Ten Takeaways from the Ashley Madison Data Breach

The most publicized data breach of 2015 involving a Canadian company definitely occurred when the Ashley Madison site was hacked into, exposed 31 million accounts last summer. Avid Life Media (since named Ruby Corp.) received a great deal of media attention due to the scale and sensitivity of the data that was accessed from its online infidelity site and publicly disclosed.

The Office of the Privacy Commissioner of Canada (OPCC) and the Australian Privacy Commissioner commenced a joint investigation and issued a detailed, extremely informative Report of Findings last week. Organizations, particularly those who collect, use or disclosure potentially sensitive information, are encouraged to review the full decision, however the OPC created a shorter executive summary version: Ashley Madison Investigation – Takeaways for all Organizations. This is a useful synopsis as it makes the findings easily and quickly available to all organizations. The takeaways are as follows:

  1. Harm beyond financial impacts needs to be considered. For example, reputational harm resulting from a data breach could have a long term effect on individuals.
  2. A good information security governance framework is needed to support safeguards. This helps to ensure that personal information-handling practices are appropriate to the risks associated with a breach, and that they are consistently implemented.
  3. Documenting security policies and procedures is a critical organizational safeguard that provides clarity around security-related expectations for staff.
  4. Conducting and documenting privacy risk assessments is also an important organizational safeguard as this identifies gaps that need to be addressed in order to minimize risk.
  5. Remote administrative access should only be allowed if multi-factor authentication is in place.
  6. Charging a fee for deletion of personal information (withdrawing consent) needs to be well thought out and clearly communicated prior to an individual providing consent in the first place.
  7. Retention policies and timelines need to be justifiable based on the purposes for keeping personal information.
  8. The foreseeable consequences of inaccuracy, including the potential damage to non-users of a service, need to be considered when determining the level of accuracy required.
  9. False or misleading assurances about your organization’s privacy practices call into question the validity of consent to the collection, use and disclosure of personal information.
  10. Failure to be open about personal information handling practices, including being unclear or omitting key practices, may also bring into question the validity of consent.

To determine whether you are living up to the 10 tips above, as outlined by the OPCC, or for assistance with completing a privacy risk assessment, contact PRIVATECH.