While class action lawsuits have become more common following a data breach, ashleymadison.com may not see its 37 million customers racing to put their name forward as members of a class.
"One of my first reactions was that Ashley Madison may be less of a class action risk than we would usually see because I'm not sure there are going to be a lot of potential representative plaintiffs who will want to come forward," says Catherine Beagan Flood, a partner at Blake Cassels & Graydon LLP.
"This is not your everyday data breach."
The company's cheeky brand took a hit on Monday when it was hacked by a group that says it has private information about its users including names, photos, and credit card data.
While there has been a trend toward certification in class actions over data breaches, they haven't proven to be a very profitable venture for class action lawyers, says Barry Sookman, a senior partner and technology lawyer at McCarthy Tétrault LLP.
"Often, there are suits started, but it's really undetermined what the damages will be. This is an interesting case because the kind of mental distress that might be caused is directly associated with the fact there was a very high expectation that information would be confidential," says Sookman.
"If the information is disclosed, there will be a lot of distressing conversations that could end up also having financial losses. Consider what would happen if it precipitated 10,000 divorces of monetary settlements of $1 million each?"
The company declined a request for interview with Legal Feeds, but Toronto-based Avid Life Media Inc., which owns ashleymadison.com issued a statement apologizing to its customer base, saying it's offering the option to fully delete their personal information for free.
"We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world," the statement said.
The statement went on to explain the company had secured its sites and closed the "unauthorized access points."
"Any and all parties responsible for this act of cyber–terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online."
The statement added that the paid-delete option offered by ashleymadison.com does remove all information related to a member's profile and communications activity. The process involves a hard delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' e-mail boxes.
"I expect they are making a careful assessment of the scope of what personal information has been taken by this hacker group and considering what information they can and should make public for purposes of their customers taking appropriate steps," says Beagan Flood.
The question for the company will be how best to notify its customer base without further breaching privacy.
"You need to make sure that giving notice doesn't make the situation worse and in many cases that can be by using a compromised security system, for example. This is a rather unusual situation in which any specifically targeted notice may only exacerbate a data breach," she says.
The cost of dealing with the breach will be high, says Sookman, in terms of legal fees and the brand.
"For a service like this in which people have an expectation of a higher level of security, the damage to the reputation might well be very difficult for them in the short term until consumer confidence is restored," he says.
"They will want to notify individuals if there actually has been disclosure but they probably won't want to notify 37 million people if their information has not been compromised," he says.
And given the 37 million customers include people from different countries, the company will have to comply with the mandatory disclosure laws in those jurisdictions and retain law firms there.
Even if a class action is launched, Beagan Flood says it's difficult in privacy cases to assess what the damages are, particularly where they're not financial in nature.
"This is one of the circumstances in which quantification of damages would be difficult," she says.
She says the Ashley Madison hack is an example of how identify theft and fraud aren't the only motivations for breaches of security safeguards.
"That means companies that may not have thought they were likely to be targets or thought putting significant safeguards on their financial data would be enough may need to rethink that because the rationale for the hack and type of information that is particularly sensitive isn't related to financial motivations," she says.
Howard Simkevitz of Simkevitz Law says if they aren't doing so already, companies will be paying more attention to data breaches and looking into insurance for cyber extortion.
"Data has become such a critical part to any business. The reality is you're going to have a data breach at some point. It's very difficult for an organization to go unscathed. You need to be prepared for that," he says.
While changes to the federal Personal Information Protection and Electronic Documents Act include the addition of data breach rules, they're not yet in force. They would require organizations give notice to the privacy commissioner and individuals affected and fines could be levied. Right now, only Alberta has mandatory breach notification.