Matthew Keilson – In July and August of this year, hackers infiltrated Ashley Madison – the world’s leading “married dating service for discreet encounters.” The digital hack released the names, emails, and private profile information of upwards of thirty million users worldwide. Naturally, a slew of multi-million dollar lawsuits followed. Former users filed suit against Ashley Madison in California, Texas, Missouri, Georgia, Tennessee, and Minnesota. The largest suit, however, originates from Canada. In this $578 million class action, Toronto-based litigation firms Charney Lawyers and Sutts, Strosberg, LLP allege that Ashley Madison failed to protect its users’ information. The action specifically seeks damages for negligence, intrusion upon seclusion, breach of contract, breach of consumer protection statues, and breach of privacy.
Additionally, the Rosen Law Firm of New York released a statement encouraging users to join a prospective consumer fraud class action suit against Ashley Madison. It reads, “[t]he Company…attracted users by advertising and marketing a ‘Full Delete’ service which promised to completely eliminate user profiles and all associated data for a fee….the Full Delete service did not eliminate all traces of the user, and in fact, the third party hacker was able to obtain personal information about users.”
Avid Life Media, parent company of the controversy-ridden online dating service, AshleyMadison.com, attempted to allay its users’ anxiety over the privacy of their data, writing, “Recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated. The company continues its day-to-day operations even as it deals with the theft of its private data by criminal hackers.”
For a company whose business turns on discretion, a hack, arguably, represents its worst-case scenario. Given that it offered a paid “Full Delete” option, Ashley Madison was no doubt aware that its customers feared exposure above anything else.
To view the hack as an isolated episode of karma, however, may be missing a greater lesson. The public’s tendency to praise the hacker as the “Robin Hood” of monogamous romance —robbing data from the unfaithful and releasing it to the masses — may blind the public to the increasing danger presented by the monetization of consumer data. That monetization calls for the public to rethink how it analyzes risk with regard to digital business.
Historically, businesses and investors dealt with external risk factors ¾ like political turmoil and market changes in demand. Because businesses cannot directly control external risk factors, they must hedge their exposure with a variety of risk management tools. With these hedging tools, businesses regain some control over their profitability. But, the only tool available to manage the external risk of a hack is a strong, defensive security system. Even some of the largest and most profitable businesses have inadequate data security. The increasing frequency and scope of hacking suggests that advances in security lag behind developments in hacking.
In Ashley Madison’s case, the company found a way to profit from the hoards of data collected from former and inactive users by offering to permanently delete their information from its servers – an interesting idea marred only by the company’s inability or unwillingness to actually follow through. An investor who would have praised such an effort in light of Ashley Madison’s rumored IPO may now see the mass collection of consumer data as a pure liability, immune to traditional risk management. Whereas other risk factors can be countered, hacks are somewhat random and potentially incentivized when the public discovers a corporate stockpile of sensitive user data. In that sense, avoiding a hack is similar to navigating a minefield, where hacks can only be avoided through sheer luck or costly armor.
Several new companies have nonetheless survived and flourished after hacks. In January 2014, Snapchat suffered its first major attack, where hackers exposed the usernames and phone numbers of approximately 4.6 million users. Oddly enough, those hackers wanted to strengthen the company by revealing a major structural weakness. Today, Snapchat is valued somewhere between $15 and $19 billion. Had the attackers harbored a nefarious motive and targeted the app’s ‘disappearing photos,’ perhaps investors would not be as keen.
Despite the uptick in hacks, the problem is not without potential fixes. Because this issue is largely still in the awareness phase, a solution must begin with a change in public opinion. If the hacker responsible for the Ashley Madison attack had a vendetta against Facebook for ruining traditional friendship, its fair to say that most consumers would have expressed extreme anger, as opposed to indifferent praise. Notwithstanding the questionable ethics of Ashley Madison, society should always condemn hacks.
Even if public opinion about Ashley Madison and other controversial sites remains constant, the legislature may need to step in and regulate the collection and monetization of data as a whole. Currently, government agencies –namely the Federal Trade Commission–have only intervened on a handful of occasions, typically to address issues of unfair and deceptive business practices. Whether laws regulating deceptive business practices sufficiently protect or even address the monetization of consumer data is relatively uncertain. In the absence of such regulation, several companies, including Google, have offered cash rewards for those able to hack its servers. It is unclear whether these private-sector competitions also benefit new businesses that are unable to offer such large sums. In the alternative, consumers could also demand a change in the way their information is stored and monetized. Today, it seems as if that demand is often funneled through class action suits. These suits, however, address these serious issues only after they have occurred. Admittedly, it is unlikely that consumers will gather to demand changes outside the class action forum. Regardless of the chosen solution, the right change is certainly worth the risk.