After jointly investigating a data breach in July and August 2015 that occurred to a Canadian dating website operator's system, the Australian Privacy Commissioner and the Privacy Commissioner of Canada released a joint report regarding their findings. The affected websites included the Ashley Madison dating website which had users in over 50 countries. Among other disclosures, the unauthorised access resulted in online posting of details from approximately 36 million Ashley Madison user accounts.
The report provides useful tips to organisations to ensure the security of personal information which is held by the organisation. In particular:
- Appropriate privacy safeguards are crucial - organisations must have appropriate privacy safeguards for the type, quantity and sensitivity of personal information they hold and the business they conduct. Appropriate measures include:
- Documented information security policies and practices for managing network permissions which will foster a security aware culture.
- Documented risk management processes about how to determine what security measures are appropriate for the risks faced by the organisation, including periodic and pro-active assessments of privacy threats and evaluations of security practices to ensure they remain appropriate.
- Adequate training for all personnel to ensure they are aware of their specific privacy and security obligations.
- Disclaimers cannot absolve an organisation of its privacy obligations - user terms which state that the security or privacy of information submitted to the website can not be guaranteed, or that users proceed at their risk, can not absolve an organisation of its privacy law obligations.
- Privacy practices must keep up with business change and growth - rapidly growing organisations must also grow their security practices in proportion to the nature and breadth of personal information held and the nature of the risks which the organisation faces.
- Have a proper destruction policy and follow it - organisations should have an appropriate destruction policy giving guidance for destruction such as the retention periods for certain types of information. Technical practices should be reviewed to ensure that personal information which has been marked for destruction is properly destroyed.
- Re-think the need to collect - organisations should consider whether collecting certain personal information is reasonably necessary for the organisation's functions. Where appropriate give people the option not to provide personal information (eg, if appropriate give an alternate option to providing an email address).
- Be transparent about privacy practices - organisations should ensure their terms and conditions appropriately reflect their processes and are not misleading.
In an important example of collaboration between regulators globally, both regulators issued recommendations to Avid Life Media who runs the Ashley Madison website. Ashley Madison has separately entered into a Compliance Agreement with the Canadian regulator and an Enforceable Undertaking with the Australian regulator. Both require Avid Life Media to provide each regulator during 2017 with evidence of its compliance with each document including providing an independent compliance report, and details of the steps it has taken to ensure compliance.
Contributors: Anne-Marie Allgrove, Ju Young Lee