Illicit affairs have always imposed risks – from marital discord and divorce to boiling bunnies and Maury appearances. However, when old-school adultery met new-school technology on the Ashley Madison infidelity website, those risks expanded to include data breach, identity theft, and having private sexual predilections and fantasies revealed to the world. Those risks became reality earlier this year when a hacker collective calling itself “The Impact Team” released over 30 gigabytes of stolen data, including personal and financial information of Ashley Madison’s more than 39 million users, as well as internal company e-mails and information. The breach has already created considerable fallout – including last week’s announcement of the CEO’s resignation.
Now, in a series of class action lawsuits, plaintiffs’ lawyers are jockeying for the opportunity to represent classes of potential victims. The various suits – filed in California, Missouri, Texas, and Alabama – are all, predictably, brought by “John Doe” or “Jane Doe” plaintiffs against Ashley Madison parent company, Avid Life Media, Inc. The thrust of each suit is similar. For example, each alleges that Ashley Madison promised robust protection of its members’ personal and financial information but, in fact, employed anemic security measures. Perhaps more troublesome for the company – because it could open the doors to fraud or other claims supporting punitive damages – the suits allege that Ashley Madison charged members $19 to permanently delete – as opposed to merely deactivate or hide – their profiles and data, but even members who purchased this “paid delete” option had their data compromised. Some of the suits focus almost exclusively on the loss of standard personal and financial information similar to claims seen in other data breach class actions. However, others spice things up by arguing that the disclosure of plaintiffs’ “intimate desires” and similar information gives rise to compensable emotional distress damages.
The suits contain multiple putative class and subclass definitions – including both national and state classes. By far, the most ambitious is the Central District of California action which, all tallied, offers at least 184 separate class definitions, including individual subclasses based on each state’s and territory’s data privacy and consumer protection laws, and two nationwide classes. The remaining complaints typically include one or more national classes and corresponding state-wide classes covering the forum state.
So, multiple class actions have been filed in various federal courts and each – at least in part – includes class definitions that overlap with the others. Where do we go from here? The most likely scenario is that all the matters will be consolidated by the Judicial Panel for Multidistrict Litigation (JPML) which will situate all of the matters before a single federal judge for MDL proceedings. Pursuant to 28 U.S.C. § 1407, transfer and coordination or consolidation of actions is appropriate when: (1) the cases involve one or more common questions of fact, (2) transfer would serve the convenience of the parties and witnesses, and (3) transfer will promote the just and efficient conduct of the actions. In recent data breach cases involving Target, Sony and others, the JPML has routinely found these factors satisfied.
In fact, the Missouri plaintiff – who filed the first putative class action – recently filed a petition with the JPML to consolidate all of the Ashley Madison litigation before U.S. District Court for the Eastern District of Missouri, which she argues has experience with data breach litigation and is centrally located for management of a nationwide class. Whether she gets her choice of forum, however, is far from certain, as the JPML can consider a wide variety of factors – including the location and number of pending cases, location of witnesses and evidence, and experience of the putative MDL judge – in determining where to plant an MDL. Moreover, all interested parties – including other plaintiffs and defendant Avid Life Media – will have an opportunity to suggest and advocate for their preferred venues during briefing and oral arguments.
Once the MDL is established, these cases should present a number of interesting wrinkles for litigators and observers. First, the plaintiffs invariably will face a motion to dismiss raising, among other defenses, Article III standing. As we’ve recently discussed, courts traditionally have been hesitant to find standing in data breach class-actions where the putative class members alleged a threat of future harm; however, a recent Seventh Circuit decision could make standing a less formidable hurdle. Assuming plaintiffs survive the motion to dismiss, discovery and briefing on class certification will begin in earnest. Importantly, although the standard for transfer to an MDL found in 28 U.S.C. § 1407 and Rule 23’s class certification requirements include some similar language regarding “common questions,” Rule 23’s requirements are much more demanding. For example, while transfer to an MDL requires only a finding of “one or more common questions of fact,” Rule 23 requires a finding of “questions of law or fact common to the class” and that those common questions “predominate over questions affecting only individual members.” In practice, this “predominance” requirement is one of the most difficult for plaintiffs to overcome. Accordingly, it is not unusual for cases to be consolidated by the JPML only to have class certification denied by the MDL judge, at which time the cases proceed as individual actions, albeit with some measure of coordination.
Another challenge to class certification is the widespread reports that much of the leaked “customer” data is false – for example, “Tony Blair” and “Barack Obama” had accounts, which, while obviously fake, raise legitimate questions regarding the ascertainability of any putative class. If fake accounts abound, will the court have to do an account-by-account assessment merely to determine class membership? Finally, if a class is certified, how will the court handle notice? After all, while e-mail or physical addresses may be available for legitimate Ashley Madison members, notifying class members of their rights risks outing them as site members – one of the very harms the lawsuits seek to remedy.
Ultimately, as journalists and others probe the wealth of data released by the hackers, the data breach may be just the beginning of Ashley Madison’s troubles. For example, tech blog Gizmodo recently analyzed source code released during the breach and determined that Ashley Madison “created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” These bots would be used to induce male clientele to spend money on “credits” to contact the phony suitors. If these allegations are borne out, they could conceivably form the bases for new allegations and claims against the company. Regardless, the entire spectacle is a dramatic fall from grace for a company that reported revenues of $114 million in 2014, once bid on naming rights to the Meadowlands stadium, and was positioning itself for an IPO.