Review and update information security systems regularly.
Primary issue OAIC considered was the adequacy of the safeguards ALM had in place to protect the personal information its users.
If you hold large amounts of personal information of a sensitive nature you must have a coherent governance framework.
Earlier this year, Ashley Madison was in the news for all the wrong reasons.
Avid Life Media Inc, (ALM) operates a number of adult dating websites including Ashley Madison. Ashley Madison is targeted at people seeking to participate in an affair. ALM is headquartered in Canada, but its websites have a global reach, with users in over 50 countries, including Australia.
On 15 July, a person or group identifying itself as ‘The Impact Team” announced that it had hacked ALM. The Impact Team threatened to expose the personal information of Ashley Madison users unless ALM shut down Ashley Madison.
ALM did not agree to the demand. On 20 July 2015, following media reports and after an invitation from the Office of the Privacy Commissioner of Canada (OPC), ALM reported the breach to the OPC.
On 18 and 20 August 2015, The Impact Team published information it claimed to have stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.
Given the scale of the data breach, the Office of the Australian Information Commissioner (OAIC) and the OPC commenced a joint investigation of ALM’s privacy practices at the time of the data breach. The report of that joint investigation was issued on 24 August 2016 can be found here.
The primary issue under consideration was the adequacy of the safeguards ALM had in place to protect the personal information its users.
Key findings included:
- Although ALM had a range of personal information security protection in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security.
- Organisations holding sensitive personal information or a significant amount of personal information should have information security measures including:
- A security policy;
- An explicit risk management process that addresses information security matters, drawing on adequate expertise; and
- Adequate privacy and security training for all staff.
- It is not sufficient for any organisation that holds large amounts of personal information of a sensitive nature to address information security without an adequate and coherent governance framework.
- ALM retained information about users with deactivated, inactive and deleted profiles for longer than was needed to fulfil the purpose for which it was collected.
Recommendations for ALM to address these findings included:
- by 31 December 2016, conduct a comprehensive review of the protections it has in place to protect personal information;
- by 31 May 2017, augment its information security framework to an appropriate level and implement that framework;
- by 31 May 2017, adequately document that framework and its information security processes generally;
- take steps to ensure that staff are aware of and follow security procedures (ALM has reported completion of this recommendation); and
- by 31 July 2017, provide a report from an independent third party documenting the measures it has taken to come into compliance with the above recommendations or provide a detailed report from a third party, certifying compliance with a recognised privacy/security standard satisfactory to the OPC and OAIC.
Presumably if ALM does not comply with these recommendations, ALM could be subject to further penalties. It is certain to be an expensive exercise for them – not to mention the bad publicity.
If ALM had not been hacked, it is unlikely that the inadequacy of their privacy safeguards would have come to the attention the OPC and OAIC. The risk of being hacked is very real. Especially in the case of organisations that hold large amounts of personal information of a sensitive nature, it is vital that they review and update information security systems regularly.
Post by John Kell