An investigation report issued by the Australian Privacy Commissioner found that an operator of over 35 dating websites failed to reasonably secure the personal information of its users, thereby violating Australian privacy law. Cupid Media Pty Ltd (Cupid) creates user accounts by collecting and storing users’ full names, dates of birth, email addresses and passwords. The Commissioner initiated an investigation into Cupid’s privacy practices after media allegations surfaced that hackers who had obtained unauthorized access to Cupid’s web server had stolen users’ personal information. The Commissioner investigated whether Cupid took reasonable steps to protect users’ personal information from unauthorized access, as required by Australia’s “National Privacy Principles” (NPPs). The report concluded that Cupid violated the NPPs, specifically those that require organizations to take reasonable steps to protect personal information from unauthorized access and to destroy or permanently de-identify personal information no longer in use. Cupid violated these provisions by storing passwords in plain text instead of adopting password encryption strategies, and by failing to destroy information that was no longer in use. The report concluded, however, that Cupid acted appropriately in response to the data breach by applying a security patch to fix the vulnerability and notifying affected individuals so that they would reset their passwords.
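The two failings the report names, plain-text password storage and retention of data no longer in use, are both straightforward to avoid in code. The following is an added illustration written for this summary; it is not Cupid's code and is not taken from the Commissioner's report. It contrasts the weak pattern (storing the password as typed) with salted, iterated hashing via PBKDF2 from Python's standard library, adds an audit that flags any record still held in the clear, and a retention purge that destroys accounts idle beyond a chosen window. The iteration count, the record layout and the `demo_database` sample data are assumptions made for the example.

```python
"""Added example: salted password hashing, a plain-text audit, and a retention purge.
Not Cupid's code; all record layouts and sample values are constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

PBKDF2_ITERATIONS = 600_000  # assumption: a current-era work factor for PBKDF2-HMAC-SHA256
HASH_PREFIX = "pbkdf2_sha256"  # tag so stored strings are self-describing


def store_plaintext(user_db: dict, email: str, password: str, last_login: datetime) -> None:
    """The weak pattern the report describes: the password is kept exactly as the user typed it."""
    user_db[email] = {"password": password, "last_login": last_login}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: prefix$iterations$salt$digest (all hex for salt/digest)."""
    salt = secrets.token_bytes(16)  # unique per user, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_PREFIX}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        prefix, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in the hashed format (e.g. a legacy plain-text record)
    if prefix != HASH_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_hashed(user_db: dict, email: str, password: str, last_login: datetime) -> None:
    """The corrected pattern: only the salted hash is written to the record."""
    user_db[email] = {"password": hash_password(password), "last_login": last_login}


def audit_plaintext(user_db: dict) -> list:
    """Return the emails of every record whose credential is not in the hashed format."""
    return sorted(
        email for email, rec in user_db.items()
        if not rec["password"].startswith(HASH_PREFIX + "$")
    )


def purge_inactive(user_db: dict, now: datetime, max_idle_days: int) -> list:
    """Destroy records whose last login is older than max_idle_days; return the emails removed."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = sorted(email for email, rec in user_db.items() if rec["last_login"] < cutoff)
    for email in stale:
        del user_db[email]
    return stale


def demo_database():
    """Constructed sample data: one hashed, active account and one plain-text, dormant account."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    db = {}
    store_hashed(db, "active@example.com", "correct horse battery", now)
    store_plaintext(db, "dormant@example.com", "hunter2", now - timedelta(days=400))
    return db, now


if __name__ == "__main__":
    db, now = demo_database()
    print("records still in plain text:", audit_plaintext(db))
    print("login check:", verify_password("correct horse battery", db["active@example.com"]["password"]))
    print("purged as inactive:", purge_inactive(db, now, max_idle_days=365))
```

Two design choices matter here. The stored string carries its own iteration count and salt, so the work factor can be raised later without breaking existing records, and `audit_plaintext` gives a concrete check that a migration away from clear-text storage is actually complete rather than assumed.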
Tip: This case is a reminder to think about how your company destroys personally identifiable information. Even if you are not located in Australia, if the methods you use to destroy information are not secure and lead to a breach, you may find yourself subject to examination.