If (like me!) you only heard of Ashley Madison when you heard the news that a database of 36 million people actively looking for “married dating and discreet encounters” had been hacked. The discreet encounters were attracting indiscreet publicity. This week sees the publication of the joint report from the Australian and Canadian Privacy (Data Protection) Commissioners on their investigation of the Ashley Madison data breach. It's a long report. Unsurprising to many, given its business model, Ashley Madison wasn’t taking its data protection responsibility very seriously. It was, however, taking the marketing of its trustworthiness very seriously. Apparently, the company did understand that privacy was important to its customers and to its business. Its marketing message was one of discretion and privacy. The site had multiple trust certificates including one that was fabricated. This is a company that knew its business depended on its reputation and its reputation depended on having good data protection and data security practices across the organisation – and despite that they failed to take data protection seriously. The 40-pages of findings from Australia and Canada show that! There are important lessons in the Ashley Madison report that every company can learn from. Here are my top 10!
#1 - You must have documented security policies
When Ashley Madison was attacked it didn’t have a documented security policy in place. This is bad – it allows gaps in practices to occur and it makes it difficult for an organisation to respond to new threats since they don’t have a baseline set of practices in place. Most importantly perhaps, a documented security policy sends a clear signal to staff about how seriously a company takes security.
#2 - Security policies need to be based on a risk assessment
To make matters worse Ashley Madison did not have a documented risk management framework in place. It had not carried out any formal risk management assessment of the data it held and therefore the security measures it put in place were not in response to identified risks. As a result, the security measures they did have were looking in the wrong place and they failed to pick up on this breach over an extended period of time. Data protection legislation requires companies to put in place “appropriate safeguards” and a risk assessment is the first step to determine what is appropriate for a particular company. A Privacy Impact Assessment(PIA) or in GDPR terminology Data Protection Impact Assessment(DPIA) is a data focussed risk assessment that helps a company to identify, assess and mitigate the risks that are relevant to their business.
#3 - Good employee access and authentication policies are necessary
There was some good practice in segregating the network, having firewalls, logging access attempts and encrypting much of the data as well as encrypting communications between Ashley Madison and its users. However, the Achilles heel was their authentication and password security practices. In particular, access to data servers via VPN was authenticated in part by use of a “shared secret” – a code phrase that was shared across a team of employees and stored on a google drive that any employee could access. While access attempts were logged they were not monitored. Two-part authentication should have been implemented as a matter of course. Data protection is not always intuitive. The fact that security was breached in itself does not necessarily mean a company is non-compliant with data protection law. Non-compliance happens when the security measures are not sufficient given the nature of the data to be protected. The tools and technology exist to do a much better job of ensuring security than Ashley Madison was doing. This was a company that was knowingly handling highly sensitive information and turning over roughly $100M annually on the basis of that sensitive data. They certainly had access to appropriate budgets to hire appropriate expertise and invest in the appropriate technology to prevent a breach of this scale.
#4 - Training is key
Ashley Madison did develop a training program. But only 25% of its employees had been trained at the time of the breach. Ashley Madison claimed that staff were aware of their obligations despite the lack of formal training – but the commissioners found that this was not the case. It's not good enough to assume that employees know what to do, it has to be backed up with formal training and refresher courses when policies change or when staff move roles. To be really effective training has to be based on the policies that are put in place by the company.
#5 - Don’t forget about data retention/deletion
The Ashley Madison case made headlines for the very dubious practice of charging users to delete their information – and then failing to delete it. Data protection law pretty much everywhere requires that data is not retained for longer than it is required. And newer legislation is giving users more power to request erasure of their personal data and putting more responsibility on data controllers to ensure it is erased everywhere it has been shared. Anyone collecting personal data needs to have a data retention policy – and then adhere to it.
#6 - And remember, you can’t charge a user to delete their data!
This is very significant – Ashley Madison claimed that they implemented a “full delete” of users data due to user demand and the feature cost a lot to implement. Charging users to delete their data was an attempt to recoup that cost. Companies should consider the cost of collecting and handling data. That cost needs to be built into a company’s business model. If you collect data, make sure you understand the risk and costs associated with that data and assess whether the data will provide a return on the investment you make into managing it.
#7 - You need to verify data is accurate and keep it up to date.
This is a strange and unusual one in this day and age. Ashley Madison did not attempt to verify the email address of users who signed up for its services. This was a conscious decision on their part and I think rather unusual – I haven’t come across any website recently that hasn’t sent me a link to click through to verify I am who I say I am. While it's unusual, it does highlight the data protection requirement to keep data accurate and up to date. Omitting basic steps like validating an email address is a big red flag to your users that you are not treating their data with respect.
#8 - Data protection requires user transparency
#9 - The true cost of a data breach
Ashley Madison as a company appears to be surviving – but at a cost. It has a new CEO. It has been forced into a massive and very expensive rebranding exercise in order to distance the company from the bad publicity. Its seeking acquisition and attempting to “rebuild Praecellens Limited (Ashley Madison) as the world’s most open-minded dating community”. I bet it hasn’t been a great year at the Toronto HQ for the 100 or so employees working there. The numbers aren’t easily found (if anyone can find them please let me know, I’d love to know what they are) but I bet revenue and profit and company value is a fraction of what it was. The true cost of a data breach is the reputational damage to the company. That is sometimes recoverable, sometimes not.
#10 - The true cost of data handling
Every piece of data that you collect for your business has a cost. That cost depends on the nature of the data, the scale of it, how long you retain it for and whether you share it on to 3rd parties. The cost comes in the form of developing and implementing data handling policies, physical storage and security, putting in place measures to maintain the accuracy of the data and delete it when it is no longer in use. The Ashley Madison saga is a timely reminder that data is not a free commodity. Businesses need to budget appropriately for their data handling and examining the ROI that data is providing to the business.