Slashdot Mirror
Ashley Madison Hack Claims First Victims
wired_parrot writes: Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach. This follows pleas from other users of the site for the hackers to not release the data before it was exposed- an anonymous gay Reddit user from Saudi Arabia, where homosexuality is illegal, pleaded for the data to be kept private: "I am about to be killed, tortured, or exiled," he wrote. "And I did nothing." And when The Intercept published a piece condemning the puritanical glee over the data dump, one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there.
Ashley Madison has now offered a $380,000 reward for information that leads to the arrest and conviction of the hackers who leaked the data. Security researcher Troy Hunt has also posted about the kind of emails he's received from users after the data leak.
This should create the head of steam required to get some legislation passed to make companies and specific executives SUFFER if they screw up their data security. Ultimately that means if an executive is advised that a system is insecure, fails to act and it gets hacked, the executive needs to personally liable, with a small taste of prison. It happening once is all that is required....
It is, it's a 500k CAD reward, which translates to ~380k USD.
Your hair look like poop, Bob! - Wanker.
"I am about to be killed, tortured, or exiled," he wrote. "And I did nothing."
No, what you did was expose yourself using social media to an authoritarian, abusive government. Realize that or do not.
When you define any extramarital intimacy as "cheating", you've already cut off the debate paths that the victims from the summary illustrate. Not, mind you, that AM's marketing did much to discourage that definition.
But, hey, enjoy your puritanical two-minute hate, and don't worry about collateral damage.
(Posting as AC, even though I've never gone near the site, because I'm stuck with this country's puritanical environment and the consequences it imposes for even talking about ethical decisions that don't fit the standard mold. And, yeah, I guess I'm a bit of a coward.)
While I believe that there might be some people who had no "morally" dubious intents, I fail to see why anyone with a traditional moral compass would sign up for this website.
Even if you are not married and simply looking for a one nighter, you are still signing up to site where married people are looking for an affair. It is right on their main landing page: "Life is too short, Have an affair". While it sucks for them, I feel it difficult to feel pity for them when signing up to a website which main intend is to make is to make it easy for people to cheat.
The other people could have simply signed up for a different website where the main intent is not cheating. It seems there would be plenty, and none of them are getting hacked
" one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there."
At the end of the day these people signed up for a site whose primary market is marital infidelity. I feel a bit sorry for the woman referenced above, but I also have to wonder if the partners of the people she's "engaged with" on AM were as accepting as her husband was. I kind of doubt it.
There are a lot of other sites out there that don't specifically target cheating that she could have used instead. By choosing to have her hookups through that site she was pretty much guaranteeing that she was actively screwing around with someone else's relationship.
Rest assured that the new legislation will make hacking a crime worthy of being hung, drawn and quartered while at the same time not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I highly doubt it. Republicans are in the front line of the worst offenders against anything you might consider "decent" while at the same time also being the only ones who give a fuck about someone "important" shagging someone outside of marriage.
I don't really get it. Is it some kind of whipping boy stunt? By punishing someone else I am punishing myself for doing the dirty but I don't wanna stop?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
People paid him to have their personal info deleted. He took their money but did not delete anything. Put him in prison for fraud.
And we shall be more compassionate towards jerk bigots until there is a cure for their sickness.
Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach.
so, basically corollary conjecture pertaining to sets of potential outcomes of a data breech.
Dont get me wrong, as a homosexual I'm not at all condoning the death of a person for their sexuality. I think puritanical elation is at best inappropriate as a response to the incident. But frankly Ashley Madisons catchphrase was 'lifes short, have an affair.' As a saudi national, someone is unfortunately about to find out exactly how short that life can really be. Standard issue infidelity aside there are numerous gay dating sites you could have chosen. numerous potential outlets for gay, straight, questioning, bisexual, whatever your heart desires. But selecting Ashley Madison shows a puerile approach to interpersonal relationship as well as sexual orientation in general. Homosexuality is not the same as a casual extramarital affair.
Good people go to bed earlier.
Seems ridiculously low. They have already been sued for over half a billion CAD. This is likely to end their business. Is that really all they can afford or are willing to pay?
