On July 15, an online hacking group calling themselves “The Impact Team” gained unauthorized access to a website known as Ashley Madison, and on Aug. 18, the group made publicly available the customer data they had stolen, the names and other identifying information of 37 million users.
Ashley Madison is a for-profit website that facilitates extramarital affairs (cheating) among its married customer base. Its motto is “Life is short. Have an affair.”
In the wake of the hacking affair, commentators have asked what legal recourse the “victims” have. And the lawsuits have begun.
Two Canadian law firms have filed a Canadian-$760-million (USD $576 million) class action suit against the website, claiming that it failed to protect user information.
One anonymous plaintiff has filed suit against Ashley Madison and its parent company (Avid Life Media Inc.) in U.S. District Court in Los Angeles, alleging everything but the kitchen sink: various tort and contract claims, violations of California competition and consumer protection laws, and violations of the California constitution. This plaintiff is also seeking to proceed with his lawsuit as a class action.
While such a lawsuit might succeed in Canada, would it work in the United States?
In the United States, the common law is the background against which state courts operate. With common law, a company that failed to protect consumer data would typically be on the hook only if it agreed (contracted) to protect the data and failed to do so.
As a general matter, if someone stole the data from the company, the data theft victim would have a tort lawsuit against the thief, but not against the company (unless, as some have argued, the theft was reasonably foreseeable by the company and it failed to take adequate precautions against the theft). In recent years, however, creative plaintiff’s lawyers have begun to challenge this in certain contexts, as, for example, in the pending case against Sony for breach of employee data.
As the California lawsuit makes clear, though, many states have consumer protection laws that could put companies that are hacked on the hook for damages to customers.
Perhaps more importantly, however, the Federal Trade Commission (FTC) has authority under federal law to regulate “unfair or deceptive acts or practices affecting commerce.” This past week, the United States Court of Appeals for the Third Circuit ruled in FTC v. Wyndham Worldwide Corp. that this authority extends to FTC regulation of cyber security.
In that case, the Wyndham hotel chain had been hacked, and the stolen consumer data was used to generate over $10.6 million in fraudulent charges. Allegedly, Wyndham had failed to live up to its promises regarding its protection of its computer systems, and the allegation was that this practice violated federal law.
This situation appears very similar to what happened in the Ashley Madison case, although the product sold was much more embarrassing for consumers, giving the company a stronger incentive to protect its customer data.
But if Ashley Madison failed to adequately protect its systems, while making representations that it was doing so, the company could find itself subject to investigation by state and federal competition and consumer protection agencies.