Mahisha Rupan, senior associate, at technology and digital media law firm, Kemp Little comments on the fallout of the Ashley Maddison hack… offering guides on the legal implications.
The legal implications of the Ashley Madison hack
“Legally, Ashley Madison has to ensure that its users’ information is protected using security measures that are in proportion to the sensitivity of the personal information being protected. Given that the hackers claim to have collected “secret sexual fantasies, nude pictures, credit card transactions, real names and addresses as well employee documents and emails”, it is arguable that Ashley Madison should have been using state-of-the-art security technology.
“However Ashley Madison is actually quite elusive about its security techniques – it only states that it will be using “industry standard” technologies and practices, which inevitably begs the question, what industry is being referred to? Most individuals would expect a higher standard of security to be used by Ashley Madison than other online services.
Another legal obligation is that Ashley Madison should not be keeping its users’ information for longer than necessary.
“Given that the hackers accessed information about users who have stopped using the service and requested the “paid delete” functionality, Ashley Madison will need to have a strong and justifiable reason as to why it still held these users’ information. Making sure that you’re not hoarding data and that you have in place clear data deletion practices are key components of being a good data custodian.”
ICO fine?
“Ashley Madison could be fined by the ICO if they are found to have breached the Data Protection Act 1998. At this stage, it is unclear how the hackers were able to access the data and whether there was a breach of data protection laws – were Ashley Madison’s security measures inadequate and vulnerable to attack or were the hackers highly skilled at being able to circumvent a sophisticated data security regime.
“The damage to customer trust and reputation is likely to be a bigger blow to Ashley Madison than any fines levied by the ICO (which are capped at £500,000). Regardless of whether you agree with the service offered by Ashley Madison, its users trusted Ashley Madison with large quantities of deeply personal data and are likely to be feeling incredibly let down, especially since Ashley Madison’s USP is discretion (according to their website, they are “firmly committed to privacy”).”
The hackers’ claim that profiles were not deleted has been disputed by the site
“Unusually Ashley Madison offers two services for users leaving the service; they can simply cancel their subscription or they can cancel and pay for the “complete profile removal” option which promises to remove the existence of the users’ profile, including any messages and photos sent.”
“A key cornerstone of data protection laws is that companies should not be keeping data that it no longer requires. For those users that didn’t opt for the paid deletion route, it is unclear why Ashley Madison would be keeping their profiles alive. Users could potentially have a claim under data protection laws that Ashley Madison was holding excessive amounts of out-of-date information. Additionally it is possible that the users would have a breach of contract claim against Ashley Madison for violating its own terms and conditions.”
Potential damages
“If there has been a breach of data protection laws, the Information Commissioner’s Office (“ICO”), who regulates data protection in the UK, has the power to issue monetary fines of up to £500,000 for a serious breaches that are likely to cause substantial distress. Given the sensitivity of the data that has been collected by the hackers, it is highly likely that the regulator will inflict a larger fine if Ashley Madison has not been compliant with the principles of data protection.”
Past example
“The ICO fined Sony £250,000 when its PlayStation network platform was hacked and the data of millions of customers was compromised. Recently the ICO fined South Wales Police £160,000 for losing sensitive information that was used as evidence in sexual abuse trial. For the most part, the larger fines tend be levied when inadequate security measures have been used by companies.”
By Mahisha Rupan
Senior associate
Kemp Little