The Ashley Madison hack raises some awkward questions, and not just in the bedroom.
The adult website that tells us ‘Life is short. Have an affair’ is in deep trouble after its data was apparently hacked and all of its members exposed online. Ironic for the site that boasts “over 38,855,000 anonymous members”. Awkward. While it makes for intriguing, albeit mostly sad and ‘erode your faith in humankind’ reading, the security breach might put Ashley Madison in serious legal strife.
The Privacy Act requires companies to take ‘reasonable steps’ to ensure the security of the personal information they hold. For most companies, that means firewalls and encryption for the information they hold online, and physical protection (i.e. locked drawers) for the hard copy stuff. For others, the bar may be set a little higher. The Privacy Commissioner has released some guidance on what will constitute ‘reasonable steps’, stating that it will depend on the circumstances, including:
- The nature of the entity (size, resources, business model);
- The amount and sensitivity of the information held (note that ‘sensitive information’ is a defined term under the Privacy Act, but the whole ‘affair’ thing is pretty sensitive);
- The possible adverse consequences for an individual in the case of a breach (tick!);
- The practical implications of implementing a security measure, including time and cost;
- Whether that security measure is itself privacy invasive.
The Privacy Commissioner is already onto the Ashley Madison breach and is investigating how it occurred, as well as what the company is doing to mitigate the situation. The Commissioner has also urged caution for anyone reporting details of the published database, as initial reports say that it is potentially inaccurate – something Fitzy and Wippa of Nova 969 could be accused of having ignored when they broadcast live the moment Jo from Blacktown learned her husband’s name was on the list. (Refer to the ‘erode your faith in humankind’ comment above.)
We think Ashley Madison is in big trouble, particularly if it can’t demonstrate that decent security was in place, or if it didn’t do enough to clean up the breach once it happened. There are also suggestions it had been charging members a fee to have their data deleted, but hadn't actually carried the deletions out. If that's right, ouch. The Commissioner has the power to impose penalties of up to $1.7 million for serious and repeated breaches.
And that's just one consequence. In the US, the first class action lawsuit by members has already been launched against Ashley Madison, and we can expect the same here. Along with a spike in the divorce rate. Funny, but not funny at all.