Every now and then, a data breach is widely publicized by the media. Obviously, the Ashley Madison breach had all of the characteristics to attract such coverage. As you may recall, Ashley Madison is a website targeted at people seeking extra-marital affairs, operated by Avid Life Media Inc. [ALM], headquartered in Canada. On July 13th, 2015, a notice on ALM’s employees’ computers revealed that the business had been hacked by “The Impact Team”. The hackers issued an ultimatum to ALM, urging them to take down the website. ALM refused, and the details of the 36 million user accounts were eventually published online.
The data breach, given its scale and impact, prompted a joint investigation between the Australian Office of the Information Commissioner and the Canadian Office of the Privacy Commissioner [OPC]. The resulting report was published on August 23rd, 2016, on the OPC’s website and examines the safeguards ALM had in place at the time of the breach in light of the Canadian Personal Information Protection and Electronic Documents Act [PIPEDA] and the Australian Privacy Act 1988.
The case constitutes an opportunity to exemplify the legal obligations of businesses under PIPEDA, while illustrating the numerous issues that fast-growing and emerging companies face when trying to keep up with their obligations. Here are five lessons drawn from the joint report which I believe to be valuable when evaluating how to protect your organization’s most valuable asset – data.
Not exactly. In fact, this is what ALM initially tried to do. But the OPC’s report is clear: consent, even assuming that it is informed and voluntary (which was not the case in the Ashley Madison affair), does not waive the organization’s responsibilities under PIPEDA.
The general principle under PIPEDA is that personal information must be protected by adequate safeguards. The nature of the safeguards depends on the sensitivity of the information. This context-based evaluation takes into account the potential risks to individuals (e.g. their social and physical well-being) from an objective standpoint (whether the corporation could reasonably have foreseen the sensitivity of the information). In the Ashley Madison case, the OPC found that the “level of security safeguards should have been commensurately high”.
The OPC specified the “need to implement commonly used detective countermeasures to facilitate detection of attacks or identify anomalies indicative of security concerns”. It is not enough to be passive. Corporations holding sensitive information are expected to have an Intrusion Detection System and a Security Information and Event Management System implemented (or data loss prevention monitoring) (paragraph 68).
For businesses like ALM, multi-factor authentication for administrative access to the VPN should have been implemented. In other words, at least two of the following three types of identification are necessary: (1) something you know, e.g. a password; (2) something you are, such as biometric data; and (3) something you have, e.g. a physical key.
As cybercrime becomes increasingly sophisticated, deciding on the proper solutions for your corporation is a difficult task that may be best left to experts. An all-inclusive option is to opt for Managed Security Services (MSS) adapted either for larger corporations or for SMBs. The objective of MSS is to identify missing controls and subsequently implement a comprehensive security program with Intrusion Detection Systems, Log Management and Incident Response Management. Subcontracting MSS also allows enterprises to have their servers monitored 24/7, significantly reducing reaction time and damages while keeping internal costs low.
Statistics are alarming: IBM’s 2014 Cyber Security Intelligence Index concluded that 95 percent of all security incidents during the year involved human error. In 2015, another report found that 75% of large organisations and 31% of small businesses had suffered staff-related security breaches in the previous year, up from 58% and 22% respectively the year before.
The Impact Team’s initial path of intrusion was enabled through the use of an employee’s valid account credentials. A similar intrusion scheme was more recently used in the DNC hack (use of spearphishing emails).
The OPC rightly reminded corporations that “adequate training” of employees, but also of senior management, ensures that “privacy and security obligations” are “properly carried out” (par. 78). The idea is that policies should be applied and understood consistently by all employees. Policies should be documented and include password management practices.
Here, the OPC’s criticism of ALM was stern:
“[..], those safeguards appeared to have been adopted without due consideration of the risks faced, and absent an adequate and coherent information security governance framework that would ensure appropriate practices, systems and procedures are consistently understood and effectively implemented. As a result, ALM had no clear way to assure itself that its information security risks were properly managed. This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organization that holds sensitive personal information or a significant amount of personal information […]”. – Report of the Privacy Commissioner, par. 79
PIPEDA imposes an obligation of accountability that requires corporations to document their policies in writing. In other words, if prompted to do so, you must be able to demonstrate that you have business processes in place to ensure legal compliance. This can include documented information security policies or practices for managing network permissions. The report designates such documentation as “a cornerstone of fostering a privacy and security aware culture including appropriate training, resourcing and management focus” (par. 78).
If you seek to establish a governance framework for your corporation, you may find it helpful to rely on governance professional services and consulting. This can include the ground-up creation of corporate security policies, the development of a secure architecture for the organization’s infrastructure, or formal privacy impact assessments.
Accountability under PIPEDA also involves the necessity to conduct regular and documented risk assessments: corporations are required to have “an explicit risk management process – including periodic and pro-active assessment of privacy threats, and evaluations of security practices” (par. 78). Risk assessments are critical to decision-making and must be conducted in accordance with the latest technological developments, threats and industry standards.
One of the recommendations which I noticed to be recurrent throughout the joint report is that businesses without sufficient resources to carry out their obligations internally should refer to external expertise.
In this fast-evolving and complex industry, it is understandable to wonder whether your corporation’s cybersecurity, information protection, and policy handling are adequate. Could criminals access our data? Are our internal information systems secure enough that even an ill-intentioned employee could not access confidential information? Are our policies sufficient to avoid legal liability should a data breach occur?
If you share these concerns, then it may be worth opting for a cybersecurity posture assessment to learn where you currently stand in terms of security and where you should go, a comprehensive gap analysis, or penetration testing to uncover potential vulnerabilities in your environment.
The Ashley Madison data breach is an accurate portrait of the online data protection nightmare. It led to disastrous consequences for both the corporation and its users. For the former, the financial blow-backs include the cost of implementing the OPC’s recommendations and of carrying out major internal changes in a constrained timeframe. Most importantly, however, they include the cost of a 578 million class action over the data breach filed by two Canadian law firms.
Obviously, the reputation of the company was severely affected – a situation which was exacerbated by revelations included in the leaked data. Among other things, it was reported that in 2014 alone the company banked 1.7 million from a $19 full deletion fee which manifestly did not work (and was contrary to principle 4.3.8 of PIPEDA, according to which an individual may withdraw consent to the holding of personal information at any time, subject to legal or contractual restrictions and reasonable notice). Leaks also demonstrated that the vast majority of female accounts on the website had been set up by administrators to lure male clients.
For users, the damages are plain enough, with clear threats to their social and physical well-being, going as far as to include suicides and extortion.
The consequences of poor cybersecurity are far-reaching: financial blow-backs, lawsuits, loss of clientele, reputational damage and, lastly, exposure of trade secrets, intellectual property and/or internal practices. When the risks are this high, it is no surprise that the Office of the Privacy Commissioner recommends external expertise to guarantee compliance.