September 09, 2015 Articles

What Does It Mean to "Delete" a Customer's Personal Information?

Companies should thoroughly review their customer information deletion policies and protocols.

By Damon W. Silver – September 9, 2015

Can a company be held liable if, after agreeing to “delete” a customer’s personal information, it blocks public access to that information but keeps it in the company’s database? Following the recent data breach of servers hosting Ashley Madison’s customer information, this question may soon be answered.

Ashley Madison is an online dating and social-networking service marketed to people who are married or otherwise in a committed relationship. The company, which has approximately 37 million users, was recently hacked by a group (or individual) called Impact Team. Impact Team has indicated that part of its motive for targeting Ashley Madison is the company’s allegedly inaccurate claim that, in exchange for a $19 fee, it will “fully delete” a customer’s account information. According to Impact Team, this $19 fee does not buy complete erasure of a customer’s digital interactions with Ashley Madison—which, given the nature of the service the company provides, is presumably what the customer believes (or at least hopes) he is paying for. Instead, the company merely limits the ability of other Ashley Madison members, and the general public, to view the customer’s account. The customer’s information, meanwhile, remains in Ashley Madison’s database. (Ashley Madison has denied Impact Team’s allegations regarding its deletion policy and, since the breach, has waived its fee for deleting a customer’s account.)

Ashley Madison’s privacy policy, which has been in place since 2011, indicates that the company will keep the personal information a customer provides for as long as the customer’s profile “stays active or hidden.” Neither the privacy policy nor the FAQs page on the company’s website explains whether the profile information of a customer who pays to delete his account is actually removed—both from public view and from the company’s database—or, instead, is merely “hidden” from public view, but still maintained by Ashley Madison.

Assuming, as Impact Team alleges, that Ashley Madison has been keeping the personal information of customers who paid the company to “fully delete” that information, the company may be exposed to liability under section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce. . . .” Although it has not yet filed charges against Ashley Madison, the Federal Trade Commission (FTC)—which, over the past five years, has actively filed charges against companies that, in the agency’s view, have failed to keep their privacy promises to customers—may ultimately decide to do so. Impact Team has begun disclosing to the public customer information it stole from Ashley Madison’s servers. If the information of customers who paid Ashley Madison to delete their accounts is among that disclosed, the FTC may conclude that the company’s deletion policy constitutes a deceptive trade practice.

Such customers may also file civil lawsuits against the company, alleging, for example, that Ashley Madison’s failure to scrub their information completely—both from public view and from the company’s database—constituted fraud or breach of contract, which, in light of the recent data breach, has exposed them to identity theft and other misuse of their personal information. While some courts have been reluctant to allow cases seeking redress for potential future harm to proceed, finding the damages sought too speculative to confer standing, the Court of Appeals for the Seventh Circuit recently held that, at the motion to dismiss stage, allegations of future injury suffice.

In addition to legal liability, companies that promise to delete customer information, but fail to follow through, risk significant reputational harm. As people, many of whom have spent a decade or more building their online footprints, become increasingly cognizant of the need to carefully and thoughtfully manage their online presence, customers will look to the companies they patronize to aid them in that pursuit—and, using tools such as justdelete.me, will be able to gauge which companies are willing and able to do so.

In light of the legal and reputational risks discussed above, companies should thoroughly review their customer information deletion policies and protocols. They should determine what “level” of information removal they currently provide, and should balance the costs of offering more complete removal—such as loss of continued access to customer information or costs associated with technology upgrades—against the benefits of doing so—primarily, mitigating the risks of reputational harm and legal liability to the companies. Once companies have settled on their policies, the crucial next step is to clearly communicate these policies to their customers. Not every customer will insist that companies wipe his or her informational slate clean; those who do, however, will look unfavorably on companies that fail to make them aware that they have not done so.   

— Damon W. Silver, Jackson Lewis P.C., New York, NY


Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).