E+Co Alerts – 25 Aug

The Ashley Madison affair – Privacy and confidentiality under Australian law

In July 2015, a major compromise of the data security of the Ashley Madison website resulted in the personal information of some 37 million users being made public by a group yet to be properly identified, but which calls itself ‘the Impact Team’.

Ashley Madison (www.ashleymadison.com) styles itself as “the most successful website for finding an affair and cheating partners”. As at 25 August 2015, it claims over 39,470,000 members.

It seems that the Impact Team had threatened to post user details online unless Ashley Madison’s parent company, Avid Life Media, shut the service down. When the company failed to do so, the hackers started to publish online the personal information of the service’s users, including their names, email addresses (some of them work addresses), sexual preferences and credit card details, as well as the website’s source code itself. This confidential information was made available for download using peer-to-peer services such as BitTorrent.

Since the disclosure, there have been claims of related suicides and multi-hundred-million-dollar lawsuits being launched. Ashley Madison’s Canadian parent company, Avid Life Media, has offered a bounty of C$500,000 (A$525,000) for information on the hackers, who have tried to position their unauthorised publication as ‘white hat hacking’ (i.e. as a statement about Ashley Madison’s failure to keep the user data secure).

Amidst the hysteria and global attention this has garnered, it is worth pausing to consider what this means in legal terms in Australia.

Some legal observations from an Australian point of view

Considering this from the point of view of Australian users of the Ashley Madison service, some high level observations:

•   As the Ashley Madison site collects personal information in Australia, it is deemed, following the amendments that took effect in March 2014, to be a business carried on in Australia for the purposes of the Privacy Act.

•   Through Australian Privacy Principle 11, the Privacy Act requires entities to take active measures to ensure the security of the personal information they hold, and to take reasonable steps to protect that information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Generally speaking, as the amount and/or sensitivity of the personal information held increases, so too does the level of care required to protect it.

•   On 20 August 2015, the Office of the Australian Information Commissioner (‘OAIC’) revealed that it had commenced an investigation into whether Avid Life Media met its obligations under the Australian Privacy Act to take reasonable steps to ensure the security of its customers’ personal information.

•   Clause 9 of Ashley Madison’s privacy policy (at https://www.ashleymadison.com/app/public/privacy.p), states:

  “We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.”

•   The OAIC publishes a ‘Guide to securing personal information’ (see http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-securing-personal-information#internal-practices-procedures-and-systems), which provides guidance on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold. Following the Ashley Madison leak, any organisation handling sensitive personal information of online users should take heed of this guide.

•   Under the Privacy Act, even where the hosting of personal information is outsourced to a third party (such as Amazon Web Services), the outsourcing entity is still deemed to be handling the personal information and remains responsible for it.

•   Beyond the question of whether Avid Life Media did enough to protect the sensitive personal and financial information of its users, the Privacy Act also regulates entities that collect unsolicited personal information. However, unless the Impact Team carries on business in Australia, it may not be regulated by the Australian Privacy Act at all.

•   Beyond the application of privacy principles under Australian law, it is a well-established principle of equity that a person who acquires information in confidence has a duty to maintain that confidence:

  “It is a well-settled principle of law that where one party (‘the confidant’) acquires confidential information from or during his service with, or by virtue of his relationship with another (‘the confider’), in circumstances importing a duty of confidence, the confidant is not ordinarily at liberty to divulge that information to a third party without the consent or against the wishes of the confider.” (Attorney-General v Guardian Newspapers [No. 2] [1998] 2 WLR 805)

•   The Impact Team can therefore be liable for breach of confidence under Australian law for disclosing the confidential information of Australian users. The questions to consider next are where the disclosure of Australian users’ information occurred, and whether Australian courts would be a proper venue for a group action by a class of interested (or at least rather curious) Ashley Madison users.

James Edwards
Principal
James@ecolegal.com.au

About James Edwards
James is the founder and principal of Edwards + Co, and advises businesses on legal and commercial issues in a world enabled, disrupted and re-assembled by the internet of everything.
