The Ashley Madison cyber attack may well be the most publicized hack of the century, owing to the controversial nature of the cheating-enthusiast site and the apparent schadenfreude, online rubbernecking, and moral debates it has inspired. People are talking, and it’s worth taking a look at whether they’re talking about the key takeaways from this cyber event.
In July, hackers calling themselves the Impact Team announced they’d infiltrated the systems at Avid Life Media and threatened to release reams of data on users of ALM’s dating website unless the firm took down the Ashley Madison and Established Men websites it runs. ALM did not submit to the extortion, and the data was dumped. And the Internet began having a field day, with many rejoicing at the exposure of a few public figures as hypocrites and others asserting that the cheaters and ALM simply got what they deserved. Many pundits quite rightly pointed out that releasing the personally identifiable information of Ashley Madison customers hurts those individuals far more than it does the corporation. It also runs the risk of exposing people with entirely legitimate reasons for using the dating website – gay or bisexual people in countries with discriminatory laws against being gay, for example.
And while I care naught for debating the ethics or intentions of anyone using Ashley Madison, I do so very much care about discussing potential liability issues. And this particular hack brings to mind any number of consequences, some of which may already be taking shape. These include the investigation in Toronto regarding two suicides that may be linked to the revelations of the hack, and the lawsuits that have already been filed against the company.
At the most basic level, this event involved the theft and publication of private data. In a twist from most data breaches, the information became very, very public. Anyone with the vaguest sense of how the Internet works could download or search the details – so, not me, in other words, because I’m generally mystified and terrified by the darknet. But for those differently motivated folk, there it is, a whole digital sheaf of emails for spamming, credit card numbers for scamming, and signals (between cheaters and their potentially unknowing spouses) for jamming. Reports have already come out about extortion attempts against users, with schemers threatening to reveal to loved ones the lurid details.
And who’s responsible for the outcome? The executives and security team at Ashley Madison? (Spoiler alert: probably.) The company turned out to be guilty of many of the accusations of the hackers, such as keeping data going back seven years, charging users a fee to delete profiles and then never actually doing so, and populating the site with what appear to be many, many fake-lady profiles.
How about the hackers? Well, yes, definitely, because although adultery is illegal in some jurisdictions, hacking is fairly universally frowned upon, even when fueled with a sense of vigilante justice. Or could it be the users themselves? This hack is likely the first in which the court of public opinion appears to have also assigned blame to the consumers/victims of the data breach. No one was saying to me when my credit card was replaced after Target’s 2013 breach, “Well, what were you doing there anyway? You were really asking for it, shopping at Target, no matter how cute some of their dresses are.”
For the insurance industry, it’s not too much of a stretch to assume that this event could ultimately impact lines of business other than cyber. Say an Ashley Madison customer used a professional email address to sign up for the site – could this lead to a job termination, and in what cases would that action be considered discrimination? I chatted with attorney Wynter Deagle of Mintz Levin’s San Diego office, who also wrote an excellent blog post on the issues stemming from the AM hack, about the possible impact.
“If you look a little deeper, it has very real ramifications for a lot of companies,” she said, citing the increased risk of spear phishing emails to work email addresses. “For a lot of employers, the question you want to ask is, ‘It’s 2015, where is your workplace?’ There are a lot of paths for incursion that employers don’t think about.”
The potential for crossover into the field of employment practices liability insurance reveals some discussions that insurers, brokers, and insurance buyers need to have. It stands to reason that if an employee loses their job over their after-work activities, there could very well be wrongful termination lawsuits. Deagle suggested that the decision to terminate an employee based on information revealed by the AM hack likely turns on the employee agreements and policies in place at an organization.
“Do you have an employment agreement? Do you have a handheld data device? And if so, did what they do breach it? Or did they break the law? If it’s not unlawful, then you can’t terminate them for participation,” commented Deagle. “It breaks down to two things – can you fire them for just being present on the site or if their use of the email address led to an incursion of the work network?”
With every data breach that occurs, new concerns come to light and the public demands answers and restitution, though not always from the correct parties. Every organization can and should be preparing for a damaging cyber attack, especially as lawmakers and regulators consider more in-depth legislation and regulators pursue stiffer penalties. Until businesses and society can effectively combat hackers, online privacy may only be an illusion.