Should Ashley Madison worry about U.S. class actions?

August 25, 2015

The adultery-encouraging website Ashley Madison is now facing at least five U.S. class actions by users who claim the site failed to protect their confidential information from hackers who have since dumped their names, addresses and sexual predilections onto the Internet.

The good news for people burned in the Ashley Madison attack: The most potent argument for defendants facing similar data breach suits won’t save the adultery site from facing claims by at least some of its users.

The bad news: If Ashley Madison is telling the truth about its handling of payment card data, classwide damages won’t be astronomical.

In the past six months, it has become easier for people whose personal information has been exposed to sue corporations for lapses in cybersecurity. Defendants had previously been swatting these suits away by persuading judges that hacking victims did not meet constitutional requirements to sue in federal court.

Hacking victims, defendants said, did not have standing to sue because they could not show they had suffered an actual injury or faced a “certainly impending” threat of harm.

Judges have recently become more skeptical of those arguments. (And class action lawyers have become savvier about framing their cases.) The judges overseeing data breach class actions by Target shoppers and former Sony employees, for instance, both ruled that hacking victims had standing to sue because they acted to protect their identities and credit ratings.

In an important ruling in July, the federal appeals court overseeing Illinois, Indiana and Wisconsin said the theft of their financial information put Neiman Marcus shoppers at enough risk of harm that they can sue.

“Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” the appeals court said.

But the Ashley Madison case may not fit the typical data breach scenario. According to the company, its members’ full credit card numbers were not stored on the site and were not exposed by hackers. (Other reports on the stolen data have said partial credit card numbers and card security codes were posted online.)

Cybersecurity litigator Jason Beach of Hunton & Williams told me that if Ashley Madison users cannot show their payment card data was stolen, they will have a hard time convincing a judge that they face impending harm.

One group of Ashley Madison users, however, will have no trouble establishing their right to sue. Customers who paid the site $19 to delete their profiles, only to find their information subsequently exposed to hackers, have already been injured, Beach said, because they didn’t get what they paid for. “The contractual theory is an easy one,” Beach said. “That is an actual injury.”

Three of the suits already filed against Ashley Madison – one in federal California, one in Missouri and one in Texas – make demands specifically on behalf of customers who paid the $19 delete fee.

At the very least, these suits say, Ashley Madison must pay back customers for a service it did not provide. That is precisely the type of claim the U.S. class action system was designed to address, and it is hard to see how Ashley Madison can evade it.

The class actions attempt to leverage the delete-fee facts to generate additional damages. The suits claim Ashley Madison users had to spend their own time and money to hire credit and identity protection services and to replace compromised cards.

Usually, companies hit by hackers agree to provide customers with credit monitoring for a year or two. Ashley Madison has not, presumably because it contends its users’ financial data was not stolen from the site. If that turns out to be true, the company will doubtless argue that customers had no need to spend money on the services so they should not recover damages for their expenses.

Ashley Madison users offer two other theories for damages in their class action complaints. Neither is likely to succeed, according to cybersecurity lawyer Beach, who specializes in representing data breach defendants.

Two of the class actions cite the Stored Communications Act, a 1986 law addressing data held by Internet service providers. The law carries minimum damages of $1,000 per violation, so Ashley Madison’s exposure would be sky-high if all of its supposed 40 million members were able to collect $1,000 for the site’s failure to secure their information.

But Beach said other data breach victims have tried to make claims under the Stored Communications Act – and have not succeeded. (He mentioned, for instance, a 2013 decision dismissing SCA claims in a class action against the credit card payment processing company Global Payments.)

Courts have generally held that even lax cybersecurity doesn’t satisfy the statute’s requirement that plaintiffs show the defendant’s intention of disclosing data, Beach said.

What about the emotional distress of cheaters and would-be adulterers who trusted Ashley Madison to protect their identities yet ended up exposed to their families and even employers? Three of the class actions against the company claim damages based on the pain and suffering of the website’s users.

Data breach litigation precedent, however, suggests that fear and anxiety claims won’t hold up, according to Beach, unless users can show a “physical manifestation” of the emotional damage they claim, such as a broken marriage or a lost job.

And even if the Ashley Madison breach has had such real-life consequences for certain customers, Beach added, judges are unlikely to permit an entire class of the website’s users to make such claims because they don’t apply to all class members.

So the bottom line on Ashley Madison’s exposure to U.S. class actions, assuming the truth of the company’s denial that credit card info was stolen: The threat is real but not existential.
