Monday, August 31, 2015

Ashley Madison

With all the news about the Ashley Madison leak, I feel like I have to weigh in on the cybersecurity issues of the leak. And given that I just graduated from law school, I also have to weigh in on the legal aspects...

I think this company keeps making dumb move after dumb move. First, from what I understand, the information was released because Ashley Madison charged people to remove their information from the system but failed to remove it. In the US, I would think this would be a pretty clear case of negligence (Ashley Madison is a Canadian company, so Canadian law would probably apply, and although it's probably similar, I don't know Canadian law). Negligence in the US requires four elements: duty, breach, causation, and damages. Duty means that you're required to do something or to refrain from doing something. Breach is when you are supposed to do something and you fail to do it, or when you are supposed to refrain from doing something and you do it anyway. Causation can be tricky, but in essence it means the breach caused something bad to happen and the harm is not so far removed from the facts that the law cuts off liability. To use an example, if you take your vacuum to be repaired and the repairman fails to fix it, that's causation. If, however, you take it to be repaired, the repairman doesn't fix it, you needed the vacuum because it scares away a mountain lion that lives in your backyard, and now that you don't have the vacuum you get attacked by the mountain lion, that's usually too unforeseeable and the law won't hold the repairman responsible. Finally, damages are the negative consequences you suffered because they breached a duty they owed you.

In the Ashley Madison case, they had a duty to remove the information because they charged people to remove it; by taking the money, they took on that duty. When they failed to remove it as agreed, they breached their duty. This caused the information to become publicly available, and people have suffered damages to their marriages because of the leak. The reason I would handle it under tort law instead of breach of contract is that I believe I'd get higher damages, and I could easily add claims for dignitary torts such as false light or invasion of privacy.

Second, the reward they are offering for information about the people who leaked the information is insulting. $500,000 Canadian dollars is roughly $378,000 US dollars, but they've already suffered more than this in the publicity nightmare. When countries around the world are talking about your brand on the evening news in terms of the size of the hack, and the discussion continues for a week or two, you might as well close your doors and file for bankruptcy. You cannot buy that goodwill back. And from a user's perspective, $378,000 divided by the 37 million names released means that, as a user, your information is worth a little over a penny to the company. Think in terms of the impact on a person whose spouse has filed for divorce, or who lost a job because they signed up with a work email: how much does that user think their information is worth? Probably well over a penny. Whoever did the valuation that led them to offer $378,000 is nuts.

Even though I'm looking at it in terms of cybersecurity, this is an example of a blunder so basic that the discussion should start past it. Does a company really need to be told that if it charges money to remove a user's info, it had better actually remove it? Does it really need to be told that its reward is insulting, and nowhere near high enough to provide a tipping point that outweighs the damage it did? Sadly, apparently so.