BreachExchange mailing list archives

A Tale of Two Hacks: How Ashley Madison's Legal Woes Differ From Sony's


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Sep 2015 14:09:39 -0600

http://www.hollywoodreporter.com/thr-esq/a-tale-two-hacks-how-819827

In what's become a familiar story, hackers once more have exposed a massive
amount of personal information from a corporate database, supposedly for
activist ends. Like with the hack on Sony Pictures in November, the
lawsuits against Ashley Madison were quick to follow.

At least six complaints have been filed in federal court against Avid Life
Media, the parent company of the infidelity website, over hackers'
disclosure of information from about 32 million users, including credit
card data and sexual preferences. "We are aware of reports concerning
lawsuits being filed against Avid Life Media. Avid Life Media Inc. will
address any litigation in the appropriate forum," a company spokesperson
tells The Hollywood Reporter.

The litigation resembles the string of eight class-action complaints that
current and former Sony employees filed over the hack on the studio (some
of which were consolidated into a federal action now in settlement
proceedings; others in state court are on hold). In both instances, the
people whose information hit the web say the hacked companies didn't do
enough to protect their data and ignored the hackers' threats, prompting
claims including invasion of privacy and negligence.

But look closer and the differences come into view. For one thing, the Sony
lawsuits (and data breach cases against Target, Home Depot and other big
corporations in recent years) don't run the risk of plaintiffs wanting
anonymity to conceal their membership on the site. The six complaints were
filed under the aliases "John Doe" or "Jane Doe," but there's no guarantee
the court will permit the plaintiffs to stay anonymous. "I think that will
be a problem for finding an individual class representative," says Jonathan
Steinsapir, an L.A. litigator.

If anonymity will deter the Ashley Madison plaintiffs, they will have other
advantages. "In some ways it's a lot easier to prosecute the claims," says
Scott Vernick, an expert on data security litigation. He says the litigants
will face less difficulty proving legal standing and damages on several
claims.

Vernick told The Hollywood Reporter in January Sony could defend the
lawsuits by claiming the plaintiffs should file for workers' compensation
in a separate court. (Sony hasn't employed the defense so far.) There’s no
such possible out for Avid, which was sued by customers rather than
employees.

Nor will the Ashley Madison plaintiffs face the Sony employees' difficulty
proving actual damages (not just the risk of future harm), a common
challenge in hacking lawsuits. (Sony's defenses so far have questioned
whether former employees can prove identity theft resulted from the hack.)
Some Ashley Madison users paid the company to delete their profiles, but
reportedly the company charged them $19 without deleting personal
information like addresses and birth dates. "No problem with demonstrating
an injury there," says Vernick. "That's a real, tangible out-of-pocket
loss."

It could get the company in trouble with the federal government, says
Patrick Fraioli, another L.A. litigator. The lawsuits coincide with a court
decision Aug. 24 granting the Federal Trade Commission control over
corporate cybersecurity. The FTC could find Avid scammed customers with the
fees for profile deletion. "Those regulatory fines are big. They do not
like it when you lie to consumers," says Fraioli. He notes the FTC might
defer to Avid’s home country: "It's not like Canada doesn't give a shit.
Canada cares at least as much about privacy as the U.S."

Some of the complaints include the rarer claim of infliction of emotional
distress, which requires plaintiffs to prove severe or prolonged
disturbance, often with the testimony of medical experts. "[Emotional
distress allegations for hacking] are usually claims where you start to
say, 'they couldn't think of anything better?'" says Steinsapir. "This is
the exception where, ok, I get it." Reports are already circulating of
suicides connected to the Ashley Madison leak, making medical proof of
emotional distress not seem unlikely.

Even the more general negligence claim might be easier for the Ashley
Madison plaintiffs to prove due to the site's emphasis on privacy.
Negligence claims are evaluated against a "standard of care" representative
of the precautions a “reasonable” person would expect. Because privacy is
central to Ashley Madison's business, lawyers predict the jury would find
Ashley Madison's "standard of care" uniquely high. “If you interviewed
every single person who used that site, they would say, ‘of course I
thought I was here privately,'" says Fraioli.

Still, the plaintiffs likely will face bias not present in the remaining
Sony suits if they go to trial (which they probably won't, given the record
of hacked companies settling the subsequent lawsuits). "Legally the claims
might be just as good as the Sony claims, but emotionally there’s going to
be more resistance to them," says Steinsapir. "Judges are human beings and
jurors are human beings. They might think the people complaining are, to be
superficial about it, bad people."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/