Online businesses using third party services could potentially face claims in multiple jurisdictions if a personal data breach occurs. The recent attack on the Ashley Madison website has highlighted yet again the importance of ensuring that robust systems are in place to protect customer information.
The dating site, which is aimed at married people who want to have an affair, was hacked by an individual or group known as The Impact Team. The Impact Team has threatened to release users’ profiles (including details of their fantasies and naked pictures) if Ashley Madison and its sister site, Established Men, are not shut down. It claims to have already released 2,500 customer records, but Ashley Madison has denied this, saying that only two names were released. Ashley Madison is owned by Avid Life Media which is based in Toronto, but has millions of users worldwide who may be affected by this breach.
The Data Protection Directive (Directive 95/46/EC) requires the legislation of each EU member state to apply to the processing of personal data where the data controller is established within that member state or, even if not established within the EU, makes use of equipment (automated or otherwise) situated within that member state, except where that equipment is used only for the purposes of mere transit through that territory.
It appears that the Ashley Madison website started using Cloudflare’s Content Delivery Network (“CDN”) on 23 July 2015 after their website was hacked. Cloudflare (which reportedly provides security to the hacker group, Lulzsec) distributes web content by routing traffic through their global network which is powered by 36 data centres around the world including 13 located in Europe. Generally only static website content, which typically includes images or videos, is saved on Cloudflare servers, but other web content including user profile information is likely to pass through their servers before reaching the end user. It seems likely that Ashley Madison’s web content is still being hosted in the US or Canada and is merely transiting through Cloudflare’s servers.
However, businesses should ensure that they properly understand the services they receive from third parties as the Data Protection Working Party has stated that the application of the Directive could be triggered by third parties if their services use calculating facilities, run java scripts or install cookies with the purpose of storing and retrieving personal data of users.
The Impact Group has announced its intention to release further customer information. If the European directive was triggered this could open Ashley Madison up to claims in multiple jurisdictions should there be any further data protection breaches in future. Luckily for Ashley Madison, potential claimants may be reluctant to draw any further attention to their indiscretions by bringing a case.
Ashley Madison will have a defence against any claims if it can show that appropriate measures were put in place to protect personal data against unauthorised and unlawful processing. The CEO of Avid Life Media, Noel Bidderman, indicated that the person responsible for the attack had been identified, saying that it was not an employee but someone who had touched their technical services. One immediate question is what background checks were carried out on this individual and the level of access he/she was given to confidential customer information. Nevertheless, even if Ashley Madison did everything in its power to protect customers’ personal information, the breach is likely to have a severe impact on the business.
As a result, Ashley Madison’s plans to list its shares on the London Stock Exchange are now in doubt. This is more than sufficient warning to all businesses whose reputation depends upon the safe storage of the personal data of its customers.