Ashley Madison Investigation — Takeaways for all Organizations

The 2015 data breach of the Ashley Madison website, operated by Avid Life Media (ALM — since renamed Ruby Corp.), made headlines due to the scale, sensitivity and prurient nature of the information accessed and disclosed by hackers.  Given the international impact of this incident, a joint investigation was commenced by the Privacy Commissioner of Canada and the Australian Information Commissioner and here is the Report of Findings.

The Report offers lessons for all organizations subject to PIPEDA, particularly those that collect, use or disclose potentially sensitive personal information.  This document sets out some of the key takeaways from the investigation, although organizations are encouraged to review the full Report of Findings for detailed information.

Takeaways — General

Harm extends beyond financial impacts. Discussions around “harm” stemming from data breaches often focus on identity theft, credit card fraud, and similar financial impacts. While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long term effect on an individual’s ability to access and maintain employment, relationships, or safety depending on the nature of the information.  Reputational harm can also be a difficult form of harm to remediate.  Therefore, organizations should carefully consider all potential harms of a breach of personal information in their care, so that they can properly assess and mitigate risks.

For further discussion on online reputation, see “Online Reputation: What are they saying about me?”

Safeguards should be supported by a coherent and adequate governance framework. In the digital economy, many organizations have a business model based primarily on the collection, use and disclosure of significant amounts of (sometimes sensitive) personal information. This includes, for example, social networks, dating websites, credit reporting agencies, and so forth. To meet their obligations under PIPEDA, any organization that holds large amounts of PI must have safeguards appropriate to, among other factors, the sensitivity and amount of information collected. Moreover, such safeguards should be supported by an adequate information security governance framework, to ensure that practices are “appropriate to the risks” and “consistently understood and effectively implemented.” In the context of ALM, the investigation concluded that the lack of such a framework was an “unacceptable shortcoming” which “failed to prevent multiple security weaknesses.” (Paragraph 79)

For further discussion of information governance, see “Getting Accountability Right with a Privacy Management Program.”

Takeaways - Safeguards

Documentation of privacy and security practices can itself be part of security safeguards. The Report of Findings from the ALM investigations highlights the importance of documentation of privacy and security practices, including:

• “Having documented security policies and procedures is a basic organizational security safeguard …” (Paragraph 65)
• “Conducting regular and documented risk assessments is an important organizational safeguard in and of itself …” (Paragraph 69, emphasis added)

Documentation provides explicit clarity around privacy- and security-related expectations for employees and signals the importance placed on information security. In focussing an organization’s attention to security as a priority, it also helps an organization to identify and avoid gaps in risk mitigations; provides a baseline against which practices can be measured; and allows the business to reassess practices in an evolving threat landscape.

For further information on safeguards obligations, see our Privacy Guide for Businesses, Securing Personal Information: A Self-Assessment Tool for Organizations, and Interpretations Bulletin: Safeguards.

Use multi-factor authentication for remote administrative access. At the time of the breach, ALM required employees connecting to its systems via Virtual Private Network (VPN) to supply a username, password, and “shared secret.” Each of these factors is “something you know” (as opposed to “something you have” or “something you are”), meaning that it was ultimately a single-factor authentication system. This lack of multi-factor authentication for controlling remote administrative access — a commonly recommended industry practice — was described as a “significant concern”

For further discussion of authentication, see “Guidelines for Identification and Authentication.”

Takeaways — Deletion and Retention

There is a high bar associated with charging a fee for deletion. PIPEDA provides individuals with the ability to withdraw consent to collection, use or disclosure of their personal information, subject to legal or contractual restrictions and reasonable notice. While the Act is silent on whether a fee can be included in these restrictions — such as the $19 fee instituted by ALM for “full delete” of user profile information (not currently being charged, following the breach) — there will be a high bar for the imposition of such a barrier to the exercise of an individual’s privacy rights. The reasonableness of such a practice would have to be evaluated in light of factors such as the actual cost to the organization relative to the fee charged, and the likely influence it would have on the individual’s decision on whether to withdraw consent. Further, in cases where a fee is reasonable, it would have to be clearly and conspicuously communicated prior to an individual providing consent. Overall, organizations should treat the decision to implement such a fee with appropriate gravity.

Retention policies should be based on a demonstrable rationale and timeline. PIPEDA requires that information be retained only as long as necessary for the fulfilment of the purposes for which it was collected.  The ALM investigation looked at two retention policies — those associated with deleted profiles, and those associated with inactive and deactivated profiles. In the case of deleted profiles, ALM was able to provide a clear purpose for retention (prevention of fraudulent chargebacks, which was a demonstrated issue for the company), and to connect their retention schedule to this purpose. However, in the case of inactive and deactivated profiles, information was kept indefinitely. ALM stated this was done in case an individual wished to reactivate their profile in the future — despite the fact that 99.9% of people who did reactivate their account did so within 29 days of deactivation. This contrast provides organizations with a clear example of good and bad practices with respect to retention policies.

Takeaways — Accuracy

The level of accuracy required is impacted by the foreseeable consequences of inaccuracy, and should also consider interests of non-users. This investigation looked at ALM’s practice of requiring, but not verifying, email addresses from registrants. While this lack of email address verification could afford individuals the ability to deny association with Ashley Madison's services, this approach creates unnecessary reputational risks in the lives of non-users — allowing, for instance, the creation of a potentially reputation-damaging fake profile for an email address owner. The requirement to maintain accuracy must consider the interests of all individuals about whom information might be collected, including non-users.

Takeaways — Transparency

False or misleading statements may impact the validity of consent. At the time of the breach, ALM’s home page displayed a fabricated trust-mark in the form of a “Trusted Security” icon. Assurances about an organization’s privacy practices — including privacy and security trust-marks — are designed to enhance individuals’ confidence in consenting to the collection, use and/or disclosure of personal information by that organization. Indeed, such assurances may materially influence an individual’s decision on whether to use a particular service. Organizations should be aware that deceptive statements will call into question the validity of consent.

Omission or lack of clarity of material statements may also impact the validity of consent. Under PIPEDA, consent is only valid if it is reasonable to expect that an individual would understand the nature, purposes and consequences of the collection, use or disclosure of personal information to which they are consenting. In the ALM investigation, it became clear that even a close reading of the information provided before registration did not offer key information that may have influenced someone’s decision on whether to sign up. For example, there was no mention of the fee to have personal information deleted from the service. Organizations should take note that a failure to be open about personal information handling practices — including omitting or lacking clarity about key practices — may bring into question the validity of consent.