Shows how much they care about their users. Presumably they are hoping to get someone to grass on the cheap, and only ramp it up later if no-one comes forward. Even more alarming, it suggests that they have no idea who it is and their security is so poor they have nothing to go on.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
As much as I'd like to drag all the cheap-ass executives who shortchange IT security and reliability with an eye on promotion and their own bonuses into the street and have them tarred and feathered, I can only imagine that such a regulation would have loopholes a mile wide.
What makes a system insecure? The system integration/networking? The software, especially third party software with its disclaimers about "no liability for implied merchantability and fitness for a particular purpose"?
Who judges a system as secure/insecure? If I get a third party to sign off on it, are the execs then immune? How long does a system retain its status as officially secure? Can you patch it with new patches, which theoretically could introduce their own flaws?
How about unknown zero-days? You could judge a system as secure and then a new zero-day appears in some critical security juncture that renders it insecure. Worse yet, what about unknown exploits used for which there are no patches?
To me it smells like Sarbanes-Oxley all over again.
When he was CEO of SUN, Scott was once quoted as saying "You already have no privacy. Get over it."
If telephones are outlawed, then only outlaws will have telephones.
And, of course, don't forget carving out huge exemptions for copyright holders aggressively being assholes^Wdilligent ... there will be one of those.
And one for law enforcement, because hacking is OK if you're law enforcement.
And to protect the children. You can do anything if you're protecting children.
And national security, even if it is unrelated to national security. You know, that way the Stingray devices are still OK.
By the time all of those exemptions get made, it will boil down to "it shall be illegal for any private citizen to exploit the security holes we have ensured are in place", and will be utterly meaningless.
But, nosirree, we can't risk impacting quarterly profits and executive bonuses by ensuring corporations have legal responsibility to safeguard data. That would be like Communism.
Lost at C:>. Found at C.
This is not puritanism. This is looking down on people who make commitments they don't keep. There exists a way for a married person to declare that they no longer intend to maintain fidelity, it's called divorce. There is also swinging for couples that mutually choose that. AM is instead dedicated to people who vowed fidelity and unilaterally choose not to honor that vow.
Forgive me for being the odd duck out here, but what ever happened to "Personal Responsibility"? I, too, think it's wrong for the hackers to release that information. It sounds like a despicable act of misguided morality to me, but that's irrelevant.
These people took their own lives, the external stressers don't really matter; they CHOSE to commit suicide. Maybe if signing up and using that site was such an emotional risk for them, they shouldn't have done it?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
This is a bit like saying you're going to send someone to jail for getting rear-ended waiting at a traffic light.
I totally agree, data security is a big deal - but I think "gross negligence" probably covers the fact that someone did not put proper security in place. Beyond that, it's an arms race. You can't hold someone responsible for being hacked, unless they've demonstrated that they didn't even try to avoid it. Reasonable preventative measures.
The same reason you can't claim insurance when you don't have any locks on your house. But if they really want to, that moat and electric fence won't stop someone from breaking into your house.
.
If I leave my door open, and my stuff gets stolen, I am the one who has been punished.
If some asshole corporation fails at security, and my stuff gets stolen, I am still the one who has been punished.
See, the stuff being stolen here ... It's not the property of the corporation, and they're not the ones who suffer when it is stolen. They've deemed themselves trustworthy to hold onto your data, and failed to safeguard it.
Oh, sure, they might get a little bad PR, and the stock might slip a little. But that asshole executive who decided security was too costly? It's not his data being stolen, and it's not him who has to deal with it.
So he, being an asshole executive, says "wow, we're not really sorry but if we say it will you shut up and go away?"
This is more like I've got stuff in my safe deposit box, and the bank gets robbed, and the bank say "wow, that's totally not our fault".
Your analogy sucks.
Corporations failing to protect the private and sensitive information they have been entrusted with are not the fucking victims, and they don't get to play the victim card.
Lost at C:>. Found at C.
Yeah I could row in behind this. We need governments in particular but also corporations to enshrine peoples' right to privacy in hard legislation. The net is turning into a sick dystopian version of its original golden promise.
