
NIST and USCG Issue New Maritime Industry Cybersecurity Profile

In 2013, President Obama issued Executive Order 13636 and directed the Director of the National Institute of Standards and Technology (NIST) to “lead the development of a framework to reduce cybersecurity risks to critical infrastructure” (Cybersecurity Framework).  The Cybersecurity Framework was published in February 2014.  A number of industries are integrating the Cybersecurity Framework, including by creating industry-focused Framework Profiles (Profiles) as described in the Cybersecurity Framework.

This month, NIST and the United States Coast Guard (USCG) released a “Maritime Bulk Liquids Transfer Cybersecurity Framework Profile” (Bulk Liquids Transfer Profile) to address vulnerabilities in the transfer of bulk hazardous liquids in the maritime industry.  These transfers are often part of a sophisticated supply chain that relies on multiple networked systems, and are therefore exposed to attack.  The new Profile is meant to assist cybersecurity risk assessments by entities involved in maritime bulk liquids transfer operations overseen by the USCG, and is intended as “non-mandatory guidance to organizations conducting” such operations within facilities and vessels under USCG regulatory control pursuant to 33 CFR Parts 154-156.

The stated benefits of creating the new Bulk Liquids Transfer Profile include:

  • Compliance reporting becoming a byproduct of running an organization’s security operation;
  • Adding new security requirements will become more straightforward;
  • Adding or changing operational methodology will be less intrusive to ongoing operations;
  • Minimizing future work by organizations;
  • Decreasing the chance that organizations will accidentally omit a requirement;
  • Facilitating understanding of the bulk liquid transfers environment to allow for consistent analysis of cybersecurity-risk; and
  • Aligning industry and USCG cybersecurity priorities.

Other benefits include strengthening strategic communications between:

  • Risk executives and operational technology integration of cybersecurity capabilities;
  • Personnel involved in cybersecurity governance processes and operational technology oversight; and
  • Enterprises who are just becoming aware of cybersecurity recommended practices with subject matter expertise and the collective wisdom of industry experts.

The new profile can be found here.

Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress

On October 21, 2016, a DNS hosting and internet performance management company experienced at least two waves of a distributed denial of service (DDoS) attack that impacted at least 80 websites, including those belonging to Netflix, Twitter and CNN.  The attack was launched by infecting a large number of Americans’ Internet of Things (IoT) connected devices with a variant of the Mirai malware.  Mirai primarily targets IoT devices such as routers, digital video recorders and webcams / security cameras by logging in with their factory-default usernames and passwords and coordinating the compromised devices into a botnet used to conduct DDoS attacks.  The U.S. Federal Bureau of Investigation (FBI) has not confirmed a group or individual responsible for the attack.  In September 2016, two of the largest IoT DDoS attacks to date, using the same malware, disrupted the operations of a gaming server and a computer security blogger’s website.

In light of these attacks, there has been an increased focus on IoT security at the FBI, the U.S. Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) and on Capitol Hill.

FBI Guidance

Five days after the October 21, 2016 attack, the FBI issued a Private Industry Notification, providing a list of precautionary measures stakeholders should take to mitigate “a range of potential DDoS threats and IoT compromise,” including but not limited to:

  • Having a DDoS mitigation strategy ready ahead of time and keeping logs of any potential attacks;
  • Implementing an incident response plan that includes DDoS mitigation.  The plan may involve external organizations such as law enforcement;
  • Implementing a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location;
  • Reviewing reliance on easily identified internet connections for critical operations, particularly those shared with public facing web servers;
  • Ensuring upstream firewalls are in place to block unsolicited incoming UDP packets (the reflection and amplification floods used in many DDoS attacks are UDP-based);
  • Changing default credentials on all IoT devices; and
  • Ensuring that software or firmware updates are applied as soon as the device manufacturer releases them.
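Mirai’s scanner works through a short, hard-coded dictionary of factory-default telnet credentials, so the most direct detection signal is a source that cycles through that dictionary against a listening port. The following is an added example, not code from the FBI notice or from any vendor: it parses a constructed honeypot-style telnet log (the line format and the sample lines are assumptions made for this illustration) and flags sources whose burst of login attempts consists mostly of pairs drawn from a small subset of the credential list found in the leaked Mirai source. The thresholds and the `parse` / `analyze` names are this example’s own.

```python
"""Flag Mirai-style default-credential scanning in a telnet honeypot log.

Added example, not code from the FBI notice or any vendor. The log format and
the sample lines are constructed; the credential list is an illustrative
subset of the pairs hard-coded in the leaked Mirai scanner.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of Mirai's built-in default credential dictionary.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("support", "support"),
    ("admin", "password"), ("root", "root"), ("user", "user"),
    ("root", "12345"), ("ubnt", "ubnt"), ("guest", "guest"),
}

# Constructed honeypot line format (assumption):
#   <ISO timestamp> <src-ip> login attempt [<user>/<password>] <ok|failed>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>ok|failed)$"
)

# Constructed sample: one Mirai-like scanner, one ordinary brute-force of a
# real user's password, and a single stray default-credential attempt.
SAMPLE_LOG = """\
2016-10-21T11:10:01 203.0.113.7 login attempt [root/xc3511] failed
2016-10-21T11:10:02 203.0.113.7 login attempt [root/vizxv] failed
2016-10-21T11:10:02 203.0.113.7 login attempt [admin/admin] failed
2016-10-21T11:10:03 203.0.113.7 login attempt [root/888888] ok
2016-10-21T11:12:40 198.51.100.9 login attempt [alice/Tr0ub4dor&3] failed
2016-10-21T11:12:45 198.51.100.9 login attempt [alice/correcthorse] ok
2016-10-21T11:30:00 192.0.2.50 login attempt [admin/admin] failed
"""


def parse(log_text):
    """Yield (timestamp, src, user, password, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"],
                   m["user"], m["pw"], m["result"])


def analyze(log_text, window=timedelta(seconds=60), min_attempts=3,
            min_default_ratio=0.75):
    """Return {src: summary} for sources that behave like the Mirai scanner.

    A source is flagged when it makes at least `min_attempts` attempts inside
    some `window`-long span and at least `min_default_ratio` of those attempts
    use a credential pair from MIRAI_DEFAULTS. The summary records which
    default pairs were tried and which of them produced a successful login:
    those are the factory credentials still live on the targeted device.
    """
    by_src = defaultdict(list)
    for ts, src, user, pw, result in parse(log_text):
        by_src[src].append((ts, (user, pw), result))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, first in enumerate(events):
            # Sliding window anchored at each event in turn.
            burst = [e for e in events[i:] if e[0] - first[0] <= window]
            if len(burst) < min_attempts:
                continue
            defaults = [e for e in burst if e[1] in MIRAI_DEFAULTS]
            if len(defaults) / len(burst) >= min_default_ratio:
                flagged[src] = {
                    "attempts": len(burst),
                    "default_pairs": sorted({e[1] for e in defaults}),
                    "successful_defaults": sorted(
                        {e[1] for e in defaults if e[2] == "ok"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

On a real log, a flagged source with a non-empty `successful_defaults` entry tells you exactly which factory credential is still live on the device that accepted it, which is the credential the FBI’s “change default credentials” bullet is about. The default-pair ratio keeps an ordinary brute-force of a user’s real password (the second source in the sample) from being misattributed to Mirai, and the attempt threshold keeps a single stray default-credential try (the third source) below the alert line.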

A copy of the FBI Notification can be found here.

DHS Guidance

On November 15, 2016, the DHS issued its own non-binding guidance for prioritizing IoT security, aimed at IoT developers, IoT manufacturers, service providers, industrial and business-level consumers.  According to the DHS, there are six non-binding principles that, if followed, will help account for security as stakeholders develop, manufacture, implement or use network-connected devices.

Principle #1 – Incorporate Security at the Design Phase

The DHS notes that security should be evaluated as an integral component of any network-connected device.  Building security “in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed.”  To that end, the DHS suggests the following practices:

  • Enable security by default through unique, hard to crack default user names and passwords.
  • Build the device using the most recent operating system that is technically viable and economically feasible.
  • Use hardware that incorporates security features to strengthen the protection and integrity of the device.
  • Design with system and operational disruption in mind.

Principle #2 – Advance Security Updates and Vulnerability Management

Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been sent to market.  The DHS notes these flaws can be mitigated through patching, security updates, and vulnerability management strategies.  Suggested practices include:

  • Consider ways to secure the device over network connections or through automated means.
  • Consider coordinating software updates among third-party vendors to address vulnerabilities and security improvements to ensure consumer devices have the complete set of current protections.
  • Develop automated mechanisms for addressing vulnerabilities.
  • Develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities.
  • Develop an end-of-life strategy for IoT products.

Principle #3 – Build on Proven Security Practices

According to the DHS, many tested practices used in traditional IT and network security can be applied to IoT, and can help identify vulnerabilities, detect irregularities, respond to potential incidents and recover from damage or disruption to IoT devices.  The DHS recommends NIST’s framework for cybersecurity risk management, which has been widely adopted by private industry and integrated across sectors.  Other suggested practices include:

  • Start with basic software security and cyber security practices, and apply them to the IoT ecosystem in flexible, adaptive and innovative ways.
  • Refer to relevant Sector-Specific Guidance, where it exists, as a starting point from which to consider security practices (e.g., the National Highway Traffic Safety Administration recently released guidance on Cybersecurity Best Practices for Modern Vehicles and the Food and Drug Administration released draft guidance on Postmarket Management of Cybersecurity in Medical Devices).
  • Practice defense in depth.
  • Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners.

Principle #4 – Prioritize Security Measures According to Potential Impact

The DHS recognizes that risk models differ substantially across the IoT ecosystem, and the consequences of a security failure will vary significantly.  The DHS therefore recommends:

  • Knowing a device’s intended use and environment, where possible;
  • Performing a “red-teaming” exercise where developers actively try to bypass the security measures needed at the application, network, data or physical layers; and
  • Identifying and authenticating the devices connected to the network, especially for industrial consumers and business networks.

Principle #5 – Promote Transparency Across IoT

Where possible, the DHS recommends that developers and manufacturers know their supply chain, and whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization.  This increased awareness could help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies.  Recommended practices include:

  • Conduct end-to-end risk assessments that account for both internal and third party vendor risks, where possible.
  • Consider the creation of a publicly disclosed mechanism for using vulnerability reports.
  • Consider developing and employing a software bill of materials that can be used as a means of building shared trust among vendors and manufacturers.

Principle #6 – Connect Carefully and Deliberately

The DHS notes that consumers, particularly in the industrial context, should “deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.”  To that end, suggested practices include:

  • Advising IoT consumers on the intended purpose of any network connections;
  • Making intentional connections; and
  • Building in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity.

A copy of the DHS guidance can be found here.

NIST Guidelines

On November 15, 2016, NIST released its own guidance advising IoT manufacturers and developers to build security safeguards into their systems and to monitor those systems on a regular basis.  NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems.  The new NIST Special Publication 800-160, Systems Security Engineering, is the product of four years of research and development.  It focuses largely on the engineering activities required to ensure connected devices can withstand and recover from cyber attacks, and lays out dozens of technical standards and security principles for developers to consider.

A complete copy of the NIST guidance can be found here.

Congressional Hearing

One day after the DHS and NIST guidance was released, on November 16, 2016, the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.”  The witnesses were Dale Drew of Level 3 Communications, Kevin Fu of Virta Labs and the University of Michigan, and Bruce Schneier from the Berkman Klein Center at Harvard University.

The witnesses uniformly cautioned that, while the October DDoS attack targeted only popular websites and not critical infrastructure, attacks on critical infrastructure, including public safety and hospital systems, are likely.  Each witness stressed the importance of addressing vulnerabilities at the outset of developing technology, and urged greater oversight by lawmakers.

A video of this hearing can be found here.

White House Issues Presidential Directive Coordinating Government Response To “Cyber Incidents”

On July 26, 2016, President Obama issued a new Presidential Directive setting forth the framework for how the United States (US) federal government will respond to “cyber incidents,” whether involving government or private sector entities.  The new directive (PPD-41):

  • Outlines guiding principles governing the federal government’s response to “cyber incidents”;
  • Sets forth the concurrent lines of effort federal agencies shall undertake in responding to any “cyber incident,” whether private or public;
  • Identifies the ways the federal government will coordinate its activities in responding to “significant cyber incidents,” including the establishment of lead US federal agencies; and
  • Requires the US Departments of Justice (DOJ) and Homeland Security (DHS) to maintain updated contact information for public use to assist entities impacted by “cyber incidents” in reporting those incidents to the proper authorities.

Definitions

  • Cyber Incident: PPD-41 defines “cyber incident” as an event “occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
  • Significant Cyber Incident: PPD-41 defines a “significant cyber incident” as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

Guiding Principles

In carrying out its incident response activities, the federal government is to be guided by the following principles:

  • Shared Responsibility: Individuals, the private sector, and government agencies have a “shared vital interest and complementary roles and responsibilities” in protecting the US from malicious cyber activity and managing cyber incidents and their consequences.
  • Risk-Based Response: The federal government will determine its response actions on an “assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.”
  • Respecting Affected Entities:  Federal government responders will “safeguard details of the incident,” to the extent permitted under law, as well as “privacy and civil liberties, and sensitive private sector information[.]”  In the event a “significant” federal government interest is served by a public statement concerning the incident, federal responders are to coordinate their approach with the affected entity.
  • Unity of Governmental Effort:  The efforts of the various governmental entities must be coordinated to “achieve optimal results.”  Therefore, whichever federal agency “first becomes aware of a cyber incident will rapidly notify other relevant” federal agencies in order to facilitate a unified response, and will coordinate with relevant state, local, tribal and territorial governments as appropriate.
  • Enabling Restoration and Recovery: Federal response activities are to be conducted “in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident[.]”

Concurrent Lines of Effort

In responding to a cyber incident, federal agencies are required to take three “concurrent lines of effort:”

  1. Threat response;
  2. Asset response; and
  3. Intelligence support and related activities.

Where a federal agency is the affected entity, it shall undertake a fourth concurrent line of effort “to manage the effects of the cyber incident on its operations, customers and workforce.”

Threat Response

Threat response activities include:

  • Conducting appropriate law enforcement and national security investigative activity at the affected entity’s site;
  • Collecting evidence and gathering intelligence;
  • Providing attribution;
  • Linking related incidents;
  • Identifying threat pursuit and disruption opportunities;
  • Developing and executing courses of action to mitigate the immediate threat; and
  • Facilitating information sharing and operational coordination.

Asset Response

Asset response activities include:

  • Furnishing technical assistance to affected entities to protect their assets;
  • Mitigating vulnerabilities;
  • Identifying other entities that may be at risk;
  • Assessing potential risks to the sector; and
  • Facilitating information sharing and operational coordination.

Intelligence Support and Related Activities

Intelligence support and related activities will facilitate:

  • The building of “situational threat awareness and sharing of related intelligence;”
  • The integrated analysis of threat trends and events;
  • The identification of knowledge gaps; and
  • The ability to degrade or mitigate adversary threat capabilities.

Impacted Government Agency

An affected federal agency will engage in a fourth concurrent line of effort to manage the impact of a cyber incident, which may include:

  • Maintaining business or operational continuity;
  • Addressing adverse financial impacts;
  • Protecting privacy;
  • Managing liability risks;
  • Ensuring legal compliance;
  • Communicating with affected individuals; and
  • Dealing with external affairs.

Architecture of Federal Government Response Coordination For Significant Cyber Incidents

PPD-41 directs the federal government to coordinate its activities in response to a “significant cyber incident” in three ways: (1) National Policy Coordination; (2) National Operational Coordination; and (3) Field-Level Coordination.

National Policy Coordination

The National Security Council’s Cyber Response Group (NSC CRG) will “coordinate the development and implementation” of US “policy and strategy with respect to significant cyber incidents affecting the” US or “its interests abroad.”

The NSC CRG is a White House-led, Assistant Secretary-level interagency policy coordination group that coordinates policy-related issues for National Security Council and Homeland Security Council review as outlined in Presidential Policy Directive-1.

National Operational Coordination

  • Agency Enhanced Coordination Procedures: Each federal agency that regularly participates in the CRG shall “establish and follow enhanced coordination procedures as defined in the annex” to PPD-41 “in situations in which the demands of responding to a significant cyber incident exceed its standing capacity.”
  • Cyber Unified Coordination Group:  A Cyber Unified Coordination Group (UCG) will serve as the “primary method for coordinating between and among” federal agencies “in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts.”  A Cyber UCG will be formed at the direction of the National Security Council, or when two or more federal agencies that generally participate in the CRG request its formation.  A Cyber UCG will also be formed when a “significant cyber incident affects critical infrastructure owners and operators” identified by the DHS.
  • Federal Lead Agencies:  In order to ensure the Cyber UCG “achieves maximum effectiveness in coordinating responses to significant cyber incidents,” the following agencies will serve as federal lead agencies:
    • Threat Response: The DOJ, acting through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF), will lead the government’s “threat response” activities.
    • Asset Response: The DHS, acting through the National Cybersecurity and Communications Integration Center, will lead the government’s “asset response” activities.
    • Intelligence Support: The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will lead the government’s “intelligence support” activities.

Field-Level Coordination

Field-level representatives of the federal asset or threat response lead agencies “shall ensure that they effectively coordinate their activities within their respective lines of effort with each other and the affected entity.”

Unified Public Communications

PPD-41 requires the DHS and DOJ to “maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant” federal agencies about a cyber incident.

To read the full text of PPD-41, click here.

The Ashley Madison Breach: Canada-Australia Report of Investigation and Takeaways for all Organizations

On August 23, 2016, the Office of the Privacy Commissioner of Canada (OPC) released its joint report with the Office of the Australian Information Commissioner (OAIC) regarding its investigation of the 2015 Ashley Madison breach.

The report articulates several takeaways for all organizations. However, if there is one key lesson to be learned, it is that the OPC considers a solid information compliance and governance program to include documented policies and procedures. An organization’s safeguards should be adopted with “due consideration of the risks faced” and within a formal framework to ensure their proper management.

The following summarizes the report by the OPC and OAIC including several takeaways for all organizations.

The Breach

As many recall, on June 12, 2015, a group identified as ‘The Impact Team’ hacked Avid Life Media, Inc. (ALM), headquartered in Toronto, Canada and operator of Ashley Madison and several other dating websites.

It is believed the intrusion took place over several months, beginning with the compromise of an employee’s valid account credentials, which were then used to explore ALM’s systems until ALM’s information technology team detected unusual behavior on July 12. The next day, ALM computers displayed warning notices from The Impact Team stating that ALM had been hacked and threatening to expose the personal information of Ashley Madison users unless ALM shut down the website. The Impact Team published its actions and threats on the internet on July 19. The OPC contacted ALM soon after, and ALM voluntarily reported the details of the breach. On August 18 and 20, 2015, after its demands were not met, The Impact Team published information allegedly taken from ALM on approximately 36 million Ashley Madison users from around the world.

The Personal Information Exposed

The sensitive personal information exposed by The Impact Team fell into three main categories:

  1. Profile information describing the users, including names, physical descriptions, dates of birth, experiences sought through Ashley Madison, and details relating to intimate desires and personal and sexual interests.
  2. Account information such as e-mail addresses, security questions and answers and hashed passwords.
  3. Billing information for users who made purchases on Ashley Madison, including real names, billing addresses and the last four digits of credit cards. (Note: As billing information was stored by ALM’s third party processor, it is strongly believed the third party processor was also hacked by The Impact Team).

The sophisticated and targeted hack made it a challenge to determine the extent of the access gained by The Impact Team. ALM reported to the OPC and OAIC, as well as notified affected individuals, that exposed information could also include photos and communications between users.

Canadian and Australian Joint Investigation

The OPC and OAIC did not focus on, or report any conclusions about, the cause of the breach itself. The report is an assessment of ALM’s practices against its obligations under both the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act. The OAIC established an “Australian link” (s. 5B(1A) of the Australian Privacy Act) with the foreign-based ALM as a result of ALM’s targeting of its services to Australians, its collection of personal information of Australian residents and its advertising in Australia. The collaboration was made possible by the OPC’s and OAIC’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement.

Report of Findings and Takeaways for all Organizations

1. Safeguards

Under both PIPEDA and the Australian Privacy Act, organizations must protect personal information by safeguards appropriate to the sensitivity of the information from loss and unauthorized access, use, disclosure, etc. Both jurisdictions require a similar assessment of the risk of harm to individuals. The Commissioners agreed the key risk for users of Ashley Madison was reputational harm.

Discretion and secrecy in being a member of AshleyMadison.com was a central marketing and legal representation to its users. ALM also stated to the OPC and OAIC that protection of its customers’ confidence was a core element of its business. ALM advertised a series of trust-marks including “Trusted Security Award”, “100% Discreet Service” and “SSL Secure Site” on the front page of AshleyMadison.com. It was later discovered that some of these trust-marks were fabricated. Further, the Terms of Service warned users that the security and privacy of information could not be guaranteed, a statement many organizations include in their policies. However, the OPC and OAIC found the qualifier in the Terms of Service did not absolve ALM of its obligations.

The Commissioners found ALM lacked appropriate safeguards considering the sensitivity of the personal information. The safeguards adopted by ALM allegedly did not consider the risks individuals could face as a result of unauthorized access.

Key elements ALM’s safeguards allegedly lacked included:

  • a comprehensive information security program expected of an organization collecting and processing such sensitive personal information.
  • documented information security policies and procedures for managing network permissions including critical gaps in security coverage indicative of the absence of documented policies and practices.
  • an adequate intrusion detection or prevention system, a security information and event management (SIEM) system, or data loss prevention monitoring; and
  • adequate training for all staff and senior management

Takeaways regarding safeguards for all organizations

  • Organizations should have documented privacy and security practices as part of their compliance program
  • The sensitivity of the personal information collected must be considered when determining and developing an organization’s information and security program
  • Organizations should conduct regular and documented audits and risk assessments
  • Documenting your privacy and security practices can assist your organization identify gaps
  • Training of all employees, including senior management is part of a functional and robust compliance program.

2. Indefinite Retention and Paid Deletion of User Accounts

Both PIPEDA and the Australian Privacy Act place limits on the length of time that personal information may be retained and require organizations to take reasonable steps to destroy or de-identify information no longer needed for any purpose.

The investigation highlighted that the information of deactivated accounts, as well as of accounts that had not been used for a prolonged period, was retained by ALM indefinitely. Further, at the time of the breach, Ashley Madison provided users with two methods to close an account: a basic deactivation that would allow users to reactivate their accounts in the future should they choose to, and a full deletion, for a fee of CAD $19, that would delete all personal information within 48 hours (Note: This fee was not disclosed in ALM’s privacy policy or terms of service). However, it was alleged that ALM did not delete all personal information and retained certain financial information, in case of chargebacks, for a period of up to 12 months following the purchase of a full deletion. ALM presented statistics to the OPC and OAIC showing that any chargebacks would occur within 6 months of the date of purchase. Among those affected by the breach were individuals who had purchased the full deletion and likely believed their information had been destroyed.

The OPC and OAIC had the following findings regarding retention and deletion:

  • ALM had data showing that the vast majority of users who deactivated their account reactivated it within 29 days. As such, ALM could not justify indefinite retention of the information of users who had deactivated their accounts. Further, it was not clear to users that their information would be retained indefinitely.
  • Accounts that had been inactive for prolonged periods were retained indefinitely. While such users did not give an affirmative indication of their intent to stop using their account, the justification for retaining personal information diminishes over an extended period of time. The lack of clear retention limits and the inability to justify retaining inactive profiles indefinitely contravened PIPEDA and the Australian Privacy Act.

The OPC and OAIC varied in their conclusions regarding the retention of information of users who purchased the full delete option.

  • Under the Australian Privacy Act, ALM is required to destroy or de-identify personal information once it no longer needs it for any primary purpose (delivering its online dating services) and may retain data for a secondary purpose (here, addressing the risk of chargeback fraud) only for a limited period. ALM provided sound business and legal reasons to retain the financial data, and the OAIC found ALM had a reasonable basis to retain the financial information for 12 months.
  • The OPC likewise found ALM’s retention of financial information for 12 months following a full delete, to address chargebacks, to be justified (Note: ALM has reduced the retention period to 6 months since the breach); however, the OPC found ALM contravened PIPEDA as a result of photos that were retained in error following a full deletion.

The OPC found ALM’s practice of charging a CAD $19 fee for withdrawal of consent and full deletion contravened PIPEDA, as ALM did not disclose the fee at the time of sign-up, and the OPC was not convinced ALM met the high burden required to charge such a fee. ALM no longer charges a fee for full deletion.

Takeaways regarding deletion and retention for all organizations

  • While PIPEDA is silent on whether organizations may charge a fee to delete their personal information, the OPC has established a high bar in demonstrating such a fee is reasonable.
  • If a fee were reasonable, it must be clearly disclosed and communicated prior to an individual providing consent.
  • Organizations should document retention policies based on a demonstrable rationale and timeline
  • Organizations must clearly disclose and communicate such retention timelines to individuals
  • Organizations should review and audit their practices to ensure information is being deleted and de-identified accordingly.

3. Accuracy of Email Addresses

Both PIPEDA and the Australian Privacy Act require organizations to take steps to maintain the quality and accuracy of the personal information they collect and use.

ALM collects e-mail addresses in order to create accounts and send confirmation, support and marketing e-mails. ALM’s practice was not to verify e-mail addresses, which it characterized as a way of enhancing privacy; ALM also feared verification would discourage some individuals from signing up. A subset of the e-mail addresses involved in the breach belonged to people who had never used Ashley Madison. ALM admitted it was aware that some users do not provide their real e-mail addresses when they register, and that it was therefore in possession of e-mail addresses belonging to non-users.

Given the sensitivity of the Ashley Madison service and the possible harm a non-user could face, the OPC and OAIC found ALM did not take reasonable steps to ensure the e-mail addresses were accurate. The Commissioners did not accept ALM’s argument that making the e-mail address field mandatory, but not verified, enhances the privacy of its users. The Commissioners found that such an approach creates an unnecessary risk to non-users in order to give users a way to deny their association with Ashley Madison. The Commissioners highlighted other options available to ALM to address this issue and emphasized that ALM is responsible for all information it collects, including personal information supplied by a user that does not belong to that user (for example, a user registering with an e-mail address that is not theirs), and must consider the possible harm to the non-user.

Takeaways regarding accuracy for all organizations

  • The level of accuracy required of an organization depends on the foreseeable consequences of inaccuracy.
  • Organizations must take reasonable steps to ensure information in their possession is accurate.
  • Organizations are responsible for all information in their control, including information that belongs to non-users, non-customers or other third parties who did not directly provide their information to the organization.
  • The requirement to maintain accuracy must include considering the interests of all individuals about whom information might be collected, including non-users, non-customers and other third parties.

4. Requirement for transparency and informed consent

PIPEDA states that consent is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use and disclosure of the personal information to which they are consenting. PIPEDA also requires organizations to make their information-handling practices readily available and understandable to individuals.

The OPC analyzed two issues: first, whether ALM’s privacy practices were adequate under PIPEDA, and second, whether the privacy practices in place at the time individuals consented to provide their information to ALM were adequate and whether consent was obtained without deception.

Generally, the OPC found that while ALM did provide some information about its security safeguards, account closure options and retention practices, critical elements of its practices that would be material to a user’s decision to join Ashley Madison were not as clear as they should have been. For example:

  • The fabricated “trusted security award” trust-mark.
  • Language in the privacy policy and the terms and conditions was not consistent regarding retention of personal information, and could confuse a user or lead them to expect that inactivity alone would result in the deactivation or deletion of their information.
  • The fee required for a full deletion was not disclosed until after an account had been created.
  • Users who requested a full deletion were not informed until after they had paid the fee that their information would in fact be retained for an additional 12 months.

The OPC found ALM did not meet its obligations under PIPEDA to be open and transparent about its policies and practices for managing personal information. The OPC further found that the lack of clarity regarding certain practices could materially affect a prospective user’s informed consent to join Ashley Madison and to allow the collection, use and disclosure of their personal information.

Takeaways regarding transparency for all organizations

  • Organizations must be cautious about the representations they make in their privacy policies and terms and conditions.
  • Omission or lack of clarity in material statements may also affect the validity of consent. Organizations should make an effort to ensure an individual understands the nature, purpose and consequences of their consent.
  • Organizations’ privacy policies, terms of service and other disclosures of practices should be clear and should inform individuals before or at the time they consent.

The Commissioners noted that ALM was cooperative during the investigation. ALM has entered into a compliance agreement with the OPC and an enforceable undertaking with the OAIC. The events of the hack and the report by the Commissioners provide important lessons for all organizations that collect personal information.

To read details of the compliance agreement with the OPC and the steps Avid Life Media has committed to take, click here.

The news release issued by the OPC on August 23, 2016 can be found here.

The OPC’s summary of takeaways for all organizations can be found here.

To read the full joint report of the investigation by the OPC and OAIC click here.


Legislative Alert: Bill S-4, an Act to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), passed in the House of Commons.

Today, June 18, 2015, Bill S-4, the Digital Privacy Act, was passed by a vote of Canada’s House of Commons. Bill S-4 had previously been passed by Canada’s Senate.

The Digital Privacy Act includes important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These include:

Mandatory Breach Notification

When the amendments come into force (on a date yet to be determined), Canada will have a new federal data breach reporting law. An organization will be required to notify the Office of the Privacy Commissioner of Canada following a breach of security safeguards involving personal information under its control when there is a real risk of significant harm to individuals from the breach. Organizations will also be required to notify affected individuals in these circumstances.

Record Keeping

An organization will also be required to keep a record of every breach of security safeguards involving personal information under its control and, upon request, to provide the Office of the Privacy Commissioner with access to that record.

Bill S-4 provides other provisions and amendments, including compliance agreements and fines, which Timothy Banks of Dentons LLP previously discussed [http://www.privacyandcybersecuritylaw.com/canadas-digital-privacy-rethink-fines-enforceable-compliance-agreements-and-more].

We will continue to report on Bill S-4 and compliance strategies over the coming months.
