102 Cornell L. Rev. 1743 (2017)On August 18, 2015, a group of hackers named Impact Team released 37 million records—9.7 gigabytes of data—from the Toronto-based website Ashley Madison. The hackers claimed to be motivated by the alleged unscrupulous practices of Ashley Madison’s parent company, Avid Life Media Inc., such as false advertising and failing to follow through on a datapurging procedure for which it charged members a nineteendollar fee, The data dump has affected people from all walks of life, including 15,000 government employees, Vice President Joe Biden’s son, and individuals who, because of this data breach, learned that strangers used their e-mail addresses to create Ashley Madison accounts. Former subscribers to the website have received demands to pay money in the form of bitcoins as a ransom on their personal information. The data breach is likely related to at least two suicides thus far. Lawsuits against Avid Life Media Inc. have commenced, and more are in the planning stages; some plaintiffs hope to coordinate class action litigation. Despite the understandable outrage that the website’s members and former members feel, many lawyers are not optimistic about the chances of recovering damages from Ashley Madison or Avid Life Media Inc. This Note will explore the avenues for recovery available to individuals who lose control of their personal information when the security of an organization that collects or holds such information is compromised. This Note will begin by tracing the development of privacy jurisprudence as it specifically relates to the creation and eventual prominence of the Internet in the United States. Next, the piece will discuss the emerging split of authority surrounding a question of statutory interpretation presented by the Good Samaritan exception of the Telecommunications Act of 1996. Specifically, the issue is whether 47 U.S.C. § 230(e)(2)—a carve-out within the Good Samaritan exception that withholds immunity for civil liability for intellectual property claims—applies to federal intellectual property laws only, or to both federal and state intellectual property laws. The piece will then conclude that if the Supreme Court were to resolve this split of authority, it should, and likely would, hold that § 230(e)(2) withholds immunity from claims brought under both federal and state intellectual property laws. Finally, this Note will present new policy proposals that Congress and interactive computer service providers (ICSPs) could pursue in light of that conclusion.
Hacking a reputation: crisis communication and the Ashley Madison data breach