I have put some things online that could be embarrassing. Nothing really earthshattering, nothing I could lose a job over. Back when the "anonymous" nature of the web first started, I was always wary. Maybe not as smart as I should have been, but smart enough. Accounts, posts, passwords, etc. These things are all ephemeral and all can be compromised. I always understood that.
The real question here is why people continue to think of the internet, "the web", and the myriad of online services as secure. I'm not apologizing for what those who have compromised these accounts have done, but really, at this point everyone should know nothing that is done online is secure. There have been too many compromises.
Who has inspired this trust?
Why do millions continue to put faith in something that proves over and over again to be untrustworthy?
That is the real question.
We play the game with the bravery of being out of range
Let's do that for homeowners too. If you are told that your door is unlocked, but you still don't lock it, and some robber comes and steals your stuff, the homeowner should be thrown in jail.
Not really the same. But I would argue the insurance company might have a leg to stand on in a fraud case if they had some extra data to prove you enticed the burglar to enter.
A better scenario, is if you rent out rooms in your apartment complex, and you are told that the door locks you installed on the rooms are defective and allow anyone with a toothpick and dreams of glory to enter, and you choose not to fix it, and then people are robbed/raped/murdered in their sleep you probably share some of the blame. You may not have at all intended for those things to happen, but you made it possible and failed to fix your property which was designed for the purpose of keeping unwanted people out, and your tenants weren't free to replace those locks on their own.
How stupid do you have to be to misunderstand the parent post so badly? Adequate data security stops all but the most skilled hackers. Laws are already in place to force corporations to act better than they otherwise would in other areas and there is a good case to be made that that should be the case with data security as well. When you're responsible for other people's personal details, you have to act responsibly and have proper data security. Just like airlines must follow safety regulations and are penalized if they don't, corporate executives should be held responsible if data security is neglected. The main question is how to formulate it into a law and the parent proposed a solution which I don't fully agree with but I do agree with the idea. We've seen it happen over and over and over again - corporations need to be held in a short leash through laws because their ultimate incentive is always shareholder wealth. A bad reputation is nothing that a good PR campaign won't fix cheaper than preventing the problem in the first place.
100% of the worlds pain and misery come from these people who find glee in forcing their beliefs on others.
Never had a broken heart? Probably never been loved either. Most "puritanical" views really aren't puritanical, they're common sense. If you love someone, you don't hurt them by cheating behind their back. AM is for cowards. Pure and simple.
not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the side of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you? Should we lighten up the sentences for "breaking and entering" or even burglary?
Personally I think with certain exceptions like public Utilities etc that already enjoy a special relationship with government and a captive market, that companies ought to be allowed to have whatever security posture they like. They should simply have to be honest about it with consumers. Government ought to do one of the few things its Constitutionally supposed to do and set some standards of measure.
Develop some NIST definitions for overall information security postures. If companies then want to claim they have a 'Double plus good can't hack me bro' rating there is a way to prove that. Then if one of these breaches happens and its done in a way that should not have been possible while in compliance like 'plain text data on laptop found on bus' we would all be able to go after them for contract fraud or false advertising etc.
Additionally we should have some disclosure laws, just like food labels there need to be some standardized categories and forms companies that maintain any information that is personally identifiable other than firstname, lastname, current address, billing address, and primary phone number, should be required to disclose that on a standardized and both electronically readable and human readable format. Maybe a nice TML or INI like file.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I agree. If any, the guilty here is AMs poor security and data management. And its nothing new, people cheat, we are good at it . I think it's a little over the top to "make a new life because... Oh the shame".
"If anyone"? That's overboard. I agree that to a degree, AM is complicit due to their poor security and negligence with their clients data, yes, but still the truly guilty party here, quite simply, is the one who actually committed the crime and stole data they were not entitled to. I'm a fool if I leave my house or car unlocked at night; nevertheless, if someone breaks in and steals stuff, they have committed a crime, not me; I was naive, negligent, careless, but I didn't steal anything. Granted, I'd feel more culpable if I had several friends' gear in my house or car that got stolen, as that's less excuse to be so careless, and some responsibility must be shouldered in that case, but still, I am not directly responsible for the behavior of a thief, he is. The thief must still be found and held accountable. That is not debatable.
