1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

The Ashley Madison Breach: Canada-Australia Report of Investigation and Takeaways for all Organizations

On August 23, 2016, the Office of the Privacy Commissioner of Canada (OPC) released its joint report with the Office of the Australian Information Commissioner (OAIC) regarding its investigation of the 2015 Ashley Madison breach.

The report articulates several takeaways for all organizations. However, if there is one key lesson to be learned, it is that the OPC considers a solid information compliance and governance program to include documented policies and procedures. Organization’s safeguards should be adopted with “due consideration of the risks faced” and with a formal framework in order to ensure its proper management.

The following summarizes the report by the OPC and OAIC including several takeaways for all organizations.

The Breach

As many recall, on June 12 2015, a group identified as ‘The Impact Team’ hacked Avid Life Media, Inc. (ALM), headquartered in Toronto, Canada and operator of Ashley Madison and several other dating websites.

It is believed the intrusion took place over several months, beginning with the compromise of an employee’s valid account credentials and used to understand ALM’s systems until ALM’s information technology team detected unusual behavior on July 12. The next day, ALM computers projected warning notices from The Impact Team stating ALM had been hacked and threatened to expose the personal information of Ashley Madison users unless ALM shut down the website. The Impact Team published its actions and threats to the internet on July 19. The OPC contacted ALM soon after, and ALM voluntarily reported the details of the breach. On August 18 and 20, 2015, after its demands were not met, The Impact Team published information allegedly hacked from ALM of approximately 36 million Ashley Madison users from around the world.

The Personal Information Exposed

The sensitive personal information exposed by The Impact Team fell into three main categories:

  1. Profile information that described the users, including names, physical descriptions, date of births, experiences sought through Ashley Madison, details relating to intimate desires, personal and sexual interests.
  2. Account information such as e-mail addresses, security questions and answers and hashed passwords.
  3. Billing information for users who made purchases on Ashley Madison, including real names, billing addresses and the last four digits of credit cards. (Note: As billing information was stored by ALM’s third party processor, it is strongly believed the third party processor was also hacked by The Impact Team).

The sophisticated and targeted hack made it a challenge to determine the extent of the access gained by The Impact Team. ALM reported to the OPC and OAIC, as well as notified affected individuals, that exposed information could also include photos and communications between users.

Canadian and Australian Joint Investigation

The OPC and OAIC did not focus or report any conclusions with respect to the cause of the breach itself. The report is an assessment of the practices by ALM against its obligations under both the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act. The OAIC established an “Australian link” (s.5B(1A) of the Australian Privacy Act)) with the foreign-based ALM as a result of ALM’s targeting of its services to Australians, the collection of personal information of Australian residents and advertising in Australia. The collaboration was made possible by the OPC’s and OAIC’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement

Report of Findings and Takeaways for all Organizations

  1.  Safeguards

Under both PIPEDA and the Australian Privacy Act, organizations must protect personal information by safeguards appropriate to the sensitivity of the information from loss and unauthorized access, use, disclosure, etc. Both jurisdictions require a similar assessment of the risk of harm to individuals. The Commissioners agreed the key risk for users of Ashley Madison was reputational harm.

Discretion and secrecy in being a member of AshleyMadison.com was a central marketing and legal representation to its users. ALM also stated to the OPC and OAIC that protection of its customer’s confidence was a core element of its business. ALM advertised a series of trust-marks including “Trusted Security Award”, “100% Discreet Service” and “SSL Secure Site” on the front page of AshleyMadison.com. It was later discovered some trust-marks were fabricated. Further, the Terms of Service warned users that security and privacy of information could not be guaranteed, a statement many organizations include in their policies. However, the OPC and OAIC found the qualifier in the Terms of Service did not absolve ALM of its obligations.

The Commissioners found ALM lacked appropriate safeguards considering the sensitivity of the personal information. The safeguards adopted by ALM allegedly did not consider the risks individuals could face as a result of unauthorized access.

