An affair to remember

Key Points
  • Review and update information security systems regularly.
  • The primary issue the OAIC considered was the adequacy of the safeguards ALM had in place to protect the personal information of its users.
  • If you hold large amounts of personal information of a sensitive nature you must have a coherent governance framework.


Earlier this year, Ashley Madison was in the news for all the wrong reasons.

Avid Life Media Inc (ALM) operates a number of adult dating websites, including Ashley Madison. Ashley Madison is targeted at people seeking to participate in an affair. ALM is headquartered in Canada, but its websites have a global reach, with users in over 50 countries, including Australia.

On 15 July, a person or group identifying itself as "The Impact Team" announced that it had hacked ALM. The Impact Team threatened to expose the personal information of Ashley Madison users unless ALM shut down Ashley Madison.

ALM did not agree to the demand.  On 20 July 2015, following media reports and after an invitation from the Office of the Privacy Commissioner of Canada (OPC), ALM reported the breach to the OPC.

On 18 and 20 August 2015, The Impact Team published information it claimed to have stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.

Given the scale of the data breach, the Office of the Australian Information Commissioner (OAIC) and the OPC commenced a joint investigation of ALM's privacy practices at the time of the data breach. The report of that joint investigation was issued on 24 August 2016 and can be found here.

The primary issue under consideration was the adequacy of the safeguards ALM had in place to protect the personal information of its users.

Key findings included:

  • Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security.
  • Organisations holding sensitive personal information or a significant amount of personal information should have information security measures including:
    • A security policy;
    • An explicit risk management process that addresses information security matters, drawing on adequate expertise; and
    • Adequate privacy and security training for all staff.
  • It is not sufficient for any organisation that holds large amounts of personal information of a sensitive nature to address information security without an adequate and coherent governance framework.
  • ALM retained information about users with deactivated, inactive and deleted profiles for longer than was needed to fulfil the purpose for which it was collected.

Recommendations for ALM to address these findings included:

  • by 31 December 2016, conduct a comprehensive review of the protections it has in place to protect personal information;
  • by 31 May 2017, augment its information security framework to an appropriate level and implement that framework;
  • by 31 May 2017, adequately document that framework and its information security processes generally;
  • take steps to ensure that staff are aware of and follow security procedures (ALM has reported completion of this recommendation); and
  • by 31 July 2017, provide a report from an independent third party documenting the measures it has taken to come into compliance with the above recommendations or provide a detailed report from a third party, certifying compliance with a recognised privacy/security standard satisfactory to the OPC and OAIC.

Presumably if ALM does not comply with these recommendations, ALM could be subject to further penalties.  It is certain to be an expensive exercise for them – not to mention the bad publicity.

If ALM had not been hacked, it is unlikely that the inadequacy of its privacy safeguards would have come to the attention of the OPC and OAIC. The risk of being hacked is very real. Especially in the case of organisations that hold large amounts of personal information of a sensitive nature, it is vital that they review and update information security systems regularly.

Post by John Kell 
