Ashley Madison: Data Privacy, For Richer (And Now, Inevitably) For Poorer
Despite proudly displaying its ‘Trusted Security Award’, its ‘100% Discreet Service’ banner, and even its SSL symbol – it seems it really wasn’t.
The recent Ashley Madison data breach affair might make you wonder how even the most secure data storage – containing, in this case, something around thirty-five million highly sensitive personal contact data entries – can be vulnerable to an attack.
Well, at least you might think it was secure. But despite proudly displaying its ‘Trusted Security Award’, its ‘100% Discreet Service’ banner, and even its SSL symbol – it seems it really wasn’t.
The End Of The Affair – Or Is It?
The reality is that, currently, in terms of online data, nothing is one hundred percent safe; and to allude in any way to your data being completely invulnerable is not only disingenuous, but pretty imprudent, too.
That said, the Ashley Madison site does not claim to be 100% secure, but only alludes to this. And there is sadly some considerable ignorance in society about the dangers of malicious data breaches, despite the previous breaches at Sony, JP Morgan Chase and AOL.
And any customer who thought their data was completely secure with Ashley Madison may now, instead, be thinking about suing Avid Life Media, Ashley Madison’s owners.
In marketing – and I’m sure the Ashley Madison marketing crowd are aware of this – our mission is to engage customers with aspiration, passion or inspiration – at least something that creates a desired prospect action and positive commercial outcome.
But within this – data regulatory laws or none – we digital marketers owe our clients’ customers a duty of care. And while I’m not here to judge the morals of Ashley Madison members, they entrusted their data to an organisation that has let them down – and not particularly slowly.
Is Size Important?
On the Ashley Madison website, under the heading ‘Security’ it states:
‘We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk’
This is a relatively standard statement and to the person in the street, what does it actually mean? More or less nothing I would think, even if they thought to read it in the first place. But the data is still gone, and now there are further allegations that may prove to be fatal.
You Can’t Hide It
This attack on an adultery-themed dating site is one of the most damaging personal data breaches we’ve ever seen. And normally in personal data breach cases, it is difficult for the plaintiff to prove what kind of damage – if any – has been caused to them.
But in this case it’s all too easy, as reputational damage is clear, and in some regions, signing up to such infidelity-themed sites may be considered legally as unreasonable behaviour and could result in divorce proceedings.
Bye Bye Love
With a pre-tax revenue of €100m last year, life at Ashley Madison could well be over if its members are brave enough and decide to sue. If this took the form of a class action, little Ashley may well end up as but a scorch mark on the shag pile of corporate history.
And there may yet be further bad news for Ashley: apart from the potential for Ashley Madison’s membership to sue Avid Life Media, if this company is domiciled in Canada, then the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) legislation may well come into play.
Slave to love – and law?
Canadian legislation of this nature is pretty much aligned to regulations in the EU, so it looks like there could be massive fines ahead if the company is found to have been negligent.
And to illustrate how seriously governments take such data security issues, under the upcoming EU General Data Protection Regulation (GDPR) due to be rolled out in 2016, if negligent (and based in the EU), Avid Life Media would find themselves facing fines of anything up to 10% of their world-wide annual gross revenues.
If nothing else, this is a warning to us all: the moral of this story – if there has been morality going on here – is that the public, such as Ashley Madison members, need to be better educated and made more aware of the implications of handing over personal data.
It is entirely likely that like many other victims of malicious data attacks, Avid Life Media may have also been completely data compliant.
Here at Novacom we believe good data security practice as found in ISO 9001 and ISO 27001 is critical to keeping both data and our clients as safe as is possible, because while you can’t completely rule out malicious attack, you can at least mitigate it.