A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services.
Just before the Christmas holidays, Toronto-based Avid Life Media Inc. (ALM) agreed to pay US$1.6 million and implement a comprehensive data-security program, including third-party assessments, to settle claims by the FTC, which worked in collaboration with 13 U.S. states. According to the FTC complaint, until August 2014, operators of the site “lured” customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members.
ALM, now known as ruby Corp., still faces a slew of class actions stemming from the data breach, and in a move to dismiss the claims, it is arguing that plaintiffs agreed to an arbitration clause and a class action waiver when they signed up. Plaintiffs’ attorneys counter that the arbitration provision is “buried after pages of legalese.” (Over the past decade thousands of U.S. businesses have used arbitration “to create an alternative system of justice” that tends to favour businesses, according to an investigation by the New York Times.)
Closer to home, Canada’s privacy watchdog says that more enforcement powers would have been “useful” to deal with the numerous privacy violations committed by ALM.
A joint year-long probe by Canadian and Australian privacy commissioners, launched after the massive data breach, found that ALM had inadequate or nonexistent security safeguards and policies while marketing itself as a discreet and secure way for consenting adults to have affairs. The company even went so far as to use fictitious security trustmarks on Ashley Madison’s homepage to reassure users and convey the impression that the website had a high level of security and discretion.
Under a compliance agreement with the Office of the Privacy Commissioner of Canada (OPC) and an enforceable undertaking with the Office of the Australian Information Commissioner (OAIC), the company agreed to conduct a comprehensive review of its information security systems, strengthen its security framework, document its efforts, ensure adequate training of staff, and provide a report from an independent third party documenting the measures it has taken to come into compliance.
“Theoretically this is the kind of case where additional enforcement powers would have been useful,” said federal Privacy Commissioner Daniel Therrien. “It’s not that in the absence of these powers we do not have influence. But other jurisdictions in the U.S. and Europe have order-making powers and can impose fines so clearly the question whether the OPC should have these powers arises.”
At present, under the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy commissioner can only make non-binding recommendations and has no power to make orders, unlike provincial privacy commissioners in Alberta, British Columbia, Ontario and Quebec.
Ann Cavoukian, a three-term Ontario privacy commissioner, is in favour of granting the federal privacy commissioner more enforcement powers. “When I was Commissioner I felt so grateful and fortunate that I had order-making powers because that gave me the stick I never had to use,” said Cavoukian, the executive director of the Privacy and Big Data Institute at Ryerson University. “Having the stick allowed me to get an organization to agree to things informally because they knew I could pursue this in a much more serious manner.”
But while Ottawa privacy lawyer Kris Klein also bemoans the fact that the OPC does not have powers that have “bite,” he commends the federal privacy watchdog for using the high-profile case as a springboard to serve a strong reminder to businesses and organizations that they must put in place safeguards that take into account the sensitivity and amount of information they collect and use. The comprehensive report, unlike the vast majority of reports penned by the OPC, also provides solid guidance that will help privacy lawyers, added Klein. “The report is extremely helpful as it helps privacy practitioners better understand what the privacy commissioner expects in terms of information security standards,” said Klein of Nnovation LLP. “So going forward I’ve got a lot more concrete things to point to when I’m advising clients as to what should and shouldn’t be done from a security perspective when it comes to dealing with personal information.” That is a harbinger of things to come, said Therrien. “One of my objectives is to increase the privacy of Canadians and to give practical guidance to companies as we have done here,” added Therrien.
Privacy experts are, however, concerned that many organizations will not pay heed to the findings and guidance yielded by the report because they don’t manage personal information as sensitive as that collected and used by Ashley Madison. That would be a mistake, said Cavoukian. “Many companies obviously won’t be exactly in the same situation in terms of the sensitivity of the data collected in this site but in this day and age of cybersecurity attacks that occur almost on a daily basis, if you are dealing with any personal information, meaning any data that contains personal identifiers either directly or indirectly, security has to be top of mind,” said Cavoukian.
The report was “careful to point out” that a data breach or a security compromise does not necessarily mean that an organization failed to establish adequate safeguards under PIPEDA, noted Klein. In order to determine whether a PIPEDA contravention took place, the OPC will perform a contextual analysis that will examine whether the safeguards in place at the time of the data breach were “sufficient” given the sensitivity of the information. That is a finding that will reassure organizations, particularly American ones, as many are wary of having to deal with a regulator when a data breach occurs, “particularly in situations where they feel they have been victimized,” said Klein.
Organizations should also be aware that the OPC’s definition of harm is broad, extending beyond financial loss to individuals due to fraud or identity theft, said Fazila Nurani, a privacy and information management lawyer. The OPC also takes into account subjective types of harm such as reputational harm, as it could potentially have a profound impact on an individual’s ability to access and maintain employment, relationships or even safety depending on the information, said the report. “This is such an important point,” noted Nurani. “The courts have started to recognize that privacy is a right in and of itself regardless of whether you have been financially impacted or not – and the regulator in this case is on the same wavelength.”
Retention policies were also examined by the OPC in the report. ALM’s practice was to keep all information contained in inactive or deactivated profiles indefinitely in case an individual wished to reactivate their profile in the future, despite the fact that 99.9 per cent of people who did reactivate their account did so within 29 days of deactivation. The OPC makes it clear that retention policies should be based on a “demonstrable rationale” and timeline. “A lot of organizations just don’t put enough time into developing retention policies,” remarked Nurani. “They just keep the information indefinitely on an electronic system so the guidance about retention is a really big takeaway for business.”
But perhaps the most important lesson that can be drawn from the Ashley Madison case is the importance of adopting clear and appropriate processes, procedures and systems to handle information security risks, supported by internal or external expertise, said Therrien. Organizations whose business models rely on vast amounts of personal information should “think hard” about what kind of information they collect, assess the risks it poses – and plan accordingly, said Therrien. Documenting security policies and procedures is key, as it provides clarity around security-related expectations for staff, as is conducting regular and documented risk assessments, added Therrien.
“To be systematic about it means that you’re more likely to take effective measures to reduce the risk of a privacy breach,” said Therrien. “If you are not systematic then things will fall through the cracks, and you will be more at risk of these privacy breaches. Hopefully people will listen because clearly this is not (an) isolated (case).”