Look, if you cheat on your wife, that's NOT OUR BUSINESS.
You don't get the right to vilify and laugh and insult someone because they betrayed someone else.
Why do you think everyone has a right to cheat on their spouses, but nobody has the right to the free speech of criticizing that behavior?
Yes, blame the victim because they violated our society's moral code, rather than an actual law.
Worst of all, I have never seen a case where someone cheated on a virtuous spouse. Every single case of cheating I have ever heard of or seen among my friends was one shallow shmuck marrying a clear and obvious player and then getting upset that the player played.
My sister married her law professor - after he divorced his 2nd wife (yes, she slept with him before he was divorced). Surprise surprise, he cheated on her also. What happened to her is pretty much exactly like what happens most of the time.
Why do others not to get to blame the victim, but you do when you think they deserved it?
if the data hackers grabbed ak 47s and stormed the colocation facility and ripped out hard drives, then your analogy works. the company is innocent and the hackers deserve full condemnation
but obviously that's not an analogy to what we happened with ashley madison or other infamous corporate hacks
more like the bank president installed a keypad on the bank vault by a well known manufacturer whose name is written on the keypad and is known to have default passwords on their products. he never changed the default password. or he wrote the password on a post it note above the keypad
the hackers simply punched in the obvious password, walked in and walked out. the hackers aren't innocent, no one is suggesting that. but obviously the bank president is hardly innocent either. his negligence is disgusting
now you have a valid analogy to what we are talking about here, and absolutely the bank president needs to be punished
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
My question: Where would laws be aimed at?
I fear that we would get laws like the CFAA aimed at stringing up intruders in the US, but because most attempts are coming from overseas where the local governments either ignore or actively encourage security breaches, it would not help anything. However, with the cosplan ban that the TPP [2] gives, we likely will see effort along these lines just as scare tactics and security theater.
If we get laws at businesses, it may not help either. Sarbanes Oxley and HIPAA were to address security, and the last time I've heard of someone going to jail under those was someone who caught too many fish and was prosecuted under SOX because he tossed his stash of dead grouper.
If a law stipulates "reasonable measures", a lot of companies would do nothing at all, throw their hands up and say that the bad guys can get through anything, and point to Target and Sony as being heavyweights, but yet nailed [1].
If a law stipulates exact OS methods taken, the OS controls in Windows NT are significantly different from the ones available in Windows Server 2016.
[1]: Even though basic network segmentation would have stopped Target's attack, and locking/warning IT about brute force AD password guesses would have helped mitigate Sony... and an IDS/IPS would have stopped both.
[2]: Here in the US, treaties come before laws. Even Marbury vs. Madison doesn't allow judicial reviews on treaties.
Your claim that it is 'puritan' to challenge promise breakers is pure labelling to avoid the issue. Whilst politicians are accepted to lie, there's no reason for the rest of the community to descend to such a level. If a couple makes promises to each other in marriage, it is reasonable to expect them to live by those promises. It is reasonable for society - attempting to encourage couples to stay together so that children get to benefit from a stable background in which to grow up - to challenge behaviour that damages children, and therefore society.
If you store other peoples' shit in your home for money, damn right you are responsible for its security. Nobody cares if your own stuff gets stolen.
“He’s not deformed, he’s just drunk!”
You are absolutely right. The already extant laws that make the Ashley Madison hack a crime clearly did not stop perpetrators. Unfortunately, for you, GP was talking about laws that would punish those responsible for the security of sensitive personal information when they clearly do not take adequate precautions to protect that data from the lawless hackers. Get it now?
FWIW, negligence is tough to prove. Criminal negligence, even more so, but I'll wager that what those responsible for security at Ashley Madison failed to do, or more likely, what they were prevented from doing by their superiors, is as clear a case as there has ever been. We all know the story. The security team warned the developers, then the operations guys, who warned the CISO (if they had one) who damn-well better have warned the Board. Somewhere along the way, operations/profit won out over security. It's probably going to ruin Ashley Madison. It is clearly going to ruin thousands of lives of people who had a reasonable expectation of privacy. That is nothing, if not a crime. Why is it not being treated as such? Why is it not treated as such every time it happens?
