Ashley Madison hack: There is no such thing as guaranteed data security
This post was written by Michael Whitener, partner at VLP Law Group
Such is the mission of Ashley Madison, an online dating service owned and operated by Avid Dating Life, Inc. that has attracted some 37 million registered members. As has been widely reported, the Ashley Madison servers were hacked earlier this week. The hackers claiming responsibility for the cyberattack are threatening to release the names, passwords and financial transactions of Ashley Madison members if the website is not shut down.
Every major data breach gives rise to questions of liability, and the Ashley Madison breach is no exception. The threshold question is: what security promises did Ashley Madison make to its members when they joined?
Despite the careful attempt in Ashley Madison’s terms of service to avoid liability for a data breach, the company faces two primary liability threats, regulatory action and private lawsuits:
- Regulatory action. As a Canadian company, Ashley Madison may face enforcement action under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires organizations such as Ashley Madison to protect personal information with security safeguards appropriate to its sensitivity, guarding against loss, theft, and unauthorized access, disclosure, copying, use or modification. More sensitive information, which includes the credit card data the Ashley Madison hackers reportedly obtained, must be protected by a correspondingly higher level of safeguards. PIPEDA authorizes the federal Privacy Commissioner both to investigate complaints by individuals and to open investigations on the Commissioner’s own initiative. The Privacy Commissioner has been less activist than the U.S. Federal Trade Commission in privacy-related enforcement, and PIPEDA does not give the Commissioner the power to impose fines directly: the Commissioner’s findings and recommendations are not binding on their own, and binding remedies come from the Federal Court, to which the Commissioner or a complainant may apply for orders requiring an organization to correct its practices, publish notice of the corrective action taken, and pay damages to affected individuals.
Ashley Madison is reportedly working with law enforcement officials to track down the hackers, but that is scant comfort to the millions of Ashley Madison registrants, who must be working on their explanations and apologies to spouses and significant others, just in case the hackers make good on their threat to publicly “out” them.
If there’s a lesson to be learned, it’s that there is no such thing as guaranteed data security. For the individual, private lawsuits and regulatory action may result in payment of damages (and sanctions for lax data security practices), but breached data may be data lost for good, and possibly shared with the wider world; no damages award can undo its disclosure. For the breached enterprise, the negative publicity and resulting loss of business can be fatal. That is especially the case when, as with Ashley Madison, the foundation of the business model is discretion and secrecy.
Michael Whitener is a partner at VLP Law Group. His legal practice focuses on two areas: (1) technology transactions, including software licensing and alliances, cloud computing, web hosting and outsourcing agreements; and (2) corporate compliance, particularly regarding data privacy and anti-corruption laws.