By: John H. Brainard
Hell hath no fury like a hacker scorned. As the recent target of a “black-hat” entity, Avid Life Media [ALM] can attest to this better than most. Accompanying the stolen data dump, the “Impact Team” stated that it was “ALM that failed you and lied to you; prosecute them and claim damages, then move on with your life.” A group of Ashley Madison subscribers seem to have taken this to heart as class action lawsuits against Avid Life Media have sprung up across the country.
Although not as heavily publicized, this type of data breach, and the lawsuits that follow, are becoming increasingly common. The latest examples have included companies as prolific as Target, Sony and Neiman Marcus. A common misconception is that big corporations will have provisions in place to insulate themselves from this type of litigation; however, in all three of these cases, the defendants’ motions to dismiss were denied. Even more devastating was the 2014 South Korea Credit Bureau data breach. In this incident, more than 20 million South Korean citizens had their credit card information stolen and sold to marketing firms.
As it currently stands, ALM is named in six class actions in five states and two countries, alleging an aggregate of over $600 million in damages. In each of these lawsuits, the plaintiffs assert a claim of negligence among various others. In the Texas class action, Doe v. Avid Life Media Inc., No. 3:15-cv-2720, and the Alabama lawsuit, Doe v. Avid Life Media Inc. et al., No. 6:15-cv-01464, the plaintiffs are alleging that ALM violated the Federal Storage Communications Act. In both California class actions, Doe v. Avid Life Media Inc. et al., No. 2:15-cv-06405 and Doe 1 et al. v. Avid Life Media Inc. et al., No. 8:15-cv-01347, the plaintiffs cite the Unfair Competition Statute, and the Los Angeles lawsuit specifically asserts a violation of the California Customer Records Act. Several of these lawsuits also claim violation of state legislation against deceptive trade practices.
Oftentimes, the effects of a data breach extend beyond the breached party. In the recent case of John Doe 1 v. Godaddy.com LLC, the plaintiff used the Computer Fraud and Abuse Act (“CFAA”) to allege that, by hosting the websites on which the stolen data was posted, Godaddy.com and Amazon.com had unlawfully received stolen data. The allegations went so far as to claim that the Defendants, due to the highly publicized nature of the breach, had actual knowledge, and thus breached their duty of care. After complying with the plaintiffs’ request to remove their specific information, Amazon and Godaddy were dismissed without prejudice from the lawsuit. This is illustrative of the problem and the far-reaching implications of security breaches.
Despite plaintiffs’ recent success in select jurisdictions, privacy and security class actions have the high bar of requiring proof of actual harm. These lawsuits are usually dismissed for a lack of “Article III standing,” which turns on a three-prong test that a plaintiff must meet to overcome a motion to dismiss: 1) an injury-in-fact; 2) a “sufficient causal connection between the injury and the conduct complained of,” and 3) “a likelihood that the injury will be redressed by a favorable decision.” In the recent case of Remijas v. Neiman Marcus Group, LLC (“Neiman Marcus Case”), a Seventh Circuit Appellate Court ruled that the risk of future harm was sufficient for Article III standing. To date, the standing for a data breach case fluctuates depending on the jurisdiction.
The claims that ALM negligently failed to safeguard its customers’ data could move forward, but ALM likely has a defense against several claims for lack of Article III standing. With this in mind, a shrewd company will recognize that an affirmative defense is not always the best strategy due to the jurisdictional variance in the law and the cost of litigation itself. The more prudent decision is to implement the industry’s best security practices. This ensures that a company is both legally insulated and presents a less obvious target for cyber crime. ALM may very well have a convincing legal argument, but its seemingly lackluster security practices may have doomed it long before it stepped into the courtroom.
Data breaches are here to stay, and the more successful you are, the more inevitable they become. A disgruntled employee or motivated hacker is now potentially far more damaging to a company’s viability than a bad fiscal quarter ever could be. As a result, implementing the industry’s best security practices is more important than ever. It will be important for companies to pay close attention to the ALM lawsuits to see how the court defines the industry standard for protecting customers’ personal information. Clearly, Ashley Madison is a particularly vulnerable target, but every company has the potential to be the victim of a data breach, and in turn have its own dirty laundry exposed to the world.
John is a Staff Member of the Journal of High Technology Law. He is currently a 2L at Suffolk University Law School with a concentration in Trial and Appellate Advocacy. He earned his Undergraduate Degree from Boston College with a major in Corporate Systems.