The security steps the company must take are relatively vague. For example, the outside audits must certify that the security program “is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected…”
Still, because a certified outsider must make that determination, the requirement creates a significant and long-lasting burden.
The Ashley Madison breach came to light last August when a group that disapproved of the adulterous nature of the company’s services posted 9.7GB of data pertaining to its customers.
The data posted by a group calling itself The Impact Team included customer birthdates, marital status, answers to security questions, sexual preferences and some credit card numbers and billing addresses. It also included information about customers who had paid $19 to have their data fully deleted, according to the complaint.