Canada’s Office of the Privacy Commissioner has issued its report on the customer information data breach at Ashley Madison discovered in July 2015. The Privacy Commissioner’s office launched its investigation a month later, under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Canada’s Privacy Commission worked together with Australia’s Information Commission, which issued an identical report on the findings of the joint investigation.
The Compliance Agreement between the Office of the Privacy Commissioner and Avid Life Media (ALM), the owners of Ashley Madison, is considered to be legally binding. The Agreement outlines steps Ashley Madison must take, including:
- enhancing privacy safeguards;
- amending information retention practices;
- improving information accuracy; and,
- increasing transparency.
Investigators found that Ashley Madison had used a fictitious security trustmark, and concluded that this meant individuals’ consent was improperly obtained.
Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award.” ALM officials later admitted the trustmark was their own fabrication and removed it.
The Privacy Commissioner also identified important lessons for all organizations to consider. The Privacy Commissioner’s website organizes some of the key takeaways from the investigation, using the following headings.
- General
  - Harm extends beyond financial impacts.
  - Safeguards should be supported by a coherent and adequate governance framework.
- Safeguards
  - Documentation of privacy and security practices can itself be part of security safeguards.
  - Use multi-factor authentication for remote administrative access.
- Deletion and Retention
  - There is a high bar associated with charging a fee for deletion.
  - Retention policies should be based on a demonstrable rationale and timeline.
- Accuracy
  - The level of accuracy required is impacted by the foreseeable consequences of inaccuracy, and should also consider the interests of non-users.
- Transparency
  - False or misleading statements may impact the validity of consent.
  - Omission or lack of clarity of material statements may also impact the validity of consent.
Each of these items is more completely described with a paragraph and links for further information to aid in corporate best practices and compliance with the legislation. Among the more interesting items was the consideration that a lack of email address verification could allow “the creation of a potentially reputation-damaging fake profile for an email address owner.”
Ashley Madison’s website encourages its members to “find your moment” while the company tries to promote discretion, promising to help its members keep their private life private.
A year after its data breach, the lessons from Ashley Madison need to help other firms ensure that they won’t find their own moment in the spotlight, and keep their customers’ private information private.