Australia, Canada Say Ashley Madison Infidelity Website Violated Privacy Laws
Infidelity website Ashley Madison parent ruby violated privacy laws in Australia and Canada by falsely presenting itself as a secure service while having inadequate cybersecurity, a panel reported Tuesday. Ashley Madison and other services owned by ruby -- then known
as Avid Life Media -- were hacked last year, resulting in the theft of sensitive and personal records of about 40 million people (see 1507200017). The offices of the Australian Information Commissioner and of the Canada Privacy Commissioner identified violations of privacy laws, particularly because of the company's lack of a comprehensive privacy and cybersecurity framework despite ruby's awareness that discretion and security were key to Ashley Madison's business model. The website marketed itself as a “100% discreet service” and used a fabricated security trustmark online to back up its security claims, the privacy offices said.

They said cybersecurity protections “were insufficient or absent and, although [ruby] did have some personal information security protections in place, the company fell short when it came to implementing those security measures.” There were “inadequate” authentication processes for ruby employees who accessed the company's systems remotely, and the company had “poor” key and password management practices, the privacy offices said. Ruby encrypted all web-based communications but stored the encryption keys on its systems in “plain, clearly identifiable text” that put the keys at risk of unauthorized disclosure, the privacy offices said. Stored passwords displayed as “clearly identifiable text” in emails, while text files containing the passwords were stored on ruby's systems, the privacy offices said. They said ruby retained personal information on users who left, and failed to ensure email addresses on file were accurate.

“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” said Canada Privacy Commissioner Daniel Therrien in a news release. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”

The firm cooperated with and entered into a court-enforceable compliance agreement on recommendations for improvements. “We hope that by openly speaking about the breach and our commitments to the [privacy offices], we can help other organizations and business leaders who are facing increased cyber security challenges,” said CEO Rob Segal in a statement. “The company has cooperated with the Commissioners throughout their investigation and will continue to share information with them as we honour the terms of the compliance agreement and enforceable undertaking.”