In August 2016 the Office of the Australian Information Commissioner (OAIC) published its findings in the Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner.
The findings represent the result of a jointly conducted own-motion investigation by the two regulatory authorities into one of the most highly publicised and notorious data breaches of recent times. The instigation of this investigation is consistent with the suggestion that the OAIC, recently armed with strengthened regulatory powers, is not afraid to use them. However, the sanction imposed on Avid Life Media (ALM) (who operates Ashley Madison and other dating websites) might well be regarded as insignificant when one factors in the reputational damage it has suffered, as well as the potential for future class actions and trade practices litigation, particularly in Canada and the United States.
Ashley Madison is a website that essentially facilitates its users having extramarital affairs. On 15 July 2015, a group identifying itself as ‘The Impact Team’ announced that it had hacked ALM. ALM did not accede to certain demands by the hackers, and on 18 and 20 August 2015 a large number of files were posted online. Information published included users’ names, zip/postal codes, relationship status, gender, height, weight, body type, ethnicity and dates of birth, and a number of optional fields, including ‘My Intimate Desires’, ‘My Perfect Match’, ‘My Personal Interests’ and ‘My Limits Are’. It also included billing information, including the last four digits of credit card numbers.
Key findings by the regulators
With respect to the requirement to safeguard personal information, for the purposes of a ‘reasonable steps’ assessment under Australian Privacy Principle (APP) 11, relevant factors included ‘the quantity and nature of the personal information ALM held, the foreseeable adverse impact on individuals should their personal information be compromised, and the representations made by ALM to its users about security and discretion’ (at ). These matters led to the conclusion that the steps ALM was required to take to comply with its legislative obligations were of a commensurately high level (at ).
As to whether ALM had in fact complied with those reasonable steps obligations, the two Commissioners noted that ALM did have in place a range of security safeguards to protect the personal information it held, and that the attack occurred in spite of those safeguards. The regulators acknowledged that a breach occurring despite safeguards does not of itself establish a contravention of the relevant legislative obligations. Ultimately, however, their finding was that ALM’s security framework was lacking, particularly given the high level of security that ought to have been in place. Specifically, the Commissioners considered (at ) that ALM lacked the ‘cornerstone’ of documented information security policies or practices, an explicit risk management process (including assessments of privacy threats and evaluations of security practices) and adequate staff training to ensure awareness of, and compliance with, their privacy and security obligations.
The conclusion of all this, according to the Commissioners, was that ‘ALM had no clear way to assure itself that its information security risks were properly managed. This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organization that holds sensitive personal information or a significant amount of personal information’ (at ).
Accordingly, the Australian Commissioner found there had been a breach of the requirement under APP 11.1 to take reasonable steps to protect the security of personal information.
The outcome of the joint investigation is that ALM has entered into numerous enforceable undertakings with the Commissioner. An enforceable undertaking is a written agreement between an entity and the Commissioner, provided under section 33E of the Privacy Act 1988 (Cth), and enforceable against ALM in the courts. The matters ALM has agreed to do, by its undertakings, are broadly consistent with the recommendations of the joint report. They include:
- Conducting a comprehensive review of the protections it has in place, and augmenting, implementing and documenting its information security framework;
- Taking steps to ensure that staff are aware of and follow security procedures;
- Ceasing its practice of indefinitely retaining personal information of users whose accounts are deactivated or inactive; and
- Amending its account creation process to allow users to join the Ashley Madison website without providing an email address, or implementing technical measures to enhance the accuracy of email addresses provided.
Of the OAIC’s enforcement powers, accepting enforceable undertakings is regarded as the least serious power available (see the OAIC’s Privacy regulatory action policy, at -). At the most serious end of the scale, the OAIC may apply to a court for a civil penalty order for breach of a civil penalty provision. In the instant case, the OAIC’s determination might be considered a lenient one, having regard to the breaches identified. On the other hand, there is nothing in the joint report to suggest any aggravating factors. Rather, ALM appears to have fully cooperated with both regulators in the conduct of their investigation and to have voluntarily taken remedial steps, including the initial notification of the data breach (not mandatory in Australia at the time), and subsequent steps including the training of its staff and the other measures indicated in the joint report.
What are the lessons learned for entities governed by the Australian Privacy Act?
The joint report, at , states that:
[t]he most broadly applicable lesson is that it is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external).
Organisations should accordingly ensure that they:
- Have an adequate and coherent governance framework, commensurate to the levels of sensitivity of personal information and risks faced, and ensure that this framework is implemented and documented;
- Provide adequate training for all staff members and ensure that staff follow security procedures; and
- Retain personal information only for as long as it is required and, in circumstances where personal information is retained, ensure that this is properly justifiable, and only for the period reasonably necessary.
This article was written by Andrew Miers, Partner.