC and a compliance agreement with the OPC to ensure that its activities comply with the Australian Privacy Act 1988 and the Canadian Personal Information Protection and Electronic Documents Act 2000.
“The Report did not disappoint from a privacy analysis point of view,” Alec Christie, Partner of Digital Law & Privacy at EY, told DataGuidance. “The clear, precise and targeted analysis of key elements of the privacy law in both Australia and Canada will likely be the precedent/benchmark against which future complaints and own motion investigations of organisations will be measured by the OPC and OAIC.”
In relation to information security, the Report notes that ALM confirmed that the trust-marks displayed on the Ashley Madison website’s front page were ‘their own fabrication rather than a validated designation by any third party.’ They included a medal icon labelled ‘trusted security award,’ a lock icon indicating the website was ‘SSL secure’ and a statement that the website offered a ‘100% discreet service.’ In particular, the OPC and OAIC affirmed, ‘These statements and trust-marks appear to convey a general impression to individuals considering the use of ALM’s services that the site held a high standard of security and discretion and that individuals could rely on these assurances.’
The Report also underlines that although ALM had physical, technological and organisational safeguards in place at the time of the breach, it did not have ‘an adequate overarching information security framework within which it assessed the adequacy of its information security.’
Christie noted, “Any organisation holding a significant amount of personal information or any sensitive information cannot meet its obligations under Canadian or Australian privacy laws in respect of information security without an adequate and coherent governance framework. In Australia this is the first time the Privacy Commissioner has put this as forcefully as this. In the past, he has insisted that a privacy management plan (‘PMP’) was best practice. Now, it seems clear that a PMP is fundamental to organisations that collect and/or store significant amounts of personal information or any sensitive information to be able to comply with their security obligations.”
Moreover, the Report addresses other ALM practices, including retaining users’ personal information after profiles had been deactivated or deleted by users or had become inactive, charging users to ‘fully delete’ their profiles, not confirming the accuracy of user email addresses before collecting or using them, and finally ALM’s transparency with users about its personal information handling practices.
Christie concluded, “We encourage you to read the Report, in particular for its analysis of the obligations of information security, deletion and de-identification of personal information, transparency and openness and, most importantly, how basic privacy compliance (i.e. not having a PMP) will no longer be sufficient for most organisations collecting and holding personal information.”
Alice Marini | Privacy Analyst