The second data dump comes after Biderman questioned the credibility of the hacker’s claims, with the Impact Team taunting him with a message regarding Thursday’s disclosure, “Hey Noel, you can admit it’s real now.” As reality does indeed set in for both ALM and the millions of users whose personal lives may be altered forever by the leak, sorting out legal liability in the matter will be messy.
Lawsuits likely leading to class-action certification have already been filed in the wake of last month’s hack of infidelity site Ashley Madison. This comes after Tuesday’s massive 10 GB data dump of personal information of roughly 32 million account holders in the dark web by a hacker, or hackers, calling itself “the Impact Team.” On Thursday evening, the Impact Team released an even larger trove of data, 20 GB on the downloading site Torrent, including the personal emails of the website’s founder and CEO of parent company Avid Life Media (ALM), Noel Biderman. ALM owns the site, along with similar websites Cougar Life and Established Men. The second data dump comes after Biderman questioned the credibility of the hacker’s claims, with the Impact Team taunting him with a message regarding Thursday’s disclosure, “Hey Noel, you can admit it’s real now.” As reality does indeed set in for both ALM and the millions of users whose personal lives may be altered forever by the leak, sorting out legal liability in the matter will be messy.
Among the first law firms to present a case to the courts happened in Canada, with Charney Lawyers and Sutts, Strosberg LLP having already filed suits against ALM and Avid Dating Life, another Ashley Madison parent company. The firms are representing Ottawa native Elliot Shore, with Sutts, Strosberg partner David Robins saying that the firm is in contact with at least twelve other potential plaintiffs. The suit is seeking $750 million in general damages and $10 million in punitive damages. Another lawsuit was filed by an anonymous St. Louis woman last month after the July 5th disclosure of the hack, claiming that she paid the $19.99 to permanently delete her personal information from the site, which was not actually done. That lawsuit is also seeking additional plaintiffs, with the Impact Team noting that the “Full-Delete” option was a scam, and the main reason for the “hacktivism” against the site. John Driscoll, the Missouri woman’s attorney, said after Tuesday’s data release, “I think our prospects went through the roof today. We’re getting a lot of phone calls.”
While it is likely that many more lawsuits will be filed, along with calls for class-action formation, some legal experts question the validity of claims. Legal cases involving similar data breaches of retailers Target and Home Depot have involved financial losses, whereas with the Ashley Madison leak, the losses are much more difficult to quantify. Courts in the past have ruled against victims of data breaches must incur a financial loss to be officially considered a victim, most notably a May ruling in Louisiana federal court which dismissed a similar class action suit against online retailer eBay involving a similar data breach of account holder information. Driscoll also acknowledges that the courts may not allow plaintiffs to remain anonymous, which will likely weigh heavily in a plaintiff’s decision to join a case. Patterson Belknap Webb & Tyler partner Craig Newman also notes that although most of the account holders were American, ALM is a Toronto-based company and many of the users come from Canada and around the world. Newman said, “So you have the laws of different countries that might come into play, some of which value personal privacy greater than others.” Newman also noted the litigation costs involving international clients may prove to be very expensive.
Another matter that the courts will need to hash out is how liable is Ashley Madison itself for the breach. Because Ashley Madison did not verify the email addresses of account holders, and as an Ashley Madison official told The Canadian Press that “People can speculate based on the leaked data, but there’s no smoking gun.” ALM released a statement on its website following Tuesday’s disclosure, “This event is not an act of hacktivism; it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.” Authorities are taking the event seriously, with the FBI joining the Royal Canadian Mounted Police and the Ontario and Toronto police forces. Several government and private cybersecurity experts are also looking to track down the identity of the Impact Team. Finally, as Newman explains, “At the heart of many data breach cases is the general question of whether the victimized company employed reasonable data protection measures. If the hack is the work of a disgruntled contractor, as ALM initially suggested, then damages could be significantly lower.” While it is obvious that the victims of the hack in general have been harmed in some way, many legal obstacles may impede any meaningful litigation over the incident.
ABC News/Associated Press – Bree Fowler
Business Insider – Rob Price
National Post – Sadaf Ahsan
The Verge – Russell Brandom
Wired – Kim Zetter