On December 14, 2016, operators of online extramarital dating and social networking website AshleyMadison.com came to an agreement with the Federal Trade Commission, and several States, to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts) the data of some 36 million AshleyMadison.com accounts was posted online. It was reported by KrebsOnSecurity that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking web sites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.
On April 29, 2016, Judge Ross issued his ruling on Ashley Madison’s motion for a protective order, prohibiting Plaintiffs from using the leaked documents, reports quoting the leaked documents, and information “stolen from Avid” in drafting their consolidated class action complaint. The result was largely policy driven, with Judge Ross stating broadly, “the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery. To do so would taint these proceedings and, if left unremedied, potentially undermine the integrity of the judicial process.” The Court also ruled that it had inherent authority to issue a protective order with respect to documents obtained outside the course of normal discovery, and distinguished cases cited by the Plaintiffs in opposition. Rejecting Plaintiffs’ First Amendment argument, Judge Ross notes, “[j]ournalists … are in a completely different position than parties involved in private litigation. No doubt exists that the news media enjoy the freedom of ‘the press;’ however, the conduct of attorneys is informed by their ethical responsibilities as officers of the Court.” The amici briefs submitted by other Ashley Madison users made an impact on the Court as the Court found that the leaked information could not truly be considered “readily available to the public” due to the efforts of the other users to protect their privacy following the leak, as asserted in their briefs. Ultimately, Judge Ross emphasized the need to “protect the integrity of the internet and make it a safer place for business, research and casual use.”
We’ve previously written about the distinctions between hacking credit and other financial data in comparison to hacking private information. (See Ashley Madison and Coming to “Terms” with Data Protection.) The issue of how much protection the latter receives when it relates to attorney-client communications is currently before the District Court of the Eastern District of Missouri in the multi-district litigation arising from the July 2015 Ashley Madison leaks. Plaintiffs—former users of the site who claim that Ashley Madison defrauded the public by creating fake female profiles to lure male users—hope to use leaked information in their consolidated complaint against the site, due to be filed June 3 of this year. The leaked information sought to be used includes references and citations to emails between Ashley Madison’s parent company, Avid Dating Life, and its outside counsel.
Colleagues Rafi Azim-Khan, head of Pillsbury’s Data Privacy practice in Europe, and counsel Steven Farmer recently penned a piece providing a EU/UK perspective on lessons learned from the Ashley Madison hack, as well as on how to reduce the risk of cyber attack in an era where such incidents are all-too-common.
Read their article: Reducing the Risk of Cyber Attacks in the Wake of Ashley Madison.