Ashley Madison and Standing

by Jay Marshall Wolman, CIPP/US

Recently, this blog has published posts on a new Connecticut law and a 7th Circuit ruling on data breach, both of which address the issue of standing in class action data breach suits.  Standing, in plain terms, means having a legal right to sue based on an injury to you.  The Sierra Club may have standing to sue for environmental damages because its members are specifically harmed; even if many of those members also belonged to Susan Boyle Fans International, Inc., the fan club would not have standing because the organization as a whole is not harmed.

Actual harm is key.  In many data breach cases, it is hard to show actual harm; identity theft may very well not occur and free credit monitoring eliminates the direct consumer cost.  Thus, a lot of litigation has focused on the right to sue in the event of a data breach.

Now, we have the Ashley Madison hack and data dump.  Ashley Madison, as you may know, is a matchmaking service for adultery.  Unlike prior breaches, the hackers are not merely keeping the information to themselves, but they are releasing information that identifies people, including public figures and federal employees.  Divorces will occur because of the data dump.  This is not a case of “maybe someone will open a credit card in my name”; it is a case of “I have to pay alimony and child support for the foreseeable future”.  Data breach victims now have tangible harm.

Class action attorneys will still litigate questions of typicality and commonality, for not every victim will suffer the same harm.  But class certification is likely, even in such instances.  In the Black Farmers Case, the class was certified even where different class members had widely varying economic losses as a result of allegations of discrimination in USDA loan programs.  The question in this matter will not be whether to certify, then, but rather how to establish class member damages.  Although this is probably the least sympathetic data breach class, it will be one of the best cases.

I should also note that liability seems pretty decent.  In the Neiman Marcus case, the plaintiffs alleged:

negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts.

That case lacked something this case has: an express guarantee.  Take a look:

100% Secure?  Nope.  Completely Anonymous?  Negative.  Their privacy policy states:

Security
We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.

That just seems to be another broken promise.  Section I of their Terms and Conditions states:

Privacy & Use of Information

Use of the Service is also governed by our Privacy Policy. You agree that by registering a Profile or using our Service you have agreed to our Privacy Statement. You acknowledge that although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages.  Our privacy policy is incorporated into the Terms by this reference.  You agree to release us, our parent, subsidiaries and affiliated entities and ours and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, know and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.  If you are a California resident, you waive California Civil Code Section 1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor.”

This is a pretty weak effort at a release and may well not be enforceable.  Of course, the Terms and Conditions does have a choice of law provision, New York, which is pretty strong in their favor.  It also has a mandatory arbitration clause, though there is a class action waiver and a damages cap of $5,000.  I expect significant litigation over the enforceability of these terms.

4 Responses to Ashley Madison and Standing

  1. […] Attorney Mark Randazza explains the strong class action case AshleyMadison.com users now […]

  2. andrews says:

    That release may be more effective than you would expect. Until this spring, here in Florida, a release that did not expressly mention the releasee’s negligence did not cover that negligence.

    The supremes changed it this spring, possibly because there was a sympathetic defendant/releasee. In other states, it is likely that the release would still have to expressly mention the releasee’s negligence for it to be covered.

    Yeah, I figure the elements are in place:
    duty, both from advertising and reasonable expectation
    dereliction, failing to take reasonable care to protect data
    direct cause, just ask the first wave of divorce litigants
    damages, yeah, that alimony, child support, &c.

    There is the question of characterization also. Was it a release by a third party, or did Ashley’s negligent protection of the data constitute an effective release of the information?

    [not legal advice, and all of the above could be wrong]

  3. Rev Les Crowley says:

    Question: if you live in a state where adultery is illegal, would you still be able to sue Ashley Madison?