Key elements ALM’s safeguards allegedly lacked included:

  • a comprehensive information security program expected of an organization collecting and processing such sensitive personal information.
  • documented information security policies and procedures for managing network permissions including critical gaps in security coverage indicative of the absence of documented policies and practices.
  • an adequate intrusion detection system or prevention system , including a security information and event management system in place, or data loss prevention monitoring
  • adequate training for all staff and senior management

Takeaways regarding safeguards for all organizations

  • Organizations should have documented privacy and security practices as part of their compliance program
  • The sensitivity of the personal information collected must be considered when determining and developing an organization’s information and security program
  • Organizations should conduct regular and documented audits and risk assessments
  • Documenting your privacy and security practices can assist your organization identify gaps
  • Training of all employees, including senior management is part of a functional and robust compliance program.

        2. Indefinite Retention and Paid Deletion of User Accounts

Both PIPEDA and the Australian Privacy Act place require limits on the length of time that personal information may be retained and require organizations take reasonable steps to destroy or de-identify information no longer needed for any purpose.

The investigation highlighted that information of deactivated accounts as well as accounts that have not been used for a prolonged period were retained by ALM indefinitely. Further, at the time of the breach, Ashley Madison provided users with two methods to close an account; a basic de-activation that would allow users to re-activate their accounts in the future should they choose to, and a full deletion for a fee of CAD $19 that would delete all personal information within 48 hours (Note: This fee was not disclosed in ALM’s privacy policy or terms of service). However, it was alleged that ALM did not delete all personal information and retained certain financial information in the event of charge backs for a period of up to 12 months following the purchase of a full deletion. ALM presented statistics to the OPC and OAIC that if any chargebacks were to occur, they would happen within 6 months from the date of purchase. Among those affected by the breach were individuals who purchased the full deletion and likely believed their information was destroyed.

The OPC and OAIC had the following findings regarding retention and deletion:

  • ALM had data that the vast majority of users who deactivated their account reactivated it within 29 days. As such, ALM was unable to justify an indefinite retention period of users who deactivated their accounts. Further, it was not clear to users that information would be retained indefinitely.
  • Accounts that have been inactive for prolonged periods were retained indefinitely. While such account users did not provide an affirmative indication of their intent to no longer use their account, justification to retain the personal information diminishes over an extended period of time. Lack of clear retention limits and inability to justify retaining inactive profiles indefinitely contravened PIPEDA and the Australian Privacy Act.

The OPC and OAIC varied in their conclusions regarding the retention of information of users who purchased the full delete option.

  • Under the Australian Privacy Act, ALM is required to destroy or de-identify personal information once it no longer needs it for any primary purpose (deliver its online dating services) and can only retain data for a secondary purpose (reasonably believes is necessary for charge backs to address the risk of fraud ) for a limited time period. ALM provided sound business and legal reasons to retain the financial data to which the OAIC found ALM provided a reasonable basis to retain the financial information for 12 months.
  • The OPC also found ALM satisfied its retention of financial information to prevent chargebacks for 12 months following a full delete (Note: ALM has reduced the retention period to 6 months since the breach), however the OPC found ALM contravened PIPEDA as a result of photo’s that were retained by error following a full deletion.

The OPC found ALM’s practice of charging a CAD $19 fee for withdrawal of consent and full deletion contravened PIPEDA, as ALM did not disclose the fee at the time of sign up, as well, the OPC is not convinced ALM met the high burden to request such a fee. ALM no longer charges a fee for full deletion.

Takeaways regarding deletion and retention for all organizations

  • While PIPEDA is silent on whether organizations may charge a fee to delete their personal information, the OPC has established a high bar in demonstrating such a fee is reasonable.
  • If a fee were reasonable, it must be clearly disclosed and communicated prior to an individual providing consent.
  • Organizations should document retention policies based on a demonstrable rationale and timeline
  • Organizations must clearly disclose and communicate such retention timelines to individuals
  • Organizations should review and audit their practices to ensure information is being deleted and de-identified accordingly.

         3. Accuracy of Email Addresses

Both PIPEDA and the Australian Privacy Act require organizations to take steps to maintain the quality and accuracy of the personal information they collect and use.

