This is the first bulletin of a two-part series reviewing recent Canadian and U.S. regulatory guidance on cybersecurity standards in the context of sensitive personal information. In this first bulletin, the authors introduce the subject and the existing regulatory framework in Canada and the U.S., and review the key cybersecurity insights learned from the Office of the Privacy Commissioner of Canada and the Australian Privacy Commissioner's investigation into the recent data breach of Avid Life Media Inc.
A. Introduction
Privacy legislation in Canada, the U.S. and elsewhere, while imposing detailed requirements on issues such as consent, often reverts to high level principles in outlining privacy safeguards or security obligations. One concern of the legislators has been that by providing more detail, the laws could make the mistake of making a "technology pick," which – given the pace of evolving technology – could very well be out of date in a few years. Another concern is that what constitutes appropriate security measures can be very contextual. Nevertheless, however well-founded those concerns may be, the result is that organizations seeking direction from the law as to how these safeguard requirements translate into actual security measures are left with little to no clear guidance on the issue.
The Personal Information Protection and Electronic Documents Act ("PIPEDA") provides guidance as to what constitutes privacy safeguards in Canada. However, PIPEDA simply states that (a) personal information should be protected by security safeguards appropriate to the sensitivity of the information; (b) the nature of the safeguards may vary depending on the sensitivity, amount, distribution and format of the information and the method of its storage; (c) the methods of protection should include physical, organizational and technological measures; and (d) care must be used in the disposal or destruction of personal information.[1] Unfortunately, this principles-based approach loses in clarity what it gains in flexibility.
On August 22, 2016, however, the Office of the Privacy Commissioner of Canada (the "OPC") and the Australian Privacy Commissioner (together with the OPC, the "Commissioners") provided some additional clarity as to privacy safeguard requirements in their published report (the "Report") on their joint investigation of Avid Life Media Inc. ("Avid").[2]
Contemporaneously with the Report, the U.S. Federal Trade Commission (the "FTC"), in LabMD, Inc. v. Federal Trade Commission (the "FTC Opinion"),[3] published on July 29, 2016, provided its guidance on what constitutes "reasonable and appropriate" data security practices, in a manner that not only supported, but supplemented, the key safeguard requirements highlighted by the Report.
Thus, finally, between the Report and the FTC Opinion, organizations have been provided with reasonably detailed guidance as to what the cybersecurity standards are under the law: that is, what measures an organization is expected to implement in order to substantiate that it has implemented an appropriate and reasonable security standard to protect personal information.
B. The Ashley Madison Report
The Commissioners' investigation into Avid which generated the Report was the consequence of an August 2015 data breach that resulted in the disclosure of highly sensitive personal information. Avid operated a number of well-known adult dating websites, including "Ashley Madison," "Cougar Life," "Established Men" and "Man Crunch." Its most prominent website, Ashley Madison, targeted people seeking a discreet affair. Attackers gained unauthorized access to Avid's systems and published approximately 36 million user accounts. The Commissioners commenced a Commissioner-initiated complaint soon after the data breach became public.
The investigation focused on the adequacy of the safeguards that Avid had in place to protect the personal information of its users. The determining factor for the OPC's findings in the Report was the highly sensitive nature of the personal information that was disclosed in the breach. The disclosed information contained profile information (including relationship status, gender, height, weight, body type, ethnicity, date of birth and sexual preferences), account information (including email addresses, security questions and hashed passwords) and billing information (users' real names, billing addresses, and the last four digits of credit card numbers). The release of such data presented the possibility of reputational harm, and the Commissioners in fact found cases where such data was used in extortion attempts against individuals whose information was compromised as a result of the data breach.
The Report ultimately concluded that Avid did not implement reasonable and appropriate security safeguards, contravening PIPEDA Principles 4.1.4 and 4.7.[4]
C. The FTC Opinion
The FTC also provided its guidance on what constitutes "reasonable and appropriate" data security practices with the FTC Opinion, published on July 29, 2016.
In the U.S., the Federal Trade Commission Act allows the FTC to prohibit "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce" if the "act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."[5]
In the FTC Opinion, the FTC provides a helpful outline of how the FTC has extensively challenged "unreasonable and inappropriate" data security practices under this unfairness authority:
"The touchstone of the Commission's approach to data security is reasonableness: a company's data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. ... [T]he Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law."
The FTC Opinion concerned LabMD, Inc. v. Federal Trade Commission, a case where an employee of LabMD, Inc. ("LabMD") exposed the personal insurance information of 9,300 customers through a peer-to-peer file sharing network. Here, the FTC ruled that LabMD's data security practices failed to provide reasonable and appropriate security for the sensitive personal information on its computer network, and that this failure was likely to cause substantial injury that consumers could not reasonably have avoided and that was not outweighed by benefits to consumers or competition.
D. Key Privacy Security Insights
1. The Report: Security Safeguards Due Diligence
In the Report, the OPC provides guidance on the level of diligence expected of an organization when determining adequate security safeguards under Principle 4.7 of PIPEDA, namely that:
- Sensitivity of Data: an organization needs to understand the sensitivity of the personal information that they collect, use and disclose, and the corresponding required level of safeguards under PIPEDA;
- Security Risk Policy: an organization should adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise, whether such expertise is internal or external;
- Safeguard Assessment: an organization should conduct a meaningful assessment (i.e. one that does not focus solely on the risk of financial loss to individuals due to fraud or identity theft, but also on their physical and social well-being) of the required level of safeguards for any given personal information; and
- Risk Balance: safeguards should be adopted by an organization with due consideration of the risks faced.
Based on the foregoing diligence, the Report provides specific insight into what the OPC would require as adequate safeguards under PIPEDA where an organization collects, uses or discloses sensitive personal information.
2. The Report: Implementation of an Information Security Governance Framework
In the Report, the Commissioners found that an organization that holds large amounts of personal information of a sensitive nature must address information security with an adequate and coherent governance framework. Such an adequate and coherent information security governance framework should ensure that the security practices, systems and procedures are consistently understood and effectively implemented.
(i) Safeguards that Avid had in Place
Notwithstanding perhaps the general impression left by the media, Avid did appear to have implemented a general security framework. According to Avid, it had the following data protections in place at the time of the data breach:
- Physical safeguards:
- Office servers were located and stored in an isolated, locked room with access limited by keycard to authorized employees.
- Production servers were stored in a cage at Avid's hosting provider's facilities, with entry requiring a biometric scan, an access card, photo ID, and a combination lock code.
- Technological safeguards:
- Network protections included network segmentation, firewalls, and encryption on all web communications between Avid and its users, as well as on the channel through which credit card data was sent to Avid's third party payment processor.
- All external access to the network was logged.
- All network access was via VPN, with authorization granted on a per-user basis and authentication through a 'shared secret.'
- Anti-malware and anti-virus software were installed.
- Particularly sensitive information, specifically users' real names, addresses and purchase information, was encrypted, and internal access to that data was logged and monitored (including alerts on unusual access by Avid staff).
- Passwords were hashed using the BCrypt algorithm (excluding some legacy passwords that were hashed using an older algorithm).
- Avid had commenced staff training on general privacy and security a few months before the discovery of the incident.
- Avid engaged a Director of Information Security to develop written security policies and standards.
- Avid had instituted a bug bounty program in early 2015 and conducted a code review process before making any software changes to its systems, where each code review involved quality assurance processes which included review for code security issues.
(ii) Safeguards that Avid should have had in Place
However, according to the Report, the Avid security framework failed to meet the standard of an "adequate and coherent" framework, as it lacked: (a) documented information security policies and practices; (b) an explicit risk management process; and (c) adequate training to ensure all staff properly carried out their privacy and security obligations.
(a) Documented Information Security Policies and Practices
The Report noted that having documented security policies and procedures was "a basic organizational security safeguard," given that such explicit policies (A) provide clarity about security expectations, which in turn facilitates consistency of security coverage, (B) help to avoid gaps in security coverage, (C) send the key signals to employees about the importance of information security, and (D) given their formalized form, facilitate the updating of such policies to reflect the evolving threat landscape.
However, in their investigation, the Commissioners found that:
- Although Avid had hired a Director of Information Security to develop written security policies and standards, these policies and standards were not in place at the time of the data breach.
- Avid's existing undocumented security policies and standards did not cover both preventive and detective measures, such as commonly used detective countermeasures that could facilitate detection of attacks or identify anomalies indicative of security concerns.
- Some detection and monitoring systems were in place, but these were focused on detecting system performance issues and unusual employee requests. Avid had not implemented:
- an intrusion detection system or prevention system;
- a security information and event management system, or
- data loss prevention monitoring.
- While VPN logins were tracked and reviewed on a weekly basis, login behaviour was not adequately monitored for indications of intrusion or other unauthorized activity.
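The last finding above turns on the difference between collecting VPN logins and actually looking at them for signs of intrusion. The following is an added example, not part of the Report or anything Avid ran: a few detection rules applied to constructed VPN authentication records (the log format, the failure threshold, the business-hours window and the per-user baseline of known source addresses are all assumptions made for the demonstration). It flags a burst of failed logins from one source, a success from that source shortly afterwards, a success from an address never before seen for that user, and a login outside business hours.

```python
"""Added example (not from the Report or Avid): rules run over VPN login
records to surface the kind of intrusion indicators the Report says were
not being looked for."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: one line per VPN authentication attempt.
LINE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"result=(?P<result>OK|FAIL)$")


def parse_line(line: str):
    """Parse one record into a dict, or None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def analyze(lines, known_sources, fail_threshold=5,
            fail_window=timedelta(minutes=5), business_hours=(7, 20)):
    """Return a list of alert dicts. known_sources maps user -> set of source
    addresses seen during a baseline period (constructed here; in practice it
    is derived from login history). Thresholds are assumed values."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> failure timestamps inside the window
    burst_seen = {}                     # src -> time a failure burst was raised
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["result"] == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > fail_window:
                q.popleft()
            if len(q) == fail_threshold:    # raise once, as the threshold is crossed
                burst_seen[src] = ts
                alerts.append({"kind": "failed_login_burst", "user": user,
                               "src": src, "ts": ts})
            continue
        # Successful login: check it against three indicators.
        if src in burst_seen and ts - burst_seen[src] <= 2 * fail_window:
            alerts.append({"kind": "success_after_burst", "user": user,
                           "src": src, "ts": ts})
        if src not in known_sources.get(user, set()):
            alerts.append({"kind": "new_source_for_user", "user": user,
                           "src": src, "ts": ts})
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append({"kind": "off_hours_login", "user": user,
                           "src": src, "ts": ts})
    return alerts


# Constructed sample records (documentation address ranges, fictional users).
LOG = """\
2015-07-12T09:05:11Z vpn user=alice src=198.51.100.20 result=OK
2015-07-12T02:14:05Z vpn user=bob src=203.0.113.7 result=FAIL
2015-07-12T02:14:09Z vpn user=bob src=203.0.113.7 result=FAIL
2015-07-12T02:14:12Z vpn user=bob src=203.0.113.7 result=FAIL
2015-07-12T02:14:16Z vpn user=bob src=203.0.113.7 result=FAIL
2015-07-12T02:14:20Z vpn user=bob src=203.0.113.7 result=FAIL
2015-07-12T02:15:02Z vpn user=bob src=203.0.113.7 result=OK
2015-07-12T10:30:00Z vpn user=carol src=198.51.100.21 result=OK
"""

# Constructed baseline: addresses each user normally connects from.
KNOWN_SOURCES = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.22"},
    "carol": {"198.51.100.21"},
}

if __name__ == "__main__":
    for alert in analyze(LOG.splitlines(), KNOWN_SOURCES):
        print(alert["ts"].isoformat(), alert["kind"], alert["user"], alert["src"])
```

On the sample, alice and carol produce nothing, while bob's session produces four alerts that a weekly review of login counts would never surface: the failure burst, the success that follows it, the unfamiliar source address and the 02:15 UTC login time. The same structure feeds naturally into a SIEM, which is what the Report faults Avid for not having.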
(b) An Explicit Risk Management Process
In regards to a risk management process, the Report stated that:
"Conducting regular and documented risk assessments is an important organizational safeguard in and of itself, which allows an organization to select appropriate safeguards to mitigate identified risks and reassess as business and threat landscapes change. Such a process should be supported by adequate external and/or internal expertise, appropriate to the nature and volume of personal information held and the risks faced."
Avid claimed that, although no risk management framework was documented, it had a security program that was based on an assessment of potential threats. Its risk management framework consisted of:
- Patch management and quarterly vulnerability assessments (as required to be PCI-DSS compliant).
- A full time Director of Information Security.
However, the Commissioners found that Avid:
- did not have a documented risk management framework "guiding how it determined what security measures would be appropriate to the risks it faced," and
- could not "provide evidence that it had undertaken any structured assessment of the overall threats facing it, or that it had assessed its information security framework through standard exercises such as internal or external audits or evaluations."
Also, in an observation which is sure to increase the heartbeat of third party security consultants, the Commissioners appeared to criticize "the adequacy of [Avid's] decision-making on selecting security measures," noting that Avid had at one point considered retaining external cybersecurity expertise to assist in security matters but ultimately elected not to do so.
(c) Adequate Training to Ensure All Staff Properly Carried Out their Privacy and Security Obligations
The Report also highlighted that formal training on information security and privacy responsibilities, "in all but the smallest organizations," is key to ensuring that obligations are properly and consistently understood and acted upon by employees. Security policies and practices must be properly and consistently implemented and followed by employees. Organizations should also provide such training to contractors with access to the organization's network.
Avid claimed that, although most employees had not been formally trained, employees were aware of their obligations where these obligations were relevant to their job functions.
The investigation by the Commissioners, however, found that, although privacy training had been delivered to senior management, senior IT staff, and newly hired employees, approximately 75% of Avid's staff had not received this training, and not all employees properly and consistently understood and acted upon their information security obligations.
The FTC also highlighted the importance of training in the FTC Opinion, which expressly referenced that there was an increased likelihood of a breach of consumer personal information if employees were not adequately trained.[6] With respect to LabMD specifically, the FTC found that, although LabMD had recognized the need for training, it did not provide any such training to its staff and instead "relied on the training that [its] employees received in their previous employment." This contributed to the FTC's ultimate finding that the LabMD security practices were unreasonable.
In summary, absent these three required elements of the governance framework (i.e. policies, risk management and training), the Commissioners found that Avid had been unable to assess the adequacy of its information security, leading to certain security safeguards being insufficient or absent at the time of the data breach.
3. The Report: Multi-factor Authentication and Strong Key and Password Management Practices
In reviewing these failures in policies, risk management and training, which collectively led to Avid's failure to implement an adequate and coherent governance framework, the Commissioners also highlighted two specific requirements in connection with authentication and key/password management practices.
First, the Commissioners emphasized the importance of multi-factor authentication, a common industry practice for controlling remote administrative access. The practice requires at least two of the following factors to be provided in order to grant access to an organization's systems: something the user knows (knowledge), something the user has (possession), and something the user is (inherence).
The lack of multi-factor authentication was identified under the Report as a significant concern and part of Avid's failure to provide appropriate and reasonable privacy security measures. Avid required three pieces of information – a username, a password, and a shared VPN passphrase – to access its systems remotely; however, each of these pieces of information only provided a single factor of authentication: something the user knows. Avid could have used biometric data, such as a fingerprint (something the user is), or, more easily, a physical key or login device, such as an RSA key on the user's mobile device (something the user has), to properly implement multi-factor authentication.
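The point the Report makes is that three secrets of the same kind are still one factor. The following is an added example, not code from the Report or from Avid, that makes the distinction mechanical: it classifies a set of credential types by factor category (the mapping is constructed for the demonstration, with the username counted as knowledge as the Report did) and accepts a login policy as multi-factor only when two different categories are required. To show what a possession factor looks like in practice it also implements RFC 4226 HOTP and RFC 6238 TOTP verification, the mechanism behind an authenticator app or token on a user's phone; the secret in the demo is the RFC test vector, not a real key.

```python
"""Added example (not from the Report or Avid): classify login credentials
by authentication factor, and verify a possession factor with RFC 6238 TOTP."""
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Constructed mapping of credential types to factor categories. The username
# is counted as knowledge, as the Report did; it adds no strength either way.
CREDENTIAL_FACTORS = {
    "username": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "shared_vpn_passphrase": Factor.KNOWLEDGE,
    "totp_code": Factor.POSSESSION,      # proves control of the enrolled device
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def distinct_factors(credentials):
    """Set of factor categories covered by a list of credential types."""
    return {CREDENTIAL_FACTORS[c] for c in credentials}


def is_multi_factor(credentials):
    """True only when at least two *different* categories are required."""
    return len(distinct_factors(credentials)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the 30-second time counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift).
    The comparison is constant-time so timing does not leak partial matches."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    avid_style = ["username", "password", "shared_vpn_passphrase"]
    improved = ["username", "password", "totp_code"]
    for creds in (avid_style, improved):
        print(creds, "->", sorted(f.name for f in distinct_factors(creds)),
              "MFA" if is_multi_factor(creds) else "single factor")
    # RFC 6238 test-vector secret, used only for the demonstration.
    secret = b"12345678901234567890"
    code = totp(secret, 59)
    print("code at t=59:", code, "verified:", verify_totp(secret, code, 59))
```

The first loop reproduces the Report's finding: the username, password and shared VPN passphrase all collapse to the single category "knowledge", whereas replacing the shared passphrase with a device-bound code yields two categories. The TOTP routine shows why that second category is different in kind: the secret never leaves the enrolled device and the submitted code is only valid for one short time step, so it cannot be written in an email or stored on a shared drive the way a passphrase can.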
Second, the Commissioners focused on the need for strong key and password management practices, such as:
- not storing authentication materials on shared network drives, and
- ensuring that internal systems with access to administrative functions are themselves sufficiently protected,
in situations where an organization collects, uses or discloses sensitive personal information.
In addition to inappropriately sharing a single VPN passphrase between all users to access Avid's networks, the Commissioners found that (a) some passwords and encryption keys were stored as plain, clearly identifiable text in emails and files on employee systems, and (b) an Avid server had an SSH key that was not password protected, potentially enabling an attacker to connect to other servers without having to provide a password. The Report concluded that, based on these issues, Avid did not implement appropriate and reasonable key and password management practices.
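Both findings, keys and passwords sitting in clear text in files and mail, and an SSH private key with no passphrase, are things a periodic scan of employee systems and shared drives can surface. The following is an added example, not code from the Report or from Avid: it decides whether a private-key file is stored encrypted (for the OpenSSH format it decodes the header and reads the cipher name, where "none" means unencrypted; for legacy PEM it looks for the Proc-Type header; a PKCS#8 encrypted container is recognised by its BEGIN line) and flags lines that look like credentials written in the clear. The regular expressions and all sample documents are constructed for the demonstration; the OpenSSH samples contain only the header fields the parser reads, not a usable key.

```python
"""Added example (not from the Report or Avid): flag private keys stored
without a passphrase and credentials left as plain text in files or mail."""
import base64
import re
import struct

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----")

# Constructed patterns for secrets written in the clear; tune for real data.
SECRET_PATTERNS = [
    ("password assignment", re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+")),
    ("vpn passphrase", re.compile(r"(?i)\b(passphrase|shared.?secret)\s*[:=]\s*\S+")),
    ("api key or token", re.compile(r"(?i)\b(api[_-]?key|secret[_-]?key|token)\s*[:=]\s*\S+")),
]


def openssh_cipher(body_b64: str):
    """Read the cipher name from an OpenSSH private-key body. The format is the
    magic string followed by length-prefixed fields; 'none' means unencrypted."""
    blob = base64.b64decode(body_b64)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return None
    pos = len(magic)
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length].decode()


def classify_private_key(text: str):
    """Return 'encrypted', 'unencrypted', or None if the text is not a key."""
    m = PEM_BEGIN.search(text)
    if not m:
        return None
    kind = m.group(1).strip()
    if kind == "OPENSSH":
        body = "".join(ln.strip() for ln in text.splitlines()
                       if ln.strip() and not ln.startswith("-----"))
        return "unencrypted" if openssh_cipher(body) == "none" else "encrypted"
    if kind == "ENCRYPTED":                      # PKCS#8 encrypted container
        return "encrypted"
    if "Proc-Type: 4,ENCRYPTED" in text:          # legacy RSA/DSA/EC PEM
        return "encrypted"
    return "unencrypted"


def find_plaintext_secrets(text: str):
    """List (line_number, label) for lines that look like credentials in the clear."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((number, label))
    return hits


def scan(name: str, text: str):
    """Findings for one document, as a reviewer would triage them."""
    findings = []
    if classify_private_key(text) == "unencrypted":
        findings.append(f"{name}: private key stored without a passphrase")
    for number, label in find_plaintext_secrets(text):
        findings.append(f"{name}:{number}: {label} in plain text")
    return findings


def _openssh_key(cipher: bytes) -> str:
    # Constructed stand-in for a key file: only the header fields the parser reads.
    blob = b"openssh-key-v1\x00"
    for field in (cipher, b"none" if cipher == b"none" else b"bcrypt"):
        blob += struct.pack(">I", len(field)) + field
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample documents (fictional paths and contents, not Avid artefacts).
SAMPLES = {
    "server/.ssh/id_rsa": _openssh_key(b"none"),
    "laptop/.ssh/id_ed25519": _openssh_key(b"aes256-ctr"),
    "legacy.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                  "MIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    "mail/vpn-setup.txt": "Hi all, the VPN shared secret: hunter2-vpn\nSee you Monday\n",
    "notes/db.txt": "host=db01\npassword=Tr0ub4dor&3\n",
    "README.txt": "Rotate keys quarterly; store them in the vault.\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for finding in scan(name, text):
            print(finding)
```

Run as written, the scan reports the unprotected server key, the VPN shared secret in the mail draft and the database password in the notes file, and stays silent on the two passphrase-protected keys and the README. Treating each finding as a ticket to rotate the exposed material, and moving keys and passphrases into a managed secret store, is the kind of key and password management practice the Report asks for.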
In summary, the Report provides helpful guidance as to the required elements of a security governance framework, and highlights the importance of robust authentication and key/password management practices.
E. Conclusion
The Report provides valuable insights into what is required in order for the privacy security measures of a Canadian organization to be considered reasonable and appropriate in connection with the collection, use or disclosure of sensitive personal information.
In the second bulletin of this series we will review additional guidance provided by the FTC in the FTC Opinion, and draw certain conclusions as to what Canadian and U.S. regulators consider to be reasonable and appropriate privacy security measures.
[1] Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
[2] PIPEDA Case Summary #2016-005 - Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner.
[3] LabMD, Inc. v. Federal Trade Commission, (11th Cir. Sept. 29, 2016).
[4] As well as Sections 1.2 and 11.1 of Australia's Privacy Act 1988 (Cth).
[5] 15 U.S.C. § 45(a) and 45(n).
[6] In the FTC Opinion, the FTC referenced the Health Insurance Portability and Accountability Act of 1996's Security Rule as an example, which requires that covered entities "[i]mplement a security awareness and training program for all members of [the] workforce (including management)."