The Ashley Madison saga has captured the attention of the public and legal profession like few prior data security breaches. The reasons are obvious: A website devoted to promoting infidelity is called out for “fraud, deceit, and stupidity” by a faceless group of self-proclaimed hacktivists, who release personal, financial and social information about 30 million would-be lotharios. Ashley Madison's CEO is revealed as a cheater himself, and its parent company, Avid Life Media, is sued for damages that amount to five times the previous year’s gross revenues. The pun-filled headlines almost write themselves, as do the post-hoc assertions that Ashley Madison should have taken precaution X or implemented system Y to protect itself from a breach.
Ashley Madison is already the target of four class actions alleging more than $500 million in damages. Each lawsuit presents the same general reasoning: Ashley Madison promised it would keep customer data safe; Ashley Madison did not keep customer data safe; customers had their personally identifiable information revealed to spouses and identity thieves alike. In all four of the Doe v. Avid Life Media cases,[1] the anonymous plaintiffs demand compensation for their misplaced trust in Avid Life Media and any demonstrable financial harm they suffered.
There is an axiom that good judgment comes from experience, and experience comes from bad judgment. Here, attorneys watching the Ashley Madison drama unfold should take advantage of the lessons of Ashley Madison's bad judgment to help their clients avoid similar mistakes. There will be ample opportunity to detail best practices and create a data security plan before a breach occurs. But there are many more lessons to learn than simple planning, as these cases make clear.
Avid Life Media Lawsuits
Each suit alleges that Ashley Madison negligently permitted the breach that exposed customer data. As one plaintiff put it, Avid Life Media failed to “exercise reasonable care in protecting and safeguarding [plaintiffs’] Personal Information which was in Defendant’s possession.”[2] These appear to be garden-variety negligence claims: Avid Life Media owed customers a duty of reasonable care to safeguard their data, and breached that duty by failing to prevent the hack.[3]
The complaints take different routes to try to prove their cases, and although the differences are nuanced, there could be major strategic implications for future cases depending upon their respective success or failure. Some plaintiffs contend that Avid Life Media assumed a duty to protect customer data, made public announcements that reasonable steps were being taken and yet somehow still failed to prevent a hack. These complaints cite internal Avid Life Media documents showing an awareness of risks and failure to take subsequent steps to remedy them.[4] Put simply, the argument is that Avid Life Media failed to take reasonable steps to avoid a foreseeable risk and consequently caused the plaintiffs harm.
According to another complaint, the duty of care stems from commercially reasonable safeguards against a breach. To support this claim, the plaintiffs allege that Avid Life Media failed to follow industry standards, even citing the Payment Card Industry Data Security Standard (PCI DSS) to illustrate the kind of steps they contend would have been sufficient to protect the data.[5] The theory behind this claim is that, had Avid Life Media adhered to industry standards, the breach could have been avoided.
If these two theories sound familiar, they should. The first approach is garden-variety negligence, the same kind you might see alleged in a personal injury suit. The second approach is much closer to a products liability claim, where the failure to take commercially reasonable and viable steps to protect consumers led to harm.
A New Tort?
The natural response of many to this is to ask: So what? What difference does it make which theory the plaintiffs use, when the end result is likely to be a settlement anyway? But there is a critical difference between the two theories, one that underscores the relative novelty of data breach negligence suits. If a data breach suit is simply a negligence action, then the plaintiff’s critical step is to show what the defendant knew about foreseeable risks and whether it ignored those risks. Both the burden of proof and the pre-suit economic burden are on the plaintiff in that scenario.
But if the “commercially reasonable options” approach prevails, then the economic burden shifts to the defendant, which must demonstrate that it kept up with and abided by industry standards on data security. That change would be momentous for two reasons. First, it would compel a race, if not to the “top,” then certainly to a point just above commercial reasonableness. That standard is advantageous to plaintiffs suing companies that did not keep pace with the industry.
Second, it would provide some measure of comfort to those companies that do employ best practices, because it would create a presumption of reasonable care, even in the event of a data breach. As the federal government’s recent data security problems demonstrate, no amount of resources can prevent every hack. For businesses that take commercially reasonable steps to protect customer data, a breach might not signal automatic liability.
Of course, there is not a perfect delineation between the two theories of negligence the Ashley Madison complaints allege — proving either requires establishing a duty of care that will almost certainly overlap. Yet, the theoretical underpinning of the commercial reasonableness test does present a fascinating premise — that businesses holding private data are, in effect, providing a product to consumers (i.e., data security) and that failure to provide that product in a reasonably safe manner creates liability.
These cases are in their earliest stages, and so it is far too soon to make any predictions about what their long-term consequences will be. Nevertheless, the Ashley Madison cases (and the ongoing Target class actions, now at the class certification stage) are worthy of close attention in the years to come. We may be witnessing the creation of a new species of tort: negligent data security.
This article is reprinted with permission from Law360.