ALM collects e-mail addresses in order to create accounts and send confirmation, support and marketing e-mails. ALM’s practice was not to verify e-mail addresses as manner to enhance privacy. Also, ALM feared it would discourage some individuals from signing up. A subset of e-mail addresses involved in the breach belonged to people who never used Ashley Madison. ALM admitted it was aware that some users do no provide their real e-mail addresses when they register, and as such, was in possession of e-mail addresses that belonged to non-users.

Given the sensitivity of the Ashley Madison service and the possible harm a non-user could face, the OPC and OAIC found ALM did not take reasonable steps to ensure the e-mail addresses were accurate. The Commissioners did not agree with ALM’s argument that making the e-mail address field mandatory, but not verified, is a practice of enhancing the privacy of its users. The Commissioners found such approach creates an unnecessary risk in the lives of non-users in order to provide users with a possibility of denying their association with Ashley Madison. The Commissioners highlighted other options available to ALM to address this issue and emphasized that ALM has a responsibility for all information it collects, including considering the personal information provided from a user that does not belong to them (a user providing an e-mail address that is not theirs to register) and must consider the possible harm of the non-user.

Takeaways regarding accuracy for all organizations

  • The level of accuracy required by organizations is impacted by the foreseeable consequences of inaccuracy
  • Organizations must take reasonable steps to ensure information in their possession is accurate
  • Organizations are responsible for all information in their control, including information that belongs to non-users, non-customers or other third parties who did not directly provide their information to the organization.
  • The requirement to maintain accuracy must include considering the interests of all individuals about whom the information might be collected, including non-users, non-customers and other third parties.

           4. Requirement for transparency and informed consent

PIPEDA states that consent is only valid if it is reasonable to expect the individual would understand the nature, purpose and consequences of the collection, use and disclose of the personal information to which they are consenting. PIPEDA also requires organizations to make their handling practices readily available and understandable to individuals.

The OPC analyzed two issues, first whether the privacy practices of ALM were adequate under PIPEDA, and two, whether the privacy practices at the time individuals were consenting to provide their information to ALM was adequate and not obtained through deception.

Generally, the OPC found that while ALM did provide some information about its security safeguards, account closure options and retention practices, critical elements of their practices that would be material to users’ decision to join Ashley Madison were not as clear as they should be. For example:

  • The fabricated “trusted security award” trust-mark
  • Language in the privacy policy and terms and conditions were not consistent regarding retention of personal information and could confuse a user or lead them to expect that inactivity can alone lead to the deactivation or deletion of their information
  • The required fee for a full deletion was not disclosed until after creating an account
  • Users who requested a full deletion were not informed until after they paid the fee that their information would in fact be retained for an additional 12 months

The OPC found ALM did not meet its obligations under PIPEDA to be open and transparent about its policies and practices of its management of personal information. The OPC further found the lack of clarity regarding certain practices could materially impact a prospective user’s informed consent to join Ashley Madison and allow the collection, use and disclosure of their personal information.

Takeaways regarding transparency for all organizations

  • Organizations must be cautious of the representations they make in their privacy policies and terms and conditions
  • Omission or lack of clarity of material statements may also impact the validity of consent. Organizations should make effort to ensure an individual understands the nature, purpose and consequences of their consent.
  • Organizations privacy policies, terms of service and other disclosure of practices should be clear and inform individuals prior to or at the time of consenting.

The Commissioners noted that ALM was cooperative during the investigation. ALM has entered into a compliance agreement with the OPC and an enforceable undertaking with the OAIC. The events of the hack and the report by the Commissioners provide important lessons for all organizations that collect personal information.

To read details of the compliance agreement with the OPC and the steps Avid Life Media has undertaken to take, click here.

The news release released by the OPC on August 23, 2016 can be found here.

The OPC’s summary of takeaways for all organizations can be found here.

To read the full joint report of the investigation by the OPC and OAIC click here.

The Ashley Madison Breach: Canada-Australia Report of Investigation and Takeaways for all Organizations

The thorny issue of retention periods – Insurers Beware

There is perhaps no issue under Canadian and international privacy legislation that causes as much grief as the issue of what retention period can be applied to data collected by an organization. However, recently the Office of the Privacy Commissioner of Canada (OPC) provided some guidance that should assist organizations in drawing some parameters around what is an acceptable retention period.

