The two offices have released joint findings highly critical of the dating website’s privacy and personal data security practices — and include court-enforceable commitments by Ashley Madison’s parent company, Avid Life Media Inc (ALM — recently rebranded as ‘Ruby Corp’). In August 2015, ALM was the target of a data breach which involved information claimed to have been stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.
Commissioners Pilgrim and Therrien opened a joint investigation into the breach in August 2015.
“The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information,” said Commissioner Pilgrim.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model.”
The Commissioner noted that the report identifies numerous actions and improvements that ALM will need to take to address the issues identified through the investigation process. In response, ALM has offered binding commitments to each Commissioner, which are court enforceable, to improve its personal information practices and governance.
This result provides closure on one of the world’s most widely reported data breaches, and is the first time the Australian and Canadian Commissioners have jointly enforced privacy protections.
“Privacy and data are global challenges and international cooperation like this will become a key tool for the future of privacy enforcement,” said Commissioner Pilgrim. “Certainly, my office will always look to pursue Australians’ privacy rights, no matter where that leads.”
The Commissioner also noted that, while providing answers for customers affected by the August 2015 breach, the report also highlights an important lesson for all users of online services.
“While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies.
“The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands. Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is ‘breach-proof’.”
All individuals have the right to expect that their personal information will be managed in accordance with the Australian Privacy Act 1988. If individuals have concerns about how an organisation has handled their personal information, they can contact email@example.com or 1300 363 992 for information.
About the report
The Office of the Australian Information Commissioner (OAIC) and the OPC’s joint investigation was conducted in accordance with the Australian Privacy Act 1988 and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). The collaboration was made possible by the OAIC and OPC’s participation in the Asia-Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement and pursuant to ss 11(2) and 23.1 of PIPEDA and s 40(2) of the Australian Privacy Act.
The full report and enforceable undertaking is available on the OAIC website: