Avid Dating Life Inc (ADL), the company behind the US-based Ashley Madison online (extramarital) dating service, are being held to ransom by a hacker known by the pseudonym "the Impact Team".
Rather than attempting to extort a payment from ADL, the Impact Team are demanding that the Ashley Madison site (and the related site Established Men) be permanently taken down and deleted. If their demands are not met, the Impact Team are threatening to release Ashley Madison member records online, including real names and addresses, credit card details, and other highly sensitive information (including sexual preferences and intimate photographs) contained within those profiles.
While consumers of online news might find these developments amusing, cyber risk insurers, and the businesses they seek to insure, must be alive to the potentially serious implications of a cyber hack such as this. Cyber insurers may wish to revisit their offerings in light of the issues identified below. And businesses that collect, store and share personal data should use this incident as a catalyst for reviewing their own cyber resilience plans.
Discretion is the primary concern of Ashley Madison members, and the ADL business model is based on complete confidentiality. The Impact Team has exploited this desire for confidentiality by threatening to publicly identify site members, causing damage to the ADL brand in the process.
Though perhaps an extreme example, the incident should highlight to cyber risk insurers the desire for businesses to protect their brand from negative publicity flowing from data breaches. Insurers offering comprehensive first party cover for public relations and related expenses are therefore more likely to be attractive in the aftermath of the Ashley Madison affair.
Misleading or deceptive conduct?
In apparent recognition of the importance of privacy, the Ashley Madison site offers a 'full delete' service, which purports to allow members the option of deleting their profiles without a trace. The profits ADL made from this service are cited as a factor motivating the Impact Team, who assert that, despite the 'full delete' representations, Ashley Madison members cannot completely delete their personal data (and therefore should not have been induced to pay for such a service).
Recovery for relationship breakdown costs?
Some US commentators have raised the possibility that ADL may face liability for costs incurred as a result of relationship breakdowns following any actual publication of member names and addresses by the Impact Team. While this is an interesting idea, there are a number of hurdles that would need to be overcome before such claims could succeed in Australia.
Putting to one side any contractual terms (such as limitations or exclusions on liability contained in terms and conditions of service), the first and potentially biggest hurdle is that claims for relationship breakdown costs will, for the most part, amount to claims for pure economic loss under Australian law. Consequently, a duty of care will only be found to exist in exceptional circumstances, and the courts would no doubt have concerns about factors such as the indeterminacy of liability if asked to impose such a duty on an organisation such as ADL. Even if a duty of care were found to exist, valid arguments could be made with respect to contributory negligence, causation and voluntary assumption of risk (where available) to defeat or significantly reduce any claim for relationship breakdown costs.
But while recovery for relationship breakdown costs is unlikely to occur on this occasion, the Ashley Madison data breach is a timely reminder for cyber risk insurers, and the businesses they insure, that new and innovative claims may flow from data breaches.
Insurers should revisit the scope of any pure economic loss exclusions in their cyber offerings. And businesses concerned about possible claims resulting from data breaches should review their terms and conditions to ensure that liability is appropriately limited or excluded (to the extent that it is possible to do so having regard to the Australian Consumer Law).
The Impact Team's call for the Ashley Madison site to be permanently deleted in all forms emphasises the importance of business continuity in the context of cyber resilience plans and cyber risk insurance. ADL has not commented on whether it will shut down in the face of the Impact Team's threat, but it remains a possibility if the hackers cannot be identified.
Insurers should consider how cyber insurance offerings will respond in the event of a total loss such as that faced by ADL. Waiting periods and sub-limits on liability for business interruption losses should also be reviewed in light of the Ashley Madison incident.
Businesses vulnerable to cyber extortion attempts should ensure that their cyber resilience plans foreshadow a 'doomsday' scenario such as that faced by ADL. It would also be prudent to make provision for self-funded business continuity during qualifying periods and after limits of liability have been exhausted under cyber risk policies.
The ADL data breach is a timely reminder for Australian businesses and insurers, following the Cupid Media data breach a year ago, that special obligations apply in respect of 'sensitive information' as defined under the Privacy Act 1988 (Cth), which includes such matters as an individual's sexual orientation and practices.
An entity subject to the Privacy Act must not collect sensitive information about an individual unless certain requirements are met, and these requirements are more onerous than for non-sensitive information.
Insurers should revisit their regulatory costs cover in light of the additional obligations that apply to the protection of sensitive information. Businesses that collect sensitive information are also encouraged to revisit their privacy obligations in light of this incident.
Whatever the ultimate outcome of the Ashley Madison affair, cyber risk insurers, and the businesses they seek to insure, should use it as a prompt to revisit their own cyber offerings, resilience plans, terms and conditions and privacy policies, so as to identify and address any potential consequences for their organisations.