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the side of windows to no more than 1" by 1" or require bars?
If you're in business and promising your customers that you're keeping their stuff secure, well, yeah, there should be legal penalties for not meeting some standards of due diligence (admittedly, there's quite a bit of wiggle room as to where those standards should be set).
/. If the government wants us to respect the law, it should set a better example.
Eating pussy is also illegal in NC. Who cares?
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
All of this seems to presume that a site CAN be made 100% hacker-proof. I don't think that is likely.
This position reminds me a lot of the folks that want to sue gun companies when someone commits a murder with a gun. The people who released this data have the blood of the two (so far) victims on their hands - they're at least partly resonsible for their deaths.
Your own Apples to other people's Orangutans comparison.
The Government requires you to have vehicle insurance because you impact other people if you wreck on a road. Banks are required to have insurance protecting a specific percentage of deposited wealth. You will go to jail if you kill someone while driving even if it was on accident if you don't have insurance. Banks have had people go to jail when they lied about or have not met obligations required by law. Why should a business be treated differently exactly? No reason, except that we lack enforceable regulation.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
And that is the root cause of this whole situation. We need to find a way to change the overall mindset (especially in these here Unitee States) towards other people's personal sexual congresses. Not only should it be nobody else's business, but nobody should even **care** what some person they're neither related to nor dating is doing.
If someone's cheating on a spouse (and the spouse does not approve of extramarital sex), the spouse will likely find out one way or another at some point. What happens to the couple is up to them. But what your employees, or Congressional reps, or sports/music/theatre idols do in their personal lives including sex, just plain shouldn't matter.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
You can't hold someone responsible for being hacked, unless they've demonstrated that they didn't even try to avoid it.
Sure you can, this is why we have insurance. If I put stuff in a storage unit and it gets broken into, it's the storage unit's fault. Period. They will have to pay me. It matters not if they tried to keep out the burglars or not. They will get paid by their insurance company but it is most certainly their fault that my stuff got stolen.
alienation of affection, which is punishable with jail time.
Bullshit. Even in NC, alienation of affection is a civil matter.
Affairs are probably illegal in most states in the U.S. If not all.
Also bullshit. Just a few states still have these laws on the books.
Furthermore, such laws are plainly totalitarian, they misplace responsibility, they view a marriage as little more than a property deed, and they elevate particular religions to sources of law. No small government conservative, nor any other supporter of a free society, could possibly support such a law. The only reason they haven't been declared unconstitutional is that no relevant case has yet reached the Supreme Court.
One NC attorney, quoted in the Wiki, says it quite well:
One North Carolina divorce attorney has written: "Adultery is not uncommon, but an alienation-of-affection case just polarizes everyone and devastates everything in its path including the children and both spouses....The world has changed. Women are no longer viewed as property. Alienation-of-affection is something that dates way, way back, and if there was ever a law that needed to be removed, this is it."
.: Semper Absurda
If you store other peoples' shit in your home for money, damn right you are responsible for its security. Nobody cares if your own stuff gets stolen.
My wife has a yarn store and import/distribution business for fancy schmancy yarns. We have customer data, not by choice, customers demand it for their convenience. I happen to be a security/crypto type engineer. So we worked out what the plan was based on the notion that a yarn store is helpless in the face of electronic warfare.
1) Outsource anything touching PCI-DSS. The payment card machine doesn't attach to the computer. The online payments are through a service that handles the card data on their servers while appearing to be on our web site and PCI-DSS compliance is part of their service. PCI-DSS sucks (I've read the specs - It's not pretty). But it's what we have. So pay someone else to hold the responsibility who on the surface may be better positioned that a yarn store to handle such data.
2) Don't keep customer credit card data on a computer. Use other means.
In general, there's nothing anyone can do who isn't deeply involved in computer security and cryptography, which on average is everyone. Those few who are involved in the intersection of retail and computer security are disempowered by the payment card companies who dictate terms, avoid liability and push absolutely useless security standards on the rest of us.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
You are talking about two different coins, not even two sides of the same coin. I believe that if you leave 100.00 on your door step you should not expect it to be there when you get home. The person who took it is not right for doing so, but you are not right for leaving 100.00 on your door step where people would be tempted to take it and in other circumstances would not have done so.
