Ashley Madison hack: There is no such thing as guaranteed data security
This post was written by Michael Whitener, partner at VLP Law Group
The typical website privacy policy begins by telling you earnestly, “We understand privacy is important to you.” That assurance takes on special meaning if the website’s mission is to help philandering husbands and wives engage in covert affairs.
Such is the mission of Ashley Madison, an online dating service owned and operated by Avid Dating Life, Inc. that has attracted some 37 million registered members. As has been widely reported, the Ashley Madison servers were hacked earlier this week. The hackers claiming responsibility for the cyberattack are threatening to release the names, passwords and financial transactions of Ashley Madison members if the website is not shut down.
Every major data breach gives rise to questions of liability, and the Ashley Madison breach is no exception. The threshold question is: what security promises did Ashley Madison make to its members when they joined?
For an online service dedicated to facilitating hanky-panky, the Ashley Madison privacy policy and terms of service are remarkably buttoned down:
- Privacy policy. The privacy policy contains clear disclosures regarding the website’s collection, use and sharing of personally identifiable information – and yes, it says that “the protection of your privacy is very important.” With respect to security measures, the privacy policy promises: “We use industry standard practices and technologies including but not limited to ‘firewalls,’ encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.” As a Canadian (Toronto-based) company, Avid Life Media even cites Canadian data privacy law and claims to “fully adhere to it.”
- Terms of service. The terms of service back away from the bold promises of the privacy policy, saying “we cannot ensure the security or privacy of information you provide through the Internet and your email messages.” Moreover, there’s a comprehensive release of claims against Ashley Madison for any damages “related to the release or use of such information by third parties.” The disclaimer of warranties includes a disclaimer that the service is “secure.”
Despite the careful attempt in Ashley Madison’s terms of service to avoid liability for a data breach, the company faces two primary liability threats:
- Class action lawsuit. Already there are rumblings of a class action lawsuit being launched on behalf of Ashley Madison members whose personal information was breached. Gathering class action participants in this context faces the obvious challenge of requiring Ashley Madison subscribers to confess their membership; but Canadian law does allow for protection of class action participants’ identities. The lawsuit presumably would be based in part on the failure of Ashley Madison to maintain the security protections promised in its privacy policy, regardless of the liability limits in its terms of service. Compliance with the assurance of “strong data encryption” in particular will be scrutinized.
- Regulatory action. As a Canadian company, Ashley Madison may face sanctions under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires that organizations such as Ashley Madison implement security safeguards protecting personal information from loss, theft, and unauthorized access, disclosure, copying, use or modification. Sensitive information – which includes the credit card data that the Ashley Madison hackers reportedly obtained – requires heightened security measures. PIPEDA authorizes the federal Privacy Commissioner to both investigate complaints by individuals and initiate investigations on its own. While the Privacy Commissioner has not been as activist as the U.S. Federal Trade Commission in taking privacy-related enforcement actions, it is empowered under PIPEDA to impose fines and other sanctions.
Ashley Madison is reportedly working with law enforcement officials to track down the hackers, but that is scant comfort to the millions of Ashley Madison registrants, who must be working on their explanations and apologies to spouses and significant others, just in case the hackers make good on their threat to publicly “out” them.
If there’s a lesson to be learned, it’s that there is no such thing as guaranteed data security. For the individual, private lawsuits and regulatory action may result in payment of damages (and sanctions for lax data security practices), but data breached may be data lost, and possibly shared with the wider world. For the breached enterprise, the negative publicity and resulting loss of business can be fatal. That is especially the case when – as with Ashley Madison – the foundation of your business model is discretion and secrecy.
Michael Whitener is a partner at VLP Law Group. His legal practice focuses on two areas: (1) technology transactions, including software licensing and alliances, cloud computing, web hosting and outsourcing agreements; and (2) corporate compliance, particularly regarding data privacy and anti-corruption laws.
