$11.2M Ashley Madison Settlement Lesson for Companies


By Jimmy H. Koo

A recent customer class settlement by adultery website AshleyMadison.com’s owner may be a preview of higher value data breach litigation settlements to come, cybersecurity professionals told Bloomberg BNA.

Companies need to implement basic security measures to avoid preventable breaches or risk high settlement payouts, privacy attorneys and security professionals said.

Without admitting any wrongdoing, privately owned Ruby Corp., formerly known as Avid Life Media Inc., agreed July 14 to pay $11.2 million to settle class allegations that lax data security measures led to a 2015 hack that exposed the personal data of approximately 37 million users (In re Ashley Madison Customer Data Sec. Breach Litig., E.D. Mo., MDL No. 2669, proposed settlement filed 7/14/17).

The settlement proposal filed in the U.S. District Court for the Eastern District of Missouri would provide a maximum of $3,500 per class member. A preliminary settlement approval hearing is scheduled for July 21.

Jay Edelson, partner and founder of plaintiff-side class action law firm Edelson PC in Chicago, told Bloomberg BNA that the settlement is a strong one for the plaintiffs and signals that “the cost of data breach settlements are likely to rise over the next few years.”

Scott Blackmer, information technology law partner at InfoLawGroup LLP, told Bloomberg BNA that to “avoid costly liability like this,” companies must maintain reasonable security measures and “say what you do, and do what you say.”

AshleyMadison’s parent company charged a fee for a “full” delete feature and then didn’t delete users’ data, Blackmer said. “Getting hacked because of poor security is bad, but coupling that with deceptive practices is what really makes judges, juries, or regulators want to hit you with a stick,” he said.

In July 2015, hackers infiltrated AshleyMadison.com and released information on millions of users of the adultery website. The data dump leaked full names, email addresses, partial credit card data, and other sensitive personal information, including dating and sexual preferences. The hack led Noel Biderman, the company’s former CEO, to step down.

Amit Ashbel, cybersecurity evangelist at Checkmarx Ltd. in Tel Aviv, told Bloomberg BNA that Ashley Madison “got a good deal” with the breach settlement.

Preventable Breach

According to Ashbel, the data breach and subsequent settlement could have been avoided. A crucial lesson for companies is to make sure they “employ security early on in the development cycle,” Ashbel told Bloomberg BNA.

With many recent data breaches, including the one affecting AshleyMadison.com, taking “just the basic step of ensuring sufficient data encryption would have reduced the impact of the breaches as the data would have not been readable,” he said.

Harry Piccariello, chief marketing officer at data security company GigaTrust Corp., agreed that companies need to invest in security upfront.

Assessing Damages

Francoise Gilbert, a shareholder focusing on global data privacy and security at Greenberg Traurig LLP in East Palo Alto, Calif., told Bloomberg BNA that data breach class actions are “seldom successful because of the difficulty in showing damages.” But this is a case “where some of the plaintiffs were able to show actual financial losses,” Gilbert said.

Blackmer noted that a part of the settlement fund is earmarked for those who can document losses due to identity theft, “which is difficult to prove.”

Edelson said going forward, he expects higher scrutiny over no-fault settlements like these. Settlements that “don’t recognize the harm caused by data breaches will face criticism by the courts and ultimately will be rejected,” he said.

Dowd & Dowd PC; HammondLaw PC; and Driscoll Firm PC represent the class. Paul, Weiss, Rifkind, Wharton & Garrison LLP and Bryan Cave LLP represent Ruby.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the proposed settlement is available at http://src.bna.com/qPY

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
