The online adult dating website Ashley Madison, operated by Avid Life Media Inc (ALM), made headlines last year after it was hacked by a hacker or hacker group called ‘The Impact Team’. The hacker accessed databases and files and posted millions of user accounts and personal information online.
The Acting Australian Information Commissioner and Privacy Commissioner of Canada (Privacy Commissioners) have released a joint investigation report into Ashley Madison’s information handling practices and compliance with the Privacy Act 1988 (Cth) (Privacy Act) and Canadian Personal Information Protection and Electronic Documents Act.
A copy of the investigation report can be found on the Office of the Australian Information Commissioner’s website.
The investigation report raises a number of interesting legal issues. These issues include:
- what the Acting Australian Information Commissioner (Australian Privacy Commissioner) considers to amount to a breach of the Privacy Act
- the extra-territorial application of the Privacy Act
- misleading or deceptive conduct in the context of statements made by an organisation regarding its online data security credentials.
Over the coming weeks we will explore these issues in a three part update.
This week’s update focuses on Ashley Madison’s breaches of the Privacy Act that were identified by the Privacy Commissioners.
Overview of investigation
The Privacy Commissioners’ investigation primarily focused on the adequacy of the safeguards ALM had in place to protect the personal information of its website users. In addition, the investigation also looked at ALM’s information handling practices that may have affected the likelihood or impact of the data breach.
The Privacy Commissioners were particularly concerned about the nature of the personal information ALM held about its users and the risks to those users in the event their personal information was compromised, such as reputational harm. The harm to users and non-users of the Ashley Madison website was a key factor in the Australian Privacy Commissioner’s assessment of whether ALM had breached a number of the Australian Privacy Principles (APPs).
The APPs considered during the investigation
The investigation considered whether ALM had taken:
- reasonable steps to implement practices, procedures and systems to ensure ALM was complying with the APPs (APP 1.2)
- such steps (if any) as are reasonable in the circumstances to ensure that the personal information it collected was accurate, up to date and complete (APP 10.2)
- such steps as were reasonable in the circumstances to protect the personal information it held (APP 11.1)
- steps that were reasonable in the circumstances to destroy or de-identify personal information (APP 11.2).
In summary, the Australian Privacy Commissioner concluded that ALM had breached the APPs listed above for the following reasons:
- no information security framework: ALM did not have an adequate overarching information security framework within which it assessed the adequacy of its information security practices
- no documented information security policies: ALM’s information security framework did not have documented information security policies or practices
- no documented risk management process: ALM did not have risk management processes that were used to periodically assess privacy threats
- poor staff training: ALM did not have adequate all staff training
- poor management of deactivated accounts: ALM held personal information about users who had deactivated their accounts for an indefinite period of time that was unreasonable in the circumstances
- failure to keep information accurate and up to date: ALM did not verify a user’s email during the account registration process, which resulted in ALM collecting unverified email addresses.
The Ashley Madison data breach is a useful case study that highlights the consequences that may arise if an organisation does not implement adequate systems and processes to deal with the use, collection and disclosure of personal information. It is important that an organisation fully understands the nature, quality and sensitivity of the personal information it holds to appropriately protect that information, especially if that personal information is stored electronically.
Important lessons can also be drawn from the Privacy Commissioners’ findings to assist organisations to assess their privacy compliance framework. In particular, the investigation report highlights the importance of an organisation:
- having clear and appropriate processes, procedures and systems to handle information security risks, such as security policies
- having a risk management process that explicitly addresses information security matters
- having risk management processes and information security policies that are informed and supported by adequate expertise (internal or external)
- having adequate privacy and security training for all staff to promote a privacy compliant culture
- considering the nature of the personal information its holds and the foreseeable adverse impact on individuals should that personal information be compromised.
Next week we will look at the extra-territorial application of the Privacy Act. Stay tuned.