
Importance of cyber liability policies highlighted by $578 million lawsuit against Ashley Madison

24 August 2015 | Non-life | General | Candice Sutherland, SHA

Candice Sutherland, Business Development Consultant at SHA.

The importance for organisations to have the necessary cybercrime liability policies in place has been highlighted by the $578 million class-action lawsuit laid against the companies that run extramarital-affairs website Ashley Madison. The lawsuit was issued by two Canadian law firms following a recent hack that exposed the personal information of about 37 million users.

Candice Sutherland, Business Development Consultant at SHA Specialist Underwriters, says that this follows news that the hackers, known as The Impact Team, had dumped the entire database of all 37 million Ashley Madison clients’ personal details, including unique email addresses and payment records. “The original hack occurred in mid-July 2015 with the hackers threatening to release the personal details of the website’s customers – of which 175 000 are South African – if the website was not taken down.”

She says that this situation points to the growing wave of cybercrime taking the world, including South Africa, by storm. “According to an industry source, from a local point of view 515 .gov.za, 130 Eskom and 176 banking industry related email addresses were leaked.”

Sutherland explains that cybercrime is defined as any criminal activity involving a computer or network that results in the unauthorised access to, interference with, fraud or forgery of data. “In the case of the Ashley Madison website, it is interesting to note that the apparent driving factors for The Impact Team’s hack are related to moral reasoning, where they are attempting to stand up against the use of the website which enables people in relationships to cheat on their partners.”

In most cases of cybercrime, the criminals are usually blackmailing the organisation for money, says Sutherland. “This is why this case is so interesting; it is going against the normal rationale for cybercrime.”

Sutherland adds, however, that innocent parties may be harmed by this type of hack, because it is debatable whether the addresses that appear in the database were actually signed up by the owners of those addresses. “It is possible for anyone to register someone else's email address as a vindictive act or even a prank. As a joke, students could have signed up a teacher for example. The hackers may thus have had moral reasons to begin with, but the collateral damage to innocent parties could be significant.”

The nightmare may not be over for the victims, as the hackers still have over 290GB of photos and emails which are yet to be released, adds Sutherland.

She points to a message released by the party responsible for the data dump, which states that Ashley Madison allegedly has a 95% male membership, which implies that the female membership it portrayed on the website was falsified. “This may possibly have been a ploy to lure the male members to part with hard-earned cash by signing up.”

Rumours are also circulating that the data of several users who had paid $19,00 to Ashley Madison in order to have their data removed from the database can still be found among the leaked information, she says. “It can thus be argued that the data was never removed from the site, but that trusting users paid the fee in vain. The hackers believe they would also be exposing the fact that these "deleted" addresses were never removed, further incriminating the platform.”

When looking at the consequences of a breach for the company, the reputational damage and loss of customer trust is probably one of the biggest concerns, says Sutherland. “The cost of losing shareholders and customers can financially liquidate any business and force them to close their doors. In addition, the legal fees and other costs such as notification costs, investigators, forensic auditors can grow quite quickly as these specialists generally charge an hourly rate.”

From a local perspective, Sutherland says that any South African company that fails to protect the personal details of its clients and employees could be found in violation of the Protection of Personal Information Act (POPI). “POPI aims to give effect to the constitutional right to privacy and therefore restricts the unauthorised access to information regarding the educational, medical, financial, criminal or employment history of an individual as well as their personal details such as ID numbers, contact details and physical addresses. In addition, all personal details that are shared with an organisation in confidence, be it race, gender, marital status, religion, culture, sexual orientation and even language, are protected under POPI legislation and a breach of the act can result in a fine of up to R10 million or 10 years in prison.”

Sutherland says that a Cyber Insurance Policy covers the following costs in the event of a breach:

- First Party Expenses, including: the actual costs to restore, re-collect or replace data; expenses of specialists, investigators, forensic auditors or loss adjusters; costs for the use of rented, leased or hired external equipment, services, labour, premises; or additional operating costs, including staff overtime.
- Loss of Business Income such as the net income that would have been earned had the breach not occurred.
- Notification Expenses, for example, the expenses incurred to comply with privacy legislation such as the legal costs as well as the communication expenses including email, call centres, website and customer support expenses.
- Crisis Management Expenses, including the services of a public relations consultant, related advertising or communication expenses.
- Associated regulatory fines and penalties to the extent insurable by law.

“It is imperative for an organisation to consult with a reputable broker to ensure that all the possible vulnerabilities and threats relating to the business and the industry have been taken into account to avoid the financial and reputational risks of a cyber-attack,” concludes Sutherland.

 
