This fall, the Office of the Privacy Commissioner of Canada (the “OPC”) and the Australian Privacy Commissioner released a joint report summarizing their findings following an investigation into the Ashley Madison cyber-attack. The report discusses the shortcomings of Ashley Madison’s security policies and procedures that led to the breach. The report sends a strong signal to private organizations that the OPC is serious about enforcing the privacy principles of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). It also underscores the importance for policy underwriters and insurance brokers to scrutinize the insured’s ongoing compliance with PIPEDA.
Last summer, Avid Life Media Inc. (“AML”), a Canadian private company that operates a number of adult dating websites (including Ashley Madison), became the target of a major cyber-attack resulting in the disclosure of the personal information of 36 million accounts. The hacker demanded that ALM shut down the Ashley Madison website as well as another website. Failure to comply would result in the hacker publishing the stolen data online. ALM ignored the hacker’s demands, and the stolen data was ultimately posted online (including names, addresses, credit card information and other personal information). As a result of the breach, many Ashley Madison users claimed to have suffered significant reputational and financial harm, and ALM now faces a $578 million class action lawsuit brought by the affected individuals.
As a result of the breach, the OPC launched an investigation, following which it issued a joint report with its Australian counterpart that outlined several key takeaways, which can apply to any organization that collects, uses and discloses personally identifiable information: (i) information security; (ii) retention and deletion of information, (iii) accuracy of email addresses; and (iv) misleading security claims.
As a general proposition, the level of protection required for the collection, use and disclosure of personally identifiable information under PIPEDA varies depending on the circumstances. It takes into account the nature and the sensitivity of the data as well as the potential harm to individuals from unauthorized access, disclosure, copying, use or modification.
The OPC’s definition of potential harm is broad, encompassing not only risk of financial loss to individuals, but also risk to their physical and social well-being, including potential impact on relationships, reputational risks, embarrassment and humiliation. Accordingly, when collecting personal information, organizations should consider the potential harm that disclosure of that information would cause and design their information security policies and procedures accordingly.
In ALM’s case, while users were warned that the security or privacy of their information could not be guaranteed, and any access or transmission of personal information through the use of the Ashley Madison website was done at the user’s own risk, the OPC found that this type of a disclaimer is not sufficient to absolve an organization of its legal obligations. Further, given the highly sensitive nature of the personal information collected by ALM, any disclosure of that information would pose a significant risk of harm to users. Accordingly, the OPC concluded that AML should have employed higher information security standards.
Retention and Deletion
Under PIPEDA, organizations have an obligation to retain personal information only as long as required for the purposes for which it was collected (subject to legal or contractual restrictions and reasonable notice).
In this case, ALM retained for an indefinite period the personal information of users who had deactivated their accounts or whose accounts were inactive. Users who exercised their ‘full delete’ option and paid the requisite fee could have their personal information destroyed or erased. While PIPEDA is silent on whether organizations can charge a fee to do so, the OPC found that charging a fee to withdraw consent contravenes PIPEDA.
At the time of registration, ALM required that all registrants provide an email address. However, the authenticity of the email addresses provided was not verified. The absence of email address verification created unnecessary reputational risks for non-users — allowing, for example, the creation of a potentially reputation-damaging fake profile using a real email address. Following the breach, non-users whose email addresses may have been released by the hacker with ALM may be harmed and also have a claim against the organization for maintaining their personal information without their consent. This situation is a clear reminder that organizations managing sensitive data and collecting email addresses should implement an email verification process.
It is not uncommon for organizations to display a seal or icon claiming to have a certain level of security. At the time of the breach, the Ashley Madison website was displaying a fabricated “Trusted Security” icon, giving a misleading impression to users about the organization’s security level. The OPC found that false or misleading statements, including fake or misleading seals or icons, may impact the validity of the consent obtained from users, as it may create false assurances which may materially influence an individual’s decision to use a particular service.
In an era where cyber-attacks are increasing in frequency, sophistication and magnitude, the OPC’s joint report is particularly enlightening as it underscores the Privacy Commissioner’s expectation of organizations when it comes to compliance with PIPEDA in the context of cyber-attack.
Recognizing that an increasing number of organizations are actively seeking cyber coverage as a risk mitigation strategy, underwriters and insurance brokers should ensure that the basic requirements under PIPEDA are not only implemented by the insureds, but also routinely reviewed with appropriate modifications being made. For example, at the time a policy is being issued or renewed, the insured should be required to provide detailed information about its governance structure and security measures. This information should be accompanied by an honest discussion about the nature of the information held by the organization and the potential impact of that information being comprised as a result of a cyber-attack. In some instances, it may be helpful to retain external counsel and/or consultants to conduct an independent assessment of the insured’s compliance with PIPEDA. The report generated through this process can inform the underwriting process (or the conduct of compliance audits after a policy is issued).