Trial lawyers circle Ashley Madison

Trial lawyers circle Ashley Madison
© Getty Images

The infidelity website Ashley Madison is fighting for survival after a hack that exposed the personal information of up to 37 million people.

Class-action lawsuits are flooding the parent company of the website, with people seeking millions of dollars in damages for having been revealed to the world as having sought extra-marital affairs.


At least four lawsuits seeking class-action status have been filed in the United States, including two in California, one in Texas and one that was filed in Missouri before the data dump.

In Canada, two leading firms have filed a $578 million class-action suit on behalf of users who were outed.

All four U.S. cases has been filed on behalf of anonymous clients and accuse Ashley Madison and its parent company, Avid Life Media, of failing to adequately protect sensitive information.

The plaintiffs argue Ashley Madison knew about its security deficiencies but did nothing to address them — an allegation that they say is supported by internal company communications also released by the hackers.

The suit filed in Los Angeles this week also accuses the company of emotional distress and violating privacy laws.

Typically in data breach cases, the biggest hurdle consumers face is demonstrating that they were harmed. But given the sensitive nature of the Ashley Madison data, and the reports of suicides by users who were exposed, the plaintiffs should have an extremely strong case, experts say.

Perhaps the biggest threat of all to the site is the charge that Ashley Madison’s “Full Delete” option — which offered to scrub users’ data from the site, for a price — was a fraud.

In the Missouri suit, the anonymous plaintiff claims to have paid a $19 fee to have the site completely delete all of her personal information, only to see it appear in the information that hackers leaked online.

"Full Delete netted ALM $1.7mm in revenue in 2014,” the hackers wrote. “It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."

The Missouri lawsuit echoes those claims: “Reportedly, among the ‘dumped’ data was data of individuals who paid a fee of $19 to have scrub their profiles from the site, but whose profiles had apparently not been scrubbed,” the suit alleges.

A review of the leaked data performed by The Register came to a similar conclusion, reporting that accounts that were marked as deleted still retained identifiable information, such as GPS coordinates, date of birth, ethnicity, sexual preferences and more.

Experts say the evidence that the “Full Delete” function did not work as advertised is the complaint most likely to draw the attention of the Federal Trade Commission (FTC).

If Ashley Madison failed to deliver on its promise of data scrubbing, “that’s a low-hanging fruit, a classic in-the-sweet-spot enforcement action, before you even get to the data security issues and the general state of their cyber readiness,” said Scott Vernick, partner and head of the data security and privacy practice at Fox Rothschild.

“That’s a classic no-no from the FTC’s standpoint,” Vernick said.

Adding ammunition to possible enforcement action from the FTC, a federal court of appeals on Monday solidified the agency’s authority to mete out punishment on companies that fail to adequately shore up their data against cyberattacks.

The U.S. Court of Appeals for the Third Circuit ruled unanimously that the FTC could go forward with a lawsuit alleging that the Wyndham Worldwide Corp. did not do enough to safeguard its customers’ personal data.

The Wyndham case has many parallels to Ashley Madison’s breach. Both involve companies that allegedly failed to use basic cybersecurity practices — such as encryption and authentication — only to suffer a major data breach.

But since Ashley Madison is based in Canada, the FTC might let its counterpart across the border handle the consumer protection case.

Kristine Devine, a communications attorney with Harris, Wiltshire & Grannis says that if reports that the hack was facilitated by an inside actor are true, the FTC may not have as strong of a case against the company because better cybersecurity may not have prevented the breach.

That the hack appears to have been motivated more by morality than profit — the hackers called users “cheating dirtbags who deserve no such discretion” — could help Ashley Madison’s defense.

“Ashley Madison was probably going to be a target either way, whether their security was lax or not,” Devine said.

From the FTC’s perspective, Devine says, this means that Ashley Madison’s security practices may not be considered what is called “proximate cause,” or an event legally considered to have lead to the breach.

An FTC spokesman has said that it "can't comment on whether we're investigating a specific site.”

It’s now up to the courts to determine which, if any, of the pending lawsuits against the website receive class-action status. If the cases are consolidated under a single lawsuit, the FTC may have less reason to act.

“They don’t really gain much going after a company whose neck is on the chopping block,” Devine said.