Caught in the act: adultery website falls short on privacy

05 September 2016

Ashley Madison breached a number of its obligations under Australian privacy law in the months leading up to a cyber-attack on its customer database in July 2015, a joint report by the Canadian and Australian privacy commissioners found recently.

Ashley Madison’s key privacy failures were:

  • not having documented information security policies or practices, including both preventive and detective measures
  • inadequate privacy risk management, including regular assessments of privacy threats, and evaluations of security practices to ensure security arrangements were, and remained, fit for purpose
  • failure to properly train staff in privacy and security procedures appropriate to their role and the nature of Ashley Madison’s services
  • the retention of users’ personal information indefinitely following a ‘deactivation’ of their account
  • failure to ensure the accuracy of users’ email addresses by verifying that the email address users sign up with does in fact belong to them.
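The last two findings describe controls that are simple to build into an account lifecycle: proving that a sign-up email address belongs to the person registering it, and deleting personal information once an account has been deactivated rather than keeping it indefinitely. The following is an added illustration written for this article; it is not code from Ashley Madison or from the commissioners’ report. The token lifetime of 24 hours, the 30-day retention window after deactivation, and the in-memory store standing in for a database and mail sender are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy values for this illustration (not from the report).
TOKEN_TTL = timedelta(hours=24)              # unverified sign-ups expire after a day
DEACTIVATION_RETENTION = timedelta(days=30)  # personal data purged 30 days after deactivation


@dataclass
class Account:
    email: str
    verified: bool = False
    token_hash: Optional[str] = None         # only a hash of the emailed token is stored
    token_expires: Optional[datetime] = None
    deactivated_at: Optional[datetime] = None
    profile: Dict[str, str] = field(default_factory=dict)


def _hash_token(token: str) -> str:
    # A leaked copy of the store must not reveal usable verification tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AccountStore:
    """Constructed in-memory stand-in for the user database and mail system."""

    def __init__(self, now: Callable[[], datetime]):
        self._now = now                      # injectable clock so expiry can be exercised
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, token) pairs "sent" by email

    def sign_up(self, email: str) -> str:
        """Create an unverified account and email a one-time verification token."""
        token = secrets.token_urlsafe(32)    # 256 bits of randomness, unguessable
        self.accounts[email] = Account(
            email=email,
            token_hash=_hash_token(token),
            token_expires=self._now() + TOKEN_TTL,
        )
        self.outbox.append((email, token))   # a real system would send a link carrying the token
        return token

    def verify(self, email: str, token: str) -> bool:
        """Mark the address verified only if the presented token is unexpired and correct."""
        acct = self.accounts.get(email)
        if acct is None or acct.verified or acct.token_hash is None:
            return False
        if self._now() > acct.token_expires:
            return False
        # Constant-time comparison avoids leaking the stored hash through timing.
        if not hmac.compare_digest(acct.token_hash, _hash_token(token)):
            return False
        acct.verified = True
        acct.token_hash = None               # token is single use
        acct.token_expires = None
        return True

    def can_use_service(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.verified and acct.deactivated_at is None

    def deactivate(self, email: str) -> None:
        self.accounts[email].deactivated_at = self._now()

    def purge_expired(self) -> int:
        """Delete stale unverified sign-ups and deactivated accounts past the retention window."""
        now = self._now()
        doomed = [
            e for e, a in self.accounts.items()
            if (a.deactivated_at is not None and now >= a.deactivated_at + DEACTIVATION_RETENTION)
            or (not a.verified and a.token_expires is not None and now > a.token_expires)
        ]
        for e in doomed:
            del self.accounts[e]
        return len(doomed)


def demo() -> Dict[str, object]:
    """Walk one account through sign-up, verification, deactivation and purge."""
    clock = {"t": datetime(2016, 9, 5, tzinfo=timezone.utc)}   # constructed start time
    store = AccountStore(lambda: clock["t"])
    results: Dict[str, object] = {}

    token = store.sign_up("alice@example.com")                  # constructed address
    results["usable_before_verify"] = store.can_use_service("alice@example.com")
    results["wrong_token_accepted"] = store.verify("alice@example.com", "not-the-token")
    results["right_token_accepted"] = store.verify("alice@example.com", token)
    results["token_reusable"] = store.verify("alice@example.com", token)
    results["usable_after_verify"] = store.can_use_service("alice@example.com")

    store.sign_up("bob@example.com")                            # never verified
    clock["t"] += timedelta(hours=25)
    results["stale_signups_purged"] = store.purge_expired()

    store.deactivate("alice@example.com")
    results["usable_after_deactivate"] = store.can_use_service("alice@example.com")
    results["purged_inside_retention"] = store.purge_expired()
    clock["t"] += timedelta(days=30)
    results["purged_after_retention"] = store.purge_expired()
    results["accounts_remaining"] = len(store.accounts)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two points the example makes are that an address is treated as belonging to a user only after a secret sent to that address is returned, and that deactivation starts a clock after which the record is actually deleted. Both are the kind of documented, reviewable control the report found missing.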

Under the Privacy Act 1988, a business holding personal information must take such steps as are reasonable in the circumstances to protect the information from misuse, interference, loss, and unauthorised access, modification or disclosure (Australian Privacy Principle 11.1). Exactly what a business must do to comply with this obligation depends on what type of business it is, what type of information it collects, the potential consequences of a breach, and how costly the security measure is to implement.

In determining the reasonable steps a business in Ashley Madison’s circumstances would have taken, the report took into account the high risk of harm to users’ reputations, ie the effect on an individual’s long-term ability to access and maintain employment, harm to critical relationships, and exposure to extortion. The report noted that ‘once information affecting a person’s reputation is disclosed, correct or not, it can continue to affect them indefinitely.’

The report also considered the nature of Ashley Madison’s services, noting that, as an adult dating service, it collects sensitive information about its users, including ‘information that reveals the sexual practices, preferences, and fantasies of those users’ and that engaging in an extramarital affair is ‘an activity where discretion is expected and paramount’.

Comment

An information security compromise does not necessarily mean a breach of privacy law; it is possible for a business’ customer database to be hacked without the business being in breach of its privacy law obligations. A business must be able to show that the steps it took to protect the information from misuse, interference, loss, and unauthorised access, modification or disclosure were reasonable in the circumstances.

A number of the Australian Privacy Principles impose on businesses the obligation to ‘take such steps as are reasonable in the circumstances’. The precise requirements will vary between businesses, and within the same business over time. Security measures (both physical and digital) must be reviewed regularly in light of an evolving risk landscape.

Ashley Madison did have a range of standard security measures in place at the time of the attack, including ‘salted password hashing’, storage encryption and secure communication, VPNs, and servers located in a locked room with restricted access. These measures were ultimately not enough.

For businesses, the most troubling effect of a privacy breach could be the resulting loss of reputation and revenue. Consumers in the age of big data are increasingly nervous about who does what with their personal information, so that even a relatively minor breach may cause a permanent loss of trust and confidence in a brand.

Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

©2016 Rigby Cooke Lawyers