What GP said is that if you leave your doors unlocked and get robbed, people would claim that _you_ should go to jail. Which is not a valid argument since AM is not holding their own stuff, they are holding EVERYONE ELSE'S STUFF!
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Well a couple of good places to start for standards in this area would first be the NERC CIP standard and once you have got that down then proceed to the Cybersec Procurement Language for Energy Delivery Systems (warning PDF) for a set of industry best practices that are highly encouraged to be in vendor contracts. While they are written for energy management systems the ideas and regulations should mostly be applicable to all other systems that need computer security as well.
Time to offend someone
Yes, this is quite unfortunate. However: given a random selection of 30 million individuals, at what rate would suicides be observed? Make sure you know the answer to this question before jumping to conclusions.
Actually, I offered two alternatives. One that many puritans wouldn't find acceptable either and one that would make a puritan's head explode.
There may well be a gray area somewhere in fidelity, but having an affair is sufficiently distant from fidelity that it will be well past that region.
Ashley Madison Data Dump
http://themobilebay.org/torren...
Don't expect to betray spouses and remain anonymous
My wife says it already is.
You are welcome on my lawn.
Seems ridiculously low. They have already been sued for over half a billion CAD. This is likely to end their business. Is that really all they can afford or are willing to pay?
Shows how much they care about their users. Presumably they are hoping to get someone to grass on the cheap, and only ramp it up later if no-one comes forward. Even more alarming, it suggests that they have no idea who it is and their security is so poor they have nothing to go on.
I'd say how much they cared about their users was shown much earlier--or has the claims about them not deleting information they demanded money to delete not been verified yet? If it has, they're probably going to be gotten for fraud.
not changing anything about how corporations have to secure data, or even (god forbid!) be punished for having sloppy security.
And why should it? For the sake of argument do you think the government should tell you that you MUST install a home security system, have dead bolts on every exterior door, require exterior doors be steel or solid wood, limit the side of windows to no more than 1" by 1" or require bars? If you violate any of these rules on your structure fine or punish you? Should we lighten up the sentences for "breaking and entering" or even burglary?
Personally I think with certain exceptions like public Utilities etc that already enjoy a special relationship with government and a captive market, that companies ought to be allowed to have whatever security posture they like. They should simply have to be honest about it with consumers. Government ought to do one of the few things its Constitutionally supposed to do and set some standards of measure.
Develop some NIST definitions for overall information security postures. If companies then want to claim they have a 'Double plus good can't hack me bro' rating there is a way to prove that. Then if one of these breaches happens and its done in a way that should not have been possible while in compliance like 'plain text data on laptop found on bus' we would all be able to go after them for contract fraud or false advertising etc.
Additionally we should have some disclosure laws, just like food labels there need to be some standardized categories and forms companies that maintain any information that is personally identifiable other than firstname, lastname, current address, billing address, and primary phone number, should be required to disclose that on a standardized and both electronically readable and human readable format. Maybe a nice TML or INI like file.
The government already requires permits, inspections, specific codes you must follow for wiring, water, heat, etc when building a house. If these don't pass inspections your house doesn't get built. If you add to your house and don't get a permit you can pay massive fines and possibly have to rebuild it. In hurricane prone cities they have increased requirements for buildings. So yes, it sure does make sense. It also make sense when you collect and maintain personal data of others. If your house was hit by a Tornado and someone walked in the next day and stole all your customer data you would be liable. Whether it involved putting it in a safe or encrypting it electronically it's your job to secure this info or don't collect it at all.
Social media is for fools. It's not just Ashley Madison. It's Facebook too. It is just amazing to me how people will pony up so much personal information and entrust other people to "manage" it.
How long is it going to be before someone hacks into Facebook and steals millions of user account details? Email addresses, phone numbers (in some cases), family photos, where you work (in some cases), all your friends (in some cases), you name it.
Buyer beware.