Recently, the Australian Privacy Commissioner released his report on the Ashley Madison data breach. In July 2015, hackers gained access to Ashley Madison’s systems and published a database containing details of approximately 36 million user accounts. The hackers also stole corporate information, including e-mails, source code and business documents.
In this article we focus on the valuable insights into the Commissioner’s current thinking on the Privacy Act’s “reasonable steps” security obligation, as highlighted in the Ashley Madison investigation report (read our recent article on “reasonable steps” here). The report reinforces that privacy and security governance is an essential component of Privacy Act compliance.
Set out below are four key insights from the Ashley Madison report:
1. Inadequate privacy / security governance was a breach in and of itself
While the Commissioner identified a number of discrete security flaws in Ashley Madison’s systems (summarised in section 2 below), the Commissioner was equally (if not more) concerned with gaps in Ashley Madison’s privacy and security governance procedures that allowed these flaws to persist.
Ashley Madison’s failure to implement a sufficiently robust information security framework was, in and of itself, enough to breach the Privacy Act.
The Commissioner determined that there were critical gaps in Ashley Madison’s security governance and decision making processes which meant that Ashley Madison “had no clear way to assure itself that its information security risks were properly managed”. Ashley Madison was therefore unable to demonstrate that it had taken “reasonable steps” from a security perspective.
In particular, three key deficiencies were identified:
- Lack of documented information security policies and practices to standardise processes and avoid potential gaps in security coverage. As an example, the report points to a lack of detection and monitoring systems and suggests that a documented security policy would have identified this deficiency and highlighted it to the business.
- Lack of an explicit risk management process (including periodic and pro-active assessments) to ensure that Ashley Madison’s security practices adapted to changing circumstances. The report notes the absence of any evidence that Ashley Madison had conducted a “structured assessment of the overall threats facing (the organisation)”.
- Inadequate training to ensure all staff (including senior management) were aware of their role in achieving privacy and security compliance. Although privacy training was delivered to senior staff and new recruits, this excluded large numbers of existing staff (around 75% of all personnel).
The report suggests that the investigators conducted a fairly extensive examination of Ashley Madison’s security governance and decision-making processes, including interviews with the Chief Operating Officer, General Counsel and the VPs of Technology Operations and Support & Service.
The Commissioner also highlighted the importance of appropriate reporting lines within the business, noting that Ashley Madison had strengthened its security governance by appointing a Chief Information Security Officer who directly reported to the CEO (with a “dotted line” to the Board).
2. Specific guidance on technical security issues
In addition to the general deficiencies in Ashley Madison’s security planning framework, the report also calls out a number of specific security flaws in their systems, including:
- Use of single-factor authentication. The Commissioner noted the “increased vulnerability” of single-factor authentication, and stated that Ashley Madison’s decision not to implement multi-factor authentication was a “significant concern” given the risks to individuals’ privacy.
- Poor implementation of security measures. The Commissioner commented that, in the absence of documented policies and formal training, there were varying levels of awareness of security issues among Ashley Madison personnel.
- Storage of passwords and encryption keys in plain text. Passwords were stored as plain, clearly identifiable text in e-mails and text files, and encryption keys were similarly stored in plain text. This has been a recurring theme in previous data breach reports from the Commissioner, and he again highlighted the risks posed by this practice.
- Failure to apply password protection to a server SSH key. The Commissioner noted that this would enable an attacker to connect to other servers without having to provide a password.
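Two of the findings above (credentials and keys kept in plain text, and an SSH private key with no passphrase) can be checked for mechanically. The script below is an added example written for this article, not code from the report or from Ashley Madison's systems; the e-mail text, the credential patterns and the key-building helper are all constructed here for illustration. It flags lines in a text file that appear to spell out a credential, and it reads the cipher field of an OpenSSH private key (or the `Proc-Type` / `ENCRYPTED` markers of a traditional PEM key) to tell whether the key is passphrase-protected.

```python
"""Added example: audit checks for two of the report's findings.
Not from the report itself; all sample data below is constructed."""
import base64
import re
import struct

# Constructed sample e-mail (not real data): a password and a secret key
# written out in the clear, which is the practice the report criticises.
SAMPLE_EMAIL = """From: ops@example.invalid
Subject: prod db access

The database password is Password123 and the secret_key=s3cr3t-example
Use ssh to reach the bastion."""

# Patterns that suggest a secret written out in clear text.
# Illustrative only; a real scanner would use a broader, tuned rule set.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpassword\b\s*(?:is|=|:)\s*\S+", re.IGNORECASE),
    re.compile(r"\b(?:secret|api)_?key\s*(?:=|:)\s*\S+", re.IGNORECASE),
]


def find_plaintext_credentials(text):
    """Return (line_number, matched_text) for each line that looks like
    it carries a credential in clear text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)))
    return hits


def _ssh_string(b):
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def build_openssh_key(cipher):
    """Build a minimal OpenSSH private-key shell declaring the given cipher.
    Constructed purely so the check below has input; it holds no key material
    and cannot be used with ssh."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def ssh_key_is_passphrase_protected(key_text):
    """True if the private key is encrypted, False if it is stored in the
    clear, None if the text is not recognised as a private key."""
    begin = "-----BEGIN OPENSSH PRIVATE KEY-----"
    if begin in key_text:
        body = key_text.split(begin, 1)[1].split("-----END", 1)[0]
        blob = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic) or len(blob) < len(magic) + 4:
            return None
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        # The OpenSSH format records the cipher name right after the magic;
        # "none" means the key body is not encrypted with a passphrase.
        return cipher != b"none"
    if "PRIVATE KEY-----" in key_text:
        # Traditional PEM keys mark encryption in the header, or use the
        # PKCS#8 "ENCRYPTED PRIVATE KEY" label.
        return ("Proc-Type: 4,ENCRYPTED" in key_text
                or "ENCRYPTED PRIVATE KEY" in key_text)
    return None


if __name__ == "__main__":
    for lineno, text in find_plaintext_credentials(SAMPLE_EMAIL):
        print(f"line {lineno}: possible clear-text credential: {text!r}")
    for name, key in (("unprotected", build_openssh_key(b"none")),
                      ("protected", build_openssh_key(b"aes256-ctr"))):
        print(name, "->", ssh_key_is_passphrase_protected(key))
```

Both checks are deliberately cheap to run across a mail archive or a home directory; the point of the report's governance finding is that an organisation needs a documented process that causes someone to run checks like these regularly, rather than relying on individual engineers to notice.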
3. The investigation was not limited to the breach incident
Exercising his power to conduct an “own motion” investigation under section 40(2) of the Privacy Act, the Commissioner conducted a wide-reaching investigation that extended beyond the facts and circumstances of the breach incident.
The Commissioner also investigated a number of ancillary information handling practices, and examined Ashley Madison’s information collection practices, user verification procedures and data retention policies.
As a result of this broader scope, the Commissioner found that Ashley Madison had not only breached the “reasonable steps” security obligation in Australian Privacy Principle (APP) 11.1 by failing to address specific security flaws listed in section 2 above, but had also breached:
- APPs 1.2 (Compliance Procedures) and 11.1 (Reasonable Security) by failing to implement an adequate privacy and security governance framework;
- APP 11.2 (Deletion of Information) by retaining user information indefinitely for inactive and deactivated accounts and failing to impose appropriate maximum retention periods; and
- APP 10.2 (Quality of Information) by failing to take reasonable steps to verify the accuracy of user e-mail addresses that it collected and used.
Ashley Madison has given an enforceable undertaking to the Australian Commissioner which requires Ashley Madison to implement a range of new procedures and provide an independent compliance report to the Commissioner. The undertaking preserves the rights of affected individual users to lodge complaints with the Commissioner in connection with the breach.
4. The Australian Privacy Commissioner flexes his extra-territorial jurisdiction
Ashley Madison’s operating company (Avid Life Media, Inc. (ALM)) is incorporated in Canada, and the investigation was conducted jointly by the Australian and Canadian Privacy Commissioners.
The Australian Commissioner asserted jurisdiction over ALM on the basis that the Ashley Madison website was actively advertised in Australia, featured pages targeted specifically at Australian users, and collected information from Australian residents. The Commissioner held that this was sufficient to enliven the extra-territorial jurisdiction of the Privacy Act, even though ALM had no physical presence in Australia.
The joint nature of the investigation is indicative of the increasingly close working relationship between privacy regulators across jurisdictions, and serves as a timely reminder that internet businesses providing services into Australia must comply with Australian privacy law.
Strong governance is essential to compliance with the “reasonable steps” requirement in APP 11.1, and also for compliance with the overarching obligation under APP 1.2 to implement business processes to ensure compliance with the APPs.
As the Ashley Madison investigation report highlights, organisations will be increasingly expected to demonstrate documented, formal decision-making processes and risk management procedures for privacy and security issues.