Ashley Madison, a dating website specifically geared towards married individuals looking to have an affair, recently found out it was the victim of cyber hackers who claim to have stolen personal information, including names and addresses, about some or all of the roughly 37 million individuals who subscribe to the website. While such news naturally will catch the attention of divorce lawyers, could this most recent data breach also potentially result in meritorious civil claims against Ashley Madison?
One interesting theory of liability comes from an old common law tort that has been phased out legislatively in all but seven states – alienation of affections. In fact, this theory had been used against Ashley Madison on at least one occasion even before the data beach. In 2012, a man from North Carolina sued Ashley Madison after his wife used the website to meet another man, ultimately resulting in a divorce. While similar claims could exist even without the data breach, a release of the confidential information allegedly taken would very likely bring the website into the crosshairs of individuals who previously had no idea where their former spouse had connected with a paramour. The good news for Ashley Madison is that proximate causation and intent to alienate affections as to any one scorned husband or wife could present proof problems for potential plaintiffs. Plus, the fact that only seven states recognize such a claim will likely limit any perceived risk.
The more troubling issue of potential liability is based on a contractual or quasi-contractual theory that may be asserted by individuals who decided to delete their Ashley Madison account in the past. Apparently, the company offers its members the ability to erase their account and all information related to the account, but only if the member pays the company $20.00. According to those who perpetrated the breach and one individual who purportedly deleted his Ashley Madison account but recently had his personal information released to the public, however, Ashley Madison has allegedly retained personal information of its members despite its representations that it would delete such information with the account.
With the hackers threatening to release more information, the potential liability from a misrepresentation and/or breach of contract theory could loom large if the representations about a member’s profile did, in fact, state that such personal information would no longer be retained by the company. Potential lawsuits could take one of two forms. First, an individual could sue based upon the $20.00 they paid for deletion, but the economics of such a lawsuit would not make much sense without some additional harm like a subsequent divorce or loss of reputation caused by the disclosure. The more dangerous prospect would be a class action lawsuit for every individual who paid $20.00 for a deletion that purportedly did not occur. Even this type of lawsuit, which it appears may be contemplated by some firms, may not become ripe until the hackers make good on their threat to release such information. Even if such disclosure does not occur, however, it may still be that a class or even a governmental entity could bring state consumer protection law claims based on the alleged misrepresentation.
Of course, considering the purposes for which the Ashley Madison users have given their personal information, the company could always attempt to defeat each and every one of the potential claims discussed here by asserting the equitable doctrine of “unclean hands.”