Public censure can lead to the worst outcomes for businesses responsible for data privacy failings, says expert

Out-Law News | 25 Aug 2016 | 12:04 pm | 2 min. read

A public censure from a data protection authority can lead to the worst outcomes for businesses responsible for data privacy failings, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law, said the impact a public censure can have on consumer trust in an organisation and on its profitability can be greater than any regulatory penalties it might be issued with.

Dautlich was commenting after privacy watchdogs in Australia and Canada closed a joint investigation into the circumstances behind the Ashley Madison data breach, which saw personal data of millions of the website's users posted on the internet. The authorities found that Toronto-based Avid Life Media (ALM), the company behind the website, was responsible for a series of breaches of privacy laws in both countries.

The Office of the Privacy Commissioner of Canada (OPC) and the Office of the Australian Information Commissioner (OAIC) have both accepted commitments from Avid Life Media to take steps to improve information security and comply with local legislation.

"By entering into a compliance agreement with the Canadian commissioner and enforceable undertaking with the Australian commissioner, the company will be subject to penalties should they fail to comply with privacy laws in a timely fashion," Dautlich said. "Perhaps most damaging to the business however, will be the reputational consequences of having been formally censured by the two watchdogs and the long-term impact on the business’ bottom line as a result."

"Ashley Madison’s shortcomings were generally avoidable through relatively straightforward measures, and the cost of the consequences which it has now incurred is far greater than the cost of prevention would have been," he said.

In their report, the privacy watchdogs flagged failings in data security that Avid Life Media was responsible for.

"Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security," the Canadian and Australian authorities said in their report. "Certain security safeguards in some areas were insufficient or absent at the time of the data breach."

The OPC and OAIC also said that a fake security trust-mark had been displayed on the Ashley Madison website and that it had therefore tried to deceive users of the website into believing that it applied high standards of data security that had been independently endorsed.

In doing this, the company failed to ensure that it obtained valid consent from users for the collection and processing of their data, the report said.

"Given the nature of the services being offered by the Ashley Madison website (that is, facilitating affairs) and the discretion sought and expected by users, it is reasonable to expect that some individuals might have chosen not to share their personal information with ALM if they had not been misled at registration by the fictitious security trust-mark, and if they had been made aware that ALM would retain their information indefinitely unless they paid a fee for deletion," the report said.

Canada's privacy commissioner Daniel Therrien said it is "unacceptable" for organisations to hold large amounts of sensitive personal data without having in place "a comprehensive information security plan".

The OPC and OAIC said there were lessons for all organisations to learn from the Ashley Madison case. One of the lessons is that businesses should ensure they have "a coherent and adequate governance framework" to support privacy safeguards.

"To meet their obligations under [Canadian privacy laws], any organisation that holds large amounts of PI (personal information) must have safeguards appropriate to, among other factors, the sensitivity and amount of information collected," the authorities said.

"Moreover, such safeguards should be supported by an adequate information security governance framework, to ensure that practices are 'appropriate to the risks' and 'consistently understood and effectively implemented.' In the context of ALM, the investigation concluded that the lack of such a framework was an 'unacceptable shortcoming' which 'failed to prevent multiple security weaknesses'," they said.

The watchdogs said organisations that hold sensitive personal data or large volumes of personal information of any kind should implement a range of "information security measures". These include operating a security policy, accounting for information security issues within risk management processes, and providing adequate privacy and security training for all staff.