Ashley Madison, a website created to facilitate extramarital affairs, could have benefited from the recent CSA guidance on cybersecurity when it suffered a cyberattack in 2015. While the breach suffered by Ashley Madison in July of 2015 was nowhere near the scale of the massive 2014 Yahoo breach, it effectively destroyed the company’s most vital asset – its reputation for secrecy and discretion. Upon the release of personal customer information including names, addresses, and credit card information, a $578 million class action was brought by customers who incurred both reputational and financial harm.
In addition to the ongoing class action, the Office of the Privacy Commissioner (OPC) as well as the Australian Privacy Commissioner recently released their findings with respect to the data breach. In particular, the OPC found that although Avid Life Media (ALM), the private company that operates Ashley Madison, had Terms of Service stating that the security of a user’s information could not be guaranteed, that disclaimer did not affect ALM’s legal obligations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), because the nature of the information was highly sensitive and posed a significant risk of harm to users if disclosed.
Not only did the OPC find that ALM should have had a higher level of security in place given the sensitive nature of the information stored, but it found that ALM did not have documented information security policies or procedures in place and only used single-factor authentication as opposed to the stronger multi-factor authentication.
The OPC also found that ALM failed to obtain informed consent from its users in two central ways. Firstly, ALM provided false information about its cybersecurity safeguards (including reference to a fake “Trusted Security Award”) and failed to inform users about its information retention practices. As such, the users’ initial consent to the collection of personal information upon account sign-up was invalid and in contravention of PIPEDA. Secondly, it found that ALM retained personal information for an indefinite period of time after account deactivation or inactivity and improperly charged users a fee (without prior notice) to withdraw their consent and have their personal information erased.
The Ashley Madison case serves as an important reminder that companies should have strong Cybersecurity, Information Security and Privacy Compliance Programs in place, including appropriate policies and procedures, training and audits to ensure internal practices align with those policies and procedures. As well, it is vital to provide accurate information to customers on issues such as the security of their personal information, as their consent may be invalid in the absence of such transparency, let alone where there is deliberate misinformation. Finally, the involvement of the Australian Privacy Commissioner demonstrates the cross-border nature of privacy legislation and the need to be cognizant of, and in compliance with, the legislation of every jurisdiction in which you operate.