The OAIC this week issued its 40 page joint report with its Canadian counterpart of their joint investigation into the data security practices of Ashley Madison adult dating website operator Avid Life Media (ALM).The website suffered a large scale breach affecting individual users in multiple countries (see our previous blog post here).
It's a pretty significant report. Why? For a number of reasons ...
This is the first joint report of its kind issued by the OAIC and is a real demonstration of national data regulators cooperating on cross-border regulatory matters. As the OAIC tweeted yesterday:
"Privacy & data are global challenges & int'l co-op like this will become a key tool for the future of privacy enforcement" #AshMadfindings
- OAIC (@OAICgov) August 24, 2016
It sends a clear message from Acting Australian Information Commissioner Timothy Pilgrim that he considers the information handling practices of overseas entities which affect Australian customers to be subject to the Privacy Act 1988 (Cth). In a statement by Mr Pilgrim tweeted by the OAIC yesterday:
"My office will always look to pursue Australians’ privacy rights, no matter where that leads" #privacy Commissioner https://t.co/DTsVgwRJl9
- OAIC (@OAICgov) August 25, 2016
While ALM is headquartered in Canada and has no physical presence in Australia, the report found it has an 'Australian link' as defined in the Privacy Act, and therefore its acts or practices outside Australia are subject to the Privacy Act.
ALM was found to carry on business in Australia through marketing and targeting its services at Australian users (with website pages dedicated to them) and to have collected personal information about Australian users.
While this should come as no surprise, the introduction of the definition 'Australian link' by the 2014 amendments to the Privacy Act and its application was a focus of great debate given its potential to apply to international companies who do business in Australia only through offshore websites.
="twitter-tweet">
It has resulted in an overseas based entity offering an enforceable undertaking to the OAIC. There have only been a handful of enforceable undertakings accepted by the OAIC.
It confirms the OAIC's expectations about the need for organisations to have an appropriate information security framework and the adequacy of practices, procedures and processes that holders of electronic data should implement in order to address information security risks, including security policies and staff training.
It reinforces the OAIC's determination to take steps of its own motion to investigate data breaches having regard to their size, the sensitivity of the information involved, the impact on affected individuals as well as the international nature of the responsible entity's business.
It further identifies the costs to and impact on ALM and its staff of the data breach:
The reports notes the significant steps ALM took after the breach occurred to secure the website, notify affected individuals, improve its security and develop policies and prevent the spread of the information, as well as cooperating with the two regulators.
ALM also hired Deloitte to conduct a full scale review of its security practices,and has had Payment Card Industry Data Security Standard (PCI-DSS) incident and compliance reporting requirementsand costs.
ALM has also rebranded itself as Ruby Corp no doubt in an attempt to distance the association of the brand with the data breach. However the details of the data breach itself and its aftermath will no doubt be revisited over and over again in the coming weeks following the release of the report, and the association will be highlighted.
ALM must now continue to comply with its enforceable undertaking in Australia and its compliance agreement in Canada. This includes completing a number of onerous steps in the next 12 months before reporting back to the two regulators, such as a comprehensive review of its protections of personal information, developing and documenting its information security framework, training staff and contractors and obtaining a report from an independent third party documenting these measures and certifying compliance with a recognised privacy and security standard satisfactory to the regulators.
The investigation and its findings
The purpose of the investigation was not touncover the cause of the data breach, but rather to establish whether ALM was complying with its obligations in the Australian Privacy Principles (APPs) in the Privacy Act, in particular its data security obligations under APP 11.
While noting that the fact an attack had occurred (which was sophisticated) was not evidence itself of a breach of ALM's data security obligations, the OAIC foundsignificant failings in ALM's security practices. This was also assessed against the nature and sensitivity of the personal information it collected (given users were seeking discreet affairs via the website)and the foreseeability of the reputational harm that could be caused if the information was leaked. Various users had reportedly been exposed to extortion threats after the breach. ALM had also misrepresentedthe security of the site through its display various trust marks.
The failings identified included:
poor monitoring and a lack of detection measures to identify the targeted attack and the compromised VPN credentials which were used to access ALM’s systems and which went undetected for a significant period of time;
no risk-based approach to managing security risks;
use of single factor authentication only;
only25% of staff had received security and privacy training at the time of the breach;
poor key and password management, including storage of passwords in plain text (for example, a server was found with an SSH key that was not password protected);
retaining the personal information of users with inactive, deactivated or deleted profiles beyond their purpose;
no explanation of ALM's data retention practices in its privacy policy or terms;
not disclosing to users its charges to delete (rather than deactivate) their profiles;
retention of some information even after a 'full delete'; and
collecting unverified email addresses via a mandatory field which would result in individuals being signed up to the service and receiving emails without their consent.
Conclusion
There is much to learn from a detailed review of the report, which provides valuable insight into the cross-jurisdictional regulatory approach to data breaches. The lessons range from expected standards forcollection and retention of personal information via websites, to security, risk management and authentication and, of course, the reach of the Privacy Act to overseas entities who provide services to Australian customers and collect their personal information in order to do so.
As for ALM, their troubles are not over yet, as it appears that the company will be the subject of a US Federal Trade Commission investigation. The FTC can look at representations that ALM made about its security, and has the power to issue substantial fines.