Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said the impact a public censure can have on consumer trust in an organisation and on its profitability can be greater than any regulatory penalties it may be issued with.

Dautlich was commenting after privacy watchdogs in Australia and Canada closed a joint investigation into the circumstances behind the Ashley Madison data breach, which saw the personal data of millions of the website’s users posted on the internet. The authorities found that Toronto-based Avid Life Media (ALM), the company behind the website, was responsible for a series of breaches of privacy laws in both countries.

The Office of the Privacy Commissioner of Canada (OPC) and the Office of the Australian Information Commissioner (OAIC) have both accepted commitments from Avid Life Media to take steps to improve information security and comply with local legislation.

“By entering into a compliance agreement with the Canadian commissioner and an enforceable undertaking with the Australian commissioner, the company will be subject to penalties should they fail to comply with privacy laws in a timely fashion,” Dautlich said. “Perhaps most damaging to the business, however, will be the reputational consequences of having been formally censured by the two watchdogs and the long-term impact on the business’ bottom line as a result.”

“Ashley Madison’s shortcomings were generally avoidable through relatively straightforward measures, and the cost of the consequences which it has now incurred are far greater than the cost of prevention would have been,” he said.

In their report, the privacy watchdogs flagged failings in data security that Avid Life Media was responsible for.

“Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security,” the Canadian and Australian authorities said in their report. “Certain security safeguards in some areas were insufficient or absent at the time of the data breach.”

The OPC and OAIC also said that a fake security trust-mark had been displayed on the Ashley Madison website and that it had therefore tried to deceive users of the website into believing that it applied high standards of data security that had been independently endorsed.

In doing this, the company failed to ensure that it obtained valid consent from users for the collection and processing of their data, the report said.

“Given the nature of the services being offered by the Ashley Madison website (that is, facilitating affairs) and the discretion sought and expected by users, it is reasonable to expect that some individuals may have chosen not to share their personal information with ALM if they had not been misled at registration by the fictitious security trust-mark, and if they had been made aware that ALM would retain their information indefinitely unless they paid a fee for deletion,” the report said.

Canada’s privacy commissioner Daniel Therrien said it is “unacceptable” for organisations to handle large amounts of sensitive personal data without having in place “a comprehensive information security plan”.

The OPC and OAIC said there were lessons for all organisations to learn from the Ashley Madison case. One of the lessons is that businesses should ensure they have “a coherent and adequate governance framework” to support privacy safeguards.

“To meet their obligations under [Canadian privacy laws], any organisation that holds large amounts of PI (personal information) must have safeguards appropriate to, among other factors, the sensitivity and amount of information collected,” the authorities said.

“Moreover, such safeguards should be supported by an adequate information security governance framework, to ensure that practices are ‘appropriate to the risks’ and ‘consistently understood and effectively implemented.’ In the context of ALM, the investigation concluded that the lack of such a framework was an ‘unacceptable shortcoming’ which ‘failed to prevent multiple security weaknesses’,” they said.

The watchdogs said organisations that hold sensitive personal data or large volumes of personal information of any kind should implement a range of “information security measures”. These include operating a security policy, accounting for information security issues within risk management processes, and providing adequate privacy and security training for all staff.