In particular, organizations must ensure retention periods are rationally connected to the purposes for which the information was obtained or the legal obligations that are being cited as a reason for a longer retention. At least in the insurance industry, three years may be an acceptable retention period for retaining information relating to an insurance quote. Organizations may also consider obtaining consent to a specific retention period, provided that the organization is equipped to follow it.

The Limiting Retention Principle

Even in the absence of an express request for deletion, organizations are generally directed by privacy legislation to destroy personal information when it is no longer required to fulfill the purposes for which it was collected (subject to any overriding legal obligations to retain the information). Organizations are also directed to create record retention policies. For example, Principle 4.5.3 of Schedule 1 to the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA) states:

Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

However, the direction to destroy information is at odds with the structure of many organization’s systems and information practices, as well as the economic imperative to make larger data sets available for analytical investigation. The result is that many organizations fail to comply with this PIPEDA principle.

Insurance Provider Improperly Retains Information

In PIPEDA Report of Findings #2014-019  (recently posted by the OPC), the OPC considered a complaint by an individual about the retention of his personal information by an insurance provider. Eight years earlier, the insurance provider quoted automobile and home insurance for the individual. When the individual made an access request for his personal information years later, he found that the insurer still had this information on record even though the individual had not enrolled for any insurance. This was in violation of the insurance provider’s own record retention period of seven years.

The individual complained not only about the failure to comply with the insurance provider’s own retention period but also the length of that retention period. Like many organizations, the insurance provider appeared to be using a seven-year period as a guide based on a combination of factors such as statutory requirements, limitation periods on litigation, and other considerations. Even though the insurance had a retention period, the insurance provider had not updated its electronic systems to allow for the purging of electronically held information that exceeded its ordinary retention period (although a project was underway). As many readers will understand, the purging of electronic data contained in complex and interrelated databases is not simple and must be handled carefully to avoid the destabilization of those databases. Many organizations are in a similar position as the insurance provider that found itself investigated by the OPC.

In reviewing the complaint, the OPC concluded that:

  • The insurance provider had breached its own records retention policy, which was a violation of PIPEDA; and
  • The insurance provider was unable to explain why a seven-year period was rationally linked to purposes such as fraud detection and prevention, or laws imposing retention obligations.

The result was that the complaint was held to be well-founded. The insurance provider’s response to the OPC’s recommendations was to agree to only retain insurance quotations for three years to “more appropriately reflect fraud prevention requirements”. The OPC apparently accepted that a three-year retention period was rationally linked to fraud detection and prevention in the insurance industry.

Takeaways

The OPC’s Report of Findings contains a number of takeaways for organizations struggling with retentions periods:

  • The failure to follow an organization’s record retention policy is a violation of PIPEDA. Therefore, make sure your electronic systems can support your record retention policy. Also, ensure your employees follow your record retention policy.
  • The choice of a retention period cannot be arbitrary but should be based on a rational connection between the data and either (i) a purpose for which the information was collected or created or (ii) a specific legal obligation. Organizations should document the reasons for retention periods. Convenience will not persuasive. Instead, consider why the records really must be kept and document those reasons.
  • Information can be kept indefinitely if it is anonymized. Build a robust de-identification program into your systems. It is frequently difficult to “bolt-on” de-identification onto existing systems; therefore, look for opportunities when your organization is upgrading or converting systems.

Intriguingly, in a throw-away line (see the “Lessons Learned”), the OPC recognized that information might be retained for longer than is necessary to fulfill the purposes for which it was collected if the individual consents to a longer retention period.  It is unclear what the OPC means here. It would be difficult to justify retention as being “appropriate” if it exceeded what is necessary to satisfy the purposes for which it was collected and any longer retention period required by law.

However, this statement by the OPC signals a willingness, perhaps, for the OPC to consider an organization’s transparency with respect to how long it keeps personal information and whether the individual consented to that retention period. Organizations may wish to consider obtaining express agreement to retention periods and then following those retention periods, in order to avoid later complaints.

, ,

The thorny issue of retention periods – Insurers Beware