Andrew Kloster
On July 15, an online hacking group calling themselves “The Impact Team”
gained unauthorized access to a website known as Ashley Madison, and on Aug.
18, the group made publicly available the customer data they had stolen, the
names and other identifying information of 37 million users.
Ashley Madison is a for-profit website that facilitates extramarital
affairs (cheating) among its married customer base. Its motto is “Life is
short. Have an affair.”
In the wake of the hacking affair, commentators have asked what legal
recourse the “victims” have. And the lawsuits have begun.
Two Canadian law firms have filed a Canadian-$760-million (USD $576 million)
class action suit against the website, claiming that it failed to protect
user information.
One anonymous plaintiff has filed suit against Ashley Madison and its parent company (Avid Life Media
Inc.) in U.S. District Court in Los Angeles, alleging everything but the
kitchen sink: various tort and contract claims, violations of California
competition and consumer protection laws, and violations of the California
constitution. This plaintiff is also seeking to proceed with his lawsuit as a
class action.
While such a lawsuit might succeed in Canada, would it work in the
United States?
In the United States, the common law is the background against which
state courts operate. Under common law, a company that failed to protect
consumer data would typically be on the hook only if it agreed (contracted) to
protect the data and failed to do so.
As a general matter, if someone stole the data from the company, the data
theft victim would have a tort lawsuit against the thief, but not against the
company (unless, as some have argued, the theft was reasonably foreseeable by
the company and it failed to take adequate precautions against the theft). In
recent years, however, creative plaintiffs' lawyers have begun to challenge
this in certain contexts, as, for example, in the pending case against Sony
for breach of employee data.
As the California lawsuit makes clear, though, many states have consumer
protection laws that could put companies that are hacked on the hook for
damages to customers.
Perhaps more importantly, however, the Federal Trade Commission (FTC) has
authority under federal law to regulate “unfair or deceptive acts or practices
affecting commerce.” This past week, the United States Court of Appeals for
the Third Circuit ruled in FTC v. Wyndham Worldwide Corp. that this authority
extends to FTC regulation of cyber security.
In that case, the Wyndham hotel chain had been hacked, and the stolen
consumer data was used to generate over $10.6 million in fraudulent charges.
Wyndham had allegedly failed to live up to its promises regarding the
protection of its computer systems, a practice alleged to violate federal law.
This situation appears very similar to what happened in the Ashley
Madison case, although the product sold was much more embarrassing for
consumers, giving the company a stronger incentive to protect its customer
data.
But if Ashley Madison failed to adequately protect its systems, while
making representations that it was doing so, the company could find itself
subject to investigation by state and federal competition and consumer
protection agencies.