Recently, the Australian Privacy Commissioner released his report on the Ashley Madison data breach. In July 2015, hackers gained access to Ashley Madison’s systems and published a database containing details of approximately 36 million user accounts. The hackers also stole corporate information, including e-mails, source code and business documents.
In this article we focus on the valuable insights into the Commissioner’s current thinking on the Privacy Act’s “reasonable steps” security obligation, as highlighted in the Ashley Madison investigation report (read our recent article on “reasonable steps” here). The report reinforces that privacy and security governance is an essential component of Privacy Act compliance.
Set out below are four key insights from the Ashley Madison report:
While the Commissioner identified a number of discrete security flaws in Ashley Madison’s systems (summarised in section 2 below), the Commissioner was equally (if not more) concerned with gaps in Ashley Madison’s privacy and security governance procedures that allowed these flaws to persist.
Ashley Madison’s failure to implement a sufficiently robust information security framework was, in and of itself, enough to breach the Privacy Act.
The Commissioner determined that there were critical gaps in Ashley Madison’s security governance and decision-making processes, which meant that Ashley Madison “had no clear way to assure itself that its information security risks were properly managed”. Ashley Madison was therefore unable to demonstrate that it had taken “reasonable steps” from a security perspective.
In particular, three key deficiencies were identified:
The report suggests that the investigators conducted a fairly extensive examination of Ashley Madison’s security governance and decision-making processes, including interviews with the Chief Operating Officer, General Counsel and the VPs of Technology Operations and Support & Service.
The Commissioner also highlighted the importance of appropriate reporting lines within the business, noting that Ashley Madison had strengthened its security governance by appointing a Chief Information Security Officer who directly reported to the CEO (with a “dotted line” to the Board).
In addition to the general deficiencies in Ashley Madison’s security planning framework, the report also calls out a number of specific security flaws in their systems, including:
Exercising his power to conduct an “own motion” investigation under section 40(2) of the Privacy Act, the Commissioner conducted a wide-reaching investigation that extended beyond the facts and circumstances of the breach incident.
The Commissioner also investigated a number of ancillary information handling practices, and examined Ashley Madison’s information collection practices, user verification procedures and data retention policies.
As a result of this broader scope, the Commissioner found that Ashley Madison had not only breached the “reasonable steps” security obligation in Australian Privacy Principle (APP) 11.1 by failing to address specific security flaws listed in section 2 above, but had also breached:
Ashley Madison has given an enforceable undertaking to the Australian Commissioner which requires Ashley Madison to implement a range of new procedures and provide an independent compliance report to the Commissioner. The undertaking preserves the rights of affected individual users to lodge complaints with the Commissioner in connection with the breach.
Ashley Madison’s operating company (Avid Life Media, Inc. (ALM)) is incorporated in Canada, and the investigation was conducted jointly by the Australian and Canadian Privacy Commissioners.
The Australian Commissioner asserted jurisdiction over ALM on the basis that the Ashley Madison website was actively advertised in Australia, featured pages targeted specifically at Australian users, and collected information from Australian residents. The Commissioner held that this was sufficient to enliven the extra-territorial jurisdiction of the Privacy Act, even though ALM had no physical presence in Australia.
The joint nature of the investigation is indicative of the increasingly close working relationship between privacy regulators across jurisdictions, and serves as a timely reminder that internet businesses providing services into Australia must comply with Australian privacy law.
Strong governance is essential to compliance with the “reasonable steps” requirement in APP 11.1, and also to compliance with the overarching obligation under APP 1.2 to implement business processes that ensure compliance with the APPs.
As the Ashley Madison investigation report highlights, organisations will be increasingly expected to demonstrate documented, formal decision-making processes and risk management procedures for privacy and security issues.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.