As most readers will be aware, the big news in the data protection sphere over the last few weeks has been the highly publicised data breach suffered by dating website Ashley Madison. The website, owned by Canadian company Avid Life Media, was set up to facilitate participation in extra-marital affairs and has a user base of around 40 million.
Most of those 40 million users were affected by the breach, and an estimated 1.2 million of them are based in the UK. Despite this, it is not clear whether the UK legislation, the Data Protection Act (DPA), or equivalent legislation implementing the European Data Protection Directive (the Directive) would apply to Ashley Madison, given that the website's owner is based in Canada. The website's terms and conditions for European users state that Ashley Madison is governed by Cypriot law, but it is unclear whether Ashley Madison actually has a presence in Cyprus. The Directive does provide for non-EU organisations to be subject to European laws in certain circumstances, but it is unclear as yet how those circumstances might apply in this case.
If the DPA does apply to Ashley Madison, it is beyond doubt that the site has committed numerous breaches of the legislation. But even if Ashley Madison is not subject to the requirements of the DPA, there are several lessons that UK organisations can learn from Ashley Madison's data protection plight.
Ashley Madison's breach highlights the need to ensure that all personal data is adequately secured and protected from unauthorised access and disclosure. In the UK this is enshrined in the seventh data protection principle: organisations must take appropriate technical and organisational security measures to protect personal data. In deciding what measures are "appropriate", organisations should consider the nature of the information and the potential harm that could result from its unauthorised disclosure.
Although the type of information leaked in the Ashley Madison case (names, email addresses, credit card details and photographs) may not in itself be considered to be sensitive, when disclosed in the context of a dating website designed for married people, the information can take on a sensitivity that might not otherwise be there. Information about an individual's sexual life is also deemed "sensitive personal data" under the DPA. The harm that could result from unauthorised access to this type of information is also, as the fallout has shown, potentially extremely severe.
Therefore, this type of information should have been afforded the highest level of protection. Ashley Madison did at least hash all users' passwords and did not store full credit card details. Unfortunately, at the time of writing this article, reports were coming in that whilst the passwords themselves were hashed with bcrypt, a deliberately slow algorithm designed to resist guessing, the site also stored a login token derived from an unsalted MD5 hash of each user's username and password. MD5 is extremely fast to compute, so attackers could guess passwords against the tokens at high speed without ever attacking the bcrypt hashes, and this weakness has allowed them to recover a significant number of passwords.
Given the sensitive nature of the information held, no value derived from a password should have been stored under a weaker algorithm than the password itself: a login token either needs the same slow, salted hashing as the password or, better, should be a random value that reveals nothing about the password at all. Tiered access rights should also have been implemented, allowing employees access only to the information they needed to perform their roles. There has been some speculation that the team that leaked the information may have had inside help from either an employee or a contractor.
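To make the weakness concrete, the following added example (not code from Ashley Madison or from this article) models the two-hash arrangement described above and runs a small offline guessing attack against it. PBKDF2 from the Python standard library stands in for bcrypt as the slow hash, the "::" separator in the token and the sample account, password and wordlist are all constructed assumptions, and the corrected design at the end uses a random token that carries no information about the password.

```python
import hashlib
import itertools
import secrets
from typing import Iterable, Optional

# Constructed sample account and a tiny stand-in for a cracking wordlist.
USERNAME = "Alice.Example"
PASSWORD = "Summer2015"
WORDLIST = ["password", "123456", "letmein", "summer2015", "qwerty"]

# PBKDF2 with many iterations stands in for bcrypt so the block needs only the
# standard library; the iteration count is what makes each guess expensive.
SLOW_ITERATIONS = 20_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (bcrypt-like cost)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def weak_login_token(username: str, password: str) -> str:
    """Models the flawed token: unsalted MD5 over the case-folded username and
    password. The '::' separator is an assumption made for illustration."""
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def crack_weak_token(username: str, token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against the MD5 token costs one cheap hash per candidate.
    Returns the case-folded password, or None if no candidate matches."""
    for candidate in wordlist:
        if weak_login_token(username, candidate) == token:
            return candidate.lower()
    return None


def recover_exact_case(folded: str, salt: bytes, stored_hash: bytes) -> Optional[str]:
    """The token leaks the password up to letter case, so only the 2^k case
    variants (k = number of letters) need testing against the slow hash,
    instead of the whole wordlist."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in folded]
    for variant in itertools.product(*choices):
        guess = "".join(variant)
        if slow_hash(guess, salt) == stored_hash:
            return guess
    return None


def safe_login_token() -> str:
    """Corrected design: a random token unrelated to the password. Store only
    its SHA-256 server-side and compare that hash when the token is presented."""
    return secrets.token_hex(32)


def demo() -> dict:
    salt = secrets.token_bytes(16)
    stored = slow_hash(PASSWORD, salt)
    token = weak_login_token(USERNAME, PASSWORD)

    folded = crack_weak_token(USERNAME, token, WORDLIST)
    exact = recover_exact_case(folded, salt, stored) if folded else None

    # With a random token, the same guessing loop learns nothing about the password.
    random_token = safe_login_token()
    nothing = crack_weak_token(USERNAME, random_token, WORDLIST)
    return {"folded": folded, "exact": exact, "random_token_cracked": nothing}


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from running it is that the slow hash was never the attacker's target: the cheap token gives away the password up to letter case, and the few remaining case variants are then trivial to confirm against the expensive hash.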
Ashley Madison may also have benefitted from a privacy impact assessment, or PIA, right at the outset of the site's existence. This would have enabled it to identify the specific risks associated with the type of information being used and put in place measures to mitigate those risks.
A further area where Ashley Madison appears to have fallen down relates to the accuracy of personal information. Many individuals whose email addresses were included in the leaked information claim never to have visited the site, let alone signed up to and used it. Whilst arguments of "that's what they all say" are all too easy to raise, it has emerged that Ashley Madison made no attempt to validate individuals' email addresses when they signed up to the site. Any person could, in theory, sign up to the site using someone else's email address and/or personal details.
This means that the email addresses held about users of the site were potentially inaccurate and could expose non-users to harm by incorrectly associating them with the site. It shows how important it is to ensure, when information is first collected, that the information is accurate. This could be done, for example, by sending a verification email to the address used to sign up, with the recipient having to click a link to verify the address before membership can commence; an account whose address has not been verified should hold no more data than is needed to complete that step. This is a simple mechanism that could have helped Ashley Madison to avoid much of the harm caused by the breach.
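As an added example of the verification step just described (not code from the article or from Ashley Madison), the following Python models a sign-up flow in which an address stays unverified until the recipient presents a link token that only the server could have produced. The token binds the address and an expiry to an HMAC under a server-side key; the key handling, the 24-hour lifetime and the in-memory account store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# Server-side key; in production this would come from a secret store
# (assumption: one static key is enough for this illustration).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 24 * 3600  # seconds a verification link stays valid (assumed)


def _sign(email: str, expires: int) -> bytes:
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def make_verification_token(email: str, now: Optional[int] = None) -> str:
    """The address and expiry are not secret; the MAC is what an impostor
    who typed in someone else's address cannot forge."""
    expires = (now if now is not None else int(time.time())) + TOKEN_LIFETIME
    raw = f"{email.lower()}|{expires}|".encode() + _sign(email, expires)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_token(token: str, claimed_email: str, now: Optional[int] = None) -> bool:
    """Accept only if the MAC checks, the link has not expired and the address
    inside the token is the one being activated. Malformed input is rejected."""
    try:
        padded = token + "=" * (-len(token) % 4)
        raw = base64.urlsafe_b64decode(padded)
        email_b, expires_b, mac = raw.split(b"|", 2)  # MAC bytes may contain '|'
        email, expires = email_b.decode(), int(expires_b)
    except (ValueError, UnicodeDecodeError):
        return False
    now = now if now is not None else int(time.time())
    if now > expires or email != claimed_email.lower():
        return False
    return hmac.compare_digest(mac, _sign(email, expires))


class Accounts:
    """Sign-up records the address as pending only; a valid click activates it."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}  # email -> token (stand-in for the sent mail)
        self.active: Set[str] = set()

    def sign_up(self, email: str, now: Optional[int] = None) -> str:
        token = make_verification_token(email, now)
        self.pending[email.lower()] = token
        return token  # would be embedded in the link e-mailed to the address

    def click(self, email: str, token: str, now: Optional[int] = None) -> bool:
        if not verify_token(token, email, now):
            return False
        self.active.add(email.lower())
        self.pending.pop(email.lower(), None)
        return True


if __name__ == "__main__":
    accounts = Accounts()
    t = accounts.sign_up("someone@example.org")
    print("active before click:", "someone@example.org" in accounts.active)
    print("click accepted:", accounts.click("someone@example.org", t))
```

Whoever controls the mailbox can complete the step and nobody else can, which is exactly the property the accuracy principle needs: an address only becomes part of a user record once its owner has demonstrated control of it.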
Ashley Madison has been further accused of holding onto individuals' personal data for excessively long periods of time. The obligation under both the DPA and the Directive is to retain data for no longer than is necessary for the purpose(s) for which it was collected.
By all accounts, Ashley Madison's data retention practices left much to be desired. Information on credit card transactions going back nearly eight years was kept on file for no justifiable reason, information on many accounts which users had requested to be deleted was still retained, and Ashley Madison had no appropriate data retention policy in place. This resulted in a great deal of information being kept for far longer than was necessary.
Businesses should ensure that they have a watertight data retention policy setting out when data should be deleted and when data is permitted to be retained. The policy itself might help towards compliance but is unlikely to be enough on its own; it should be properly complied with and enforced across the business.
In addition to a clear retention policy, individuals have the right to require the organisation controlling the use of their data (such as Ashley Madison) to cease processing their personal data (which includes deleting it) where the processing would cause unwarranted and substantial damage or distress. Where the organisation fails to do so, individuals are entitled to apply for a court order to compel the organisation to comply.
Until recently, the position in the UK regarding liability for compensation under the DPA was that damages for distress could not be recovered unless there was financial loss as well. The Ashley Madison breach is a prime example of a situation where financial loss may be difficult to prove (although any individual who has lost a job as a result of the breach may be able to do so) but where the distress suffered could be enormous. The recent case of Google v Vidal-Hall reversed that position and held that damages for distress can now be recovered without having to show that the individual suffered financial loss or physical/mental injury as a result of the breach.
If this were to apply to Ashley Madison, the consequences could be dire for the business. The level of distress suffered by individuals whose information was leaked is potentially huge. Several high-profile figures have been linked to the site in the wake of the breach and, even more worryingly, it is alleged that two individuals have since committed suicide as a result of the breach. It is not difficult to imagine the potential scale of pay-outs for distress.
In addition, the US Federal Trade Commission (FTC) is investigating the breach, and it has the power to impose financial penalties far in excess of the UK Information Commissioner's limit of £500,000.
For the owners, the timing of the breach was also disastrous, as it effectively ended their plans to proceed with an initial public offering, seeking an investment of US$57 million.
Since the Google v Vidal-Hall case, it has become even more important from a commercial point of view for organisations to comply with all data protection obligations. Particularly where information is sensitive, there is potential for real distress to be caused to individuals as a result of unauthorised access to that information and businesses could be ordered to pay compensation for that distress alone.
The message to take away from the Ashley Madison case is clear: data protection breaches can not only be catastrophic for a business, but can be life-changing for individuals as well. In light of the Ashley Madison breach, organisations, particularly those who handle sensitive personal data, would be well-advised to review their security measures, verification systems and retention policies to avoid becoming the next data breach victim and the financial and reputational consequences that inevitably follow.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.