5:00am PT by Austin Siegemund-Broka
A Tale of Two Hacks: How Ashley Madison's Legal Woes Differ From Sony's
In what's become a familiar story, hackers once more have exposed a massive amount of personal information from a corporate database, supposedly for activist ends. Like with the hack on Sony Pictures in November, the lawsuits against Ashley Madison were quick to follow.
At least six complaints have been filed in federal court against Avid Life Media, the parent company of the infidelity website, over hackers' disclosure of information from about 32 million users, including credit card data and sexual preferences. "We are aware of reports concerning lawsuits being filed against Avid Life Media. Avid Life Media Inc. will address any litigation in the appropriate forum," a company spokesperson tells The Hollywood Reporter.
The litigation resembles the string of eight class-action complaints that current and former Sony employees filed over the hack on the studio (some of which were consolidated into a federal action now in settlement proceedings. Others in state court are on hold). In both instances, the people whose information hit the web say the hacked companies didn't do enough to protect their data and ignored the hackers' threats, prompting claims including invasion of privacy and negligence.
But look closer and the differences come into view. For one thing, the Sony lawsuits (and data breach cases against Target, Home Depot and other big corporations in recent years) don't run the risk of plaintiffs wanting anonymity to conceal their membership on the site. The six complaints were filed under the aliases "John Doe" or "Jane Doe," but there's no guarantee the court will permit the plaintiffs to stay anonymous. "I think that will be a problem for finding an individual class representative," says Jonathan Steinsapir, an L.A. litigator.
If anonymity will deter the Ashley Madison plaintiffs, they will have other advantages. "In some ways it's a lot easier to prosecute the claims," says Scott Vernick, an expert on data security litigation. He says the litigants will face less difficulty proving legal standing and damages on several claims.
Vernick told The Hollywood Reporter in January Sony could defend the lawsuits by claiming the plaintiffs should file for worker's compensation in a separate court. (Sony hasn't employed the defense so far.) There’s no such possible out for Avid, which was sued by customers rather than employees.
Nor will the Ashley Madison plaintiffs face the Sony employees' difficulty proving actual damages (not just the risk of future harm), a common challenge in hacking lawsuits. (Sony's defenses so far have questioned whether former employees can prove identity theft resulted from the hack.) Some Ashley Madison users paid the company to delete their profiles, but reportedly the company charged them $19 without deleting personal information like addresses and birth dates. "No problem with demonstrating an injury there," says Vernick. "That's a real, tangible out-of-pocket loss."
It could get the company in trouble with the federal government, says Patrick Fraioli, another L.A litigator. The lawsuits coincide with a court decision Aug. 24 granting the Federal Trade Commission control over corporate cybersecurity. The FTC could find Avid scammed customers with the fees for profile deletion. "Those regulatory fines are big. They do not like it when you lie to consumers," says Fraioli. He notes the FTC might defer to Avid’s home country: "It's not like Canada doesn't give a shit. Canada cares at least as much about privacy as the U.S."
Some of the complaints include the rarer claim of infliction of emotional distress, which requires plaintiffs to prove severe or prolonged disturbance, often with the testimony of medical experts. "[Emotional distress allegations for hacking] are usually claims where you start to say, 'they couldn't think of anything better?'" says Steinsapir. "This is the exception where, ok, I get it." Reports are already circulating of suicides connected to the Ashley Madison leak, making medical proof of emotional distress not seem unlikely.
Even the more general negligence claim might be easier for the Ashley Madison plaintiffs to prove due to the site's emphasis on privacy. Negligence claims are evaluated against a "standard of care" representative of the precautions a “reasonable” person would expect. Because privacy is central to Ashley Madison's business, lawyers predict the jury would find Ashley Madison's "standard of care" uniquely high. “If you interviewed every single person who used that site, they would say, ‘of course I thought I was here privately,'" says Fraioli.
Still, the plaintiffs likely will face bias not present in the remaining Sony suits if they go to trial (which they probably won't, given the record of hacked companies settling the subsequent lawsuits). "Legally the claims might be just as good as the Sony claims, but emotionally there’s going to be more resistance to them," says Steinsapir. "Judges are human beings and jurors are human beings. They might think the people complaining are, to be superficial about it, bad people."