(The opinions expressed here are those of Alison Frankel, a
columnist for Reuters.)
By Alison Frankel
NEW YORK, Aug 25 - The adultery-encouraging website
Ashley Madison is now facing at least five U.S. class actions by
users who claim the site failed to protect their confidential
information from hackers who have since dumped their names,
addresses and sexual predilections onto the Internet.
The good news for people burned in the Ashley Madison
attack: The most potent argument for defendants facing similar
data breach suits won't save the adultery site from facing
claims by at least some of its users.
The bad news: If Ashley Madison is telling the truth about
its handling of payment card data, classwide damages won't be
astronomical.
EASIER TO SUE
In the past six months, it has become easier for people
whose personal information has been exposed to sue corporations
for lapses in cybersecurity. Defendants had previously been
swatting these suits away by persuading judges that hacking
victims did not meet constitutional requirements to sue in
federal court.
Hacking victims, defendants said, did not have standing to
sue because they could not show they had suffered an actual
injury or faced a "certainly impending" threat of harm.
Judges have recently become more skeptical of those
arguments. (And class action lawyers have become savvier about
framing their cases.) The judges overseeing data breach class
actions by Target shoppers and former Sony employees, for
instance, both ruled that hacking victims had standing to sue
because they acted to protect their identities and credit
ratings.
In an important ruling in July, the federal appeals court
overseeing Illinois, Indiana and Wisconsin said the theft of
their financial information put Neiman Marcus shoppers at enough
risk of harm that they can sue.
"Neiman Marcus customers should not have to wait until
hackers commit identity theft or credit card fraud in order to
give the class standing, because there is an 'objectively
reasonable likelihood' that such an injury will occur," the
appeals court said.
NOT A TYPICAL DATA BREACH
But the Ashley Madison case may not fit the typical data
breach scenario. According to the company, its members' full
credit card numbers were not stored on the site and were not
exposed by hackers. (Other reports on the stolen data have said
partial credit card numbers and card security codes were posted
online.)
Cybersecurity litigator Jason Beach of Hunton & Williams
told me that if Ashley Madison users cannot show their payment
card data was stolen, they will have a hard time convincing a
judge that they face impending harm.
One group of Ashley Madison users, however, will have no
trouble establishing their right to sue. Customers who paid the
site $19 to delete their profiles, only to find their
information subsequently exposed to hackers, have already been
injured, Beach said, because they didn't get what they paid for.
"The contractual theory is an easy one," Beach said. "That is an
actual injury."
Three of the suits already filed against Ashley Madison -
one in federal California, one in Missouri and one in Texas
- make demands specifically on behalf of customers who paid the
$19 delete fee.
At the very least, these suits say, Ashley Madison must pay
back customers for a service it did not provide. That is
precisely the type of claim the U.S. class action system was
designed to address, and it is hard to see how Ashley Madison
can evade it.
The class actions attempt to leverage the delete-fee facts
to generate additional damages. The suits claim Ashley Madison
users had to spend their own time and money to hire credit and
identity protection services and to replace compromised cards.
Usually, companies hit by hackers agree to provide customers
with credit monitoring for a year or two. Ashley Madison has
not, presumably because it contends its users' financial data
was not stolen from the site. If that turns out to be true, the
company will doubtless argue that customers had no need to spend
money on the services so they should not recover damages for
their expenses.
Ashley Madison users offer two other theories for damages in
their class action complaints. Neither is likely to succeed,
according to cybersecurity lawyer Beach, who specializes in
representing data breach defendants.
Two of the class actions cite the Stored Communications Act,
a 1986 law addressing data held by Internet service providers.
The law carries minimum damages of $1,000 per violation, so
Ashley Madison's exposure would be sky-high if all of its
supposed 40 million members were able to collect $1,000 for the
site's failure to secure their information.
But Beach said other data breach victims have tried to make
claims under the Stored Communications Act - and have not
succeeded. (He mentioned, for instance, a 2013 decision
dismissing SCA claims in a class action against the credit card
payment processing company Global Payments.)
Courts have generally held that even lax cybersecurity
doesn't satisfy the statute's requirement that plaintiffs show
the defendant's intention of disclosing data, Beach said.
EMOTIONAL DAMAGE
What about the emotional distress of cheaters and would-be
adulterers who trusted Ashley Madison to protect their
identities yet ended up exposed to their families and even
employers? Three of the class actions against the company claim
damages based on the pain and suffering of the website's users.
Data breach litigation precedent, however, suggests that
fear and anxiety claims won't hold up, according to Beach,
unless users can show a "physical manifestation" of the
emotional damage they claim, such as a broken marriage or a lost
job.
And even if the Ashley Madison breach has had such real-life
consequences for certain customers, Beach added, judges are
unlikely to permit an entire class of the website's users to
make such claims because they don't apply to all class members.
So the bottom line on Ashley Madison's exposure to U.S.
class actions, assuming the truth of the company's denial that
credit card info was stolen: The threat is real but not
existential.
(Reporting By Alison Frankel. Editing by Alessandra Rafferty.)