An affair to remember

Key Points
  • Review and update information security systems regularly.
  • The primary issue the OAIC considered was the adequacy of the safeguards ALM had in place to protect the personal information of its users.
  • If you hold large amounts of personal information of a sensitive nature you must have a coherent governance framework.


Earlier this year, Ashley Madison was in the news for all the wrong reasons.

Avid Life Media Inc (ALM) operates a number of adult dating websites including Ashley Madison.  Ashley Madison is targeted at people seeking to participate in an affair.  ALM is headquartered in Canada, but its websites have a global reach, with users in over 50 countries, including Australia.

On 15 July, a person or group identifying itself as ‘The Impact Team’ announced that it had hacked ALM.  The Impact Team threatened to expose the personal information of Ashley Madison users unless ALM shut down Ashley Madison.

ALM did not agree to the demand.  On 20 July 2015, following media reports and after an invitation from the Office of the Privacy Commissioner of Canada (OPC), ALM reported the breach to the OPC.

On 18 and 20 August 2015, The Impact Team published information it claimed to have stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.

Given the scale of the data breach, the Office of the Australian Information Commissioner (OAIC) and the OPC commenced a joint investigation of ALM’s privacy practices at the time of the data breach.  The report of that joint investigation was issued on 24 August 2016 and can be found here.

The primary issue under consideration was the adequacy of the safeguards ALM had in place to protect the personal information of its users.

Key findings included:

  • Although ALM had a range of personal information security protection in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security.
  • Organisations holding sensitive personal information or a significant amount of personal information should have information security measures including:
    • A security policy;
    • An explicit risk management process that addresses information security matters, drawing on adequate expertise; and
    • Adequate privacy and security training for all staff.
  • It is not sufficient for any organisation that holds large amounts of personal information of a sensitive nature to address information security without an adequate and coherent governance framework.
  • ALM retained information about users with deactivated, inactive and deleted profiles for longer than was needed to fulfil the purpose for which it was collected.

Recommendations for ALM to address these findings included:

  • by 31 December 2016, conduct a comprehensive review of the protections it has in place to protect personal information;
  • by 31 May 2017, augment its information security framework to an appropriate level and implement that framework;
  • by 31 May 2017, adequately document that framework and its information security processes generally;
  • take steps to ensure that staff are aware of and follow security procedures (ALM has reported completion of this recommendation); and
  • by 31 July 2017, provide a report from an independent third party documenting the measures it has taken to come into compliance with the above recommendations or provide a detailed report from a third party, certifying compliance with a recognised privacy/security standard satisfactory to the OPC and OAIC.

Presumably if ALM does not comply with these recommendations, ALM could be subject to further penalties.  It is certain to be an expensive exercise for them – not to mention the bad publicity.

If ALM had not been hacked, it is unlikely that the inadequacy of their privacy safeguards would have come to the attention of the OPC and OAIC.  The risk of being hacked is very real.  Especially in the case of organisations that hold large amounts of personal information of a sensitive nature, it is vital that they review and update information security systems regularly.

Post by John Kell 
