Ashley Madison, the self-described “world's leading married dating service for discreet encounters” is the latest high-profile social media website to sustain a cyberattack. Established to provide an opportunity for married persons to engage in extramarital affairs, Ashley Madison boldly proclaims that it is the “most successful website for finding an affair and cheating partners.” Now, with media sources reporting the public disclosure of the names, addresses, credit card information and phone numbers of its 37 million members, the cheat facilitator has been cheated in what will likely amount to a very costly breach.
Subscribers who were promised “discretion” and then had their names and personal information revealed to the world may seek compensation or damages. Some may lose their jobs. Others will lose spouses, children and the support of family members. There may be credit card fraud and identity theft. As seen in many previous incidents, there can be widespread damage arising from the disclosure of such personal information.
All eyes are now on Ashley Madison as it determines the extent of the breach. How will it respond to angry subscribers who claim to have lost everything? The simple “they got what they deserved” defense will not likely succeed, even in the most conservative venues. The brashest “cheating partner” has an expectation of privacy.
“We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII [personally identifiable information], we use industry standard practices and technologies including but not limited to ‘firewalls,’ encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.”
What remains to be seen is the effectiveness of those terms in minimizing exposure for damages tied to the compromised information. Recent cases arising out of the unauthorized public presentation of private information and the protections afforded the social media sites secondary to “terms” and “privacy policies” have focused on whether the user is “on notice” of the risks. The courts have examined whether the provider has disclosed sufficient information to place the user on notice of the risks they assume when participating on the site, and that such determinations involve questions of fact sufficient to survive summary dismissal. As such, whether the Ashley Madison terms and policies sufficiently advised its subscribers of the risks and consequence of potential loss will likely be a question left for a jury.
In the end, the forthcoming lawsuits will place Ashley Madison in the uncomfortable position of defending its preparation for the inevitable data breach prophesied by industry professionals for the past several years. Ashley Madison’s data retention policies, which include the preservation of credit card and PayPal information, will be scrutinized. The extent of its encryption and multilevel authentication practices will be carefully examined. As noted above, its promises and attempted disclaimer of responsibility also will be closely evaluated. The months ahead will be long for Ashley Madison.