On August 22nd, the Office of the Privacy Commissioner of Canada, jointly with the Australian Privacy Commissioner, released its report on the now-infamous Ashley Madison data breach.
In the report, the commissioners found that Ashley Madison “did not have appropriate safeguards in place considering the sensitivity of the personal information under PIPEDA, nor did it take reasonable steps in the circumstances to protect the personal information it held under the Australian Privacy Act.” In particular, the investigation found that, although the company did have some security safeguards, it had no way of determining whether its own policies were actually being followed.
Ashley Madison has agreed to implement all of the recommendations within the next six to twelve months, and the Privacy Commissioner will monitor its progress. Many of the recommendations are best practices that any organization with a web presence should adopt.
Complying with at least one of the recommendations will be difficult for Ashley Madison. If it does not comply, it will be interesting to see whether any strong sanctions are ordered.
The report highlighted what was probably the most serious failing on Ashley Madison's part: it retained its users' personal information indefinitely.
Indefinite retention (i.e. keeping everything forever) is the norm in most organizations, because it is the easiest policy to implement. However, as the Privacy Commissioner's report makes clear, it creates a major risk: data you no longer hold cannot be breached. If you don't want your organization's name publicized the way Ashley Madison's was, decide now how to stop keeping everything forever. It may be difficult to achieve, but once in place, the benefits will outweigh the costs.
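To make the two points above concrete, here is an added example (it is not from the original post, from Ashley Madison, or from the commissioners' report) of what a retention policy looks like once it is written down as code rather than left as a document nobody checks: a per-category retention schedule, a function that applies it, and a compliance check that reports records which should already be gone. The data categories, retention periods, reference date and sample records are all constructed for illustration; real periods depend on your legal and business requirements.

```python
"""Minimal retention-policy enforcer and compliance check.

Added example, not from the original post or the Privacy Commissioner's report.
Categories, retention periods and sample records are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: maximum age, in days, per data category.
# Every category that exists must appear here; anything unclassified is
# reported rather than silently kept forever.
RETENTION_DAYS = {
    "active_account": 365 * 3,     # profile data of an account still in use
    "deactivated_account": 90,     # user deactivated but did not ask for deletion
    "payment_record": 365 * 7,     # assumption: financial record-keeping rule
    "marketing_email": 30,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_activity: datetime      # timezone-aware
    delete_requested: bool = False


def is_expired(record: Record, now: datetime) -> bool:
    """True when the record should no longer exist.

    A deletion request wins regardless of category. An unknown category
    raises, because "no rule" is exactly the keep-everything default.
    """
    if record.delete_requested:
        return True
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        raise ValueError(f"no retention rule for category {record.category!r}")
    return now - record.last_activity > timedelta(days=days)


def apply_policy(records, now):
    """Split records into (kept, purged_ids, unclassified_ids).

    Unclassified records are kept (never delete what you cannot classify)
    but surfaced so the schedule can be fixed. purged_ids would feed the
    deletion job and the audit log in a real system.
    """
    kept, purged, unclassified = [], [], []
    for r in records:
        try:
            expired = is_expired(r, now)
        except ValueError:
            unclassified.append(r.record_id)
            kept.append(r)
            continue
        if expired:
            purged.append(r.record_id)
        else:
            kept.append(r)
    return kept, purged, unclassified


def retention_violations(records, now):
    """Compliance check: ids of records that violate the policy right now.

    Running this on a schedule (and alerting when it is non-empty) is how
    you find out whether the written policy is actually being followed.
    """
    _, expired, unclassified = apply_policy(records, now)
    return sorted(expired + unclassified)


# Constructed reference date and sample records.
NOW = datetime(2016, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("u1", "active_account", NOW - timedelta(days=400)),
    Record("u2", "deactivated_account", NOW - timedelta(days=120)),
    Record("u3", "deactivated_account", NOW - timedelta(days=10)),
    Record("u4", "active_account", NOW - timedelta(days=5), delete_requested=True),
    Record("p1", "payment_record", NOW - timedelta(days=365 * 8)),
    Record("x1", "legacy_export", NOW - timedelta(days=1)),   # no rule for this
]

if __name__ == "__main__":
    kept, purged, unclassified = apply_policy(SAMPLE, NOW)
    print("purge:", purged)
    print("unclassified (fix the schedule):", unclassified)
    print("violations:", retention_violations(SAMPLE, NOW))
```

The point of the separate compliance check is the finding from the report: having a policy is not the same as knowing it is applied. A nightly run of the violation check against production data, with an alert on any non-empty result, is the cheapest way to turn a retention document into something you can actually verify.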