Ashley Madison, the self-described “world's leading married dating service for discreet encounters,” is the latest high-profile social media website to sustain a cyberattack. Established to provide an opportunity for married persons to engage in extramarital affairs, Ashley Madison boldly proclaims that it is the “most successful website for finding an affair and cheating partners.” Now, with media sources reporting the public disclosure of the names, addresses, credit card information and phone numbers of its 37 million members, the cheat facilitator has been cheated in what will likely amount to a very costly breach.

Subscribers who were promised “discretion” and then had their names and personal information revealed to the world may seek compensation or damages. Some may lose their jobs. Others will lose spouses, children and the support of family members. There may be credit card fraud and identity theft. As seen in many previous incidents, there can be widespread damage arising from the disclosure of such personal information.

All eyes are now on Ashley Madison as it determines the extent of the breach. How will it respond to angry subscribers who claim to have lost everything? The simple “they got what they deserved” defense will not likely succeed, even in the most conservative venues. The brashest “cheating partner” has an expectation of privacy.

Analysis

Ashley Madison will likely defend itself by pointing to terms and conditions of use and its privacy policy. Among the terms and conditions of the membership subscription, Ashley Madison states:

“Although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages. Our privacy policy is incorporated into the Terms by this reference. You agree to release us, our parent, subsidiaries and affiliated entities and our and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, know[n] and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.”

Ashley Madison further provides in its privacy policy:

“We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII [personally identifiable information], we use industry standard practices and technologies including but not limited to ‘firewalls,’ encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.”

What remains to be seen is the effectiveness of those terms in minimizing exposure for damages tied to the compromised information. Recent cases arising out of the unauthorized public presentation of private information, and the protections afforded to social media sites by their “terms” and “privacy policies,” have focused on whether the user is “on notice” of the risks. The courts have examined whether the provider has disclosed sufficient information to place the user on notice of the risks they assume when participating on the site, and have found that such determinations involve questions of fact sufficient to survive summary dismissal. As such, whether the Ashley Madison terms and policies sufficiently advised its subscribers of the risks and consequences of potential loss will likely be a question left for a jury.

Additionally, as crafted, the question of whether Ashley Madison has kept its promises set forth in the terms and conditions and privacy policy will also be a question left to be decided by a jury. Considering its own language, whether Ashley Madison maintained “the necessary safeguards” and adhered to the “industry standard practices and technologies” to protect data against loss and unauthorized access will need to be decided by a jury following the presentation of evidence by the parties as to what those safeguards and standards must entail.

Summary

In the end, the forthcoming lawsuits will place Ashley Madison in the uncomfortable position of defending its preparation for the inevitable data breach prophesied by industry professionals for the past several years. Ashley Madison’s data retention policies, which include the preservation of credit card and PayPal information, will be scrutinized. The extent of its encryption and multilevel authentication practices will be carefully examined. As noted above, its promises and attempted disclaimer of responsibility also will be closely evaluated. The months ahead will be long for Ashley Madison.