On July 21, 2017, Judge John A. Ross of the U.S. District Court for the Eastern District of Missouri issued a preliminary approval of a settlement agreement between the owner of AshleyMadison.com and the class representing former users whose personal information was breached in July 2015. Under terms of the settlement, Ruby Corp, the operator of the Ashley Madison website, is scheduled to pay $11.2 million. For some, the settlement announcement is a missed opportunity: the litigation represented a chance to clarify the scope of actionable consumer harm in breach-related litigation, as unlike in other notable breaches, the mere identification of individuals who used the website (and were thus affected by the breach) likely produced unwanted consequences. Nonetheless, the settlement agreement is interesting by itself, as it offers unique solutions to address class members seeking financial remuneration but wishing to avoid further publicity regarding their connection to AshleyMadison.com.
The litigation arose from a data security breach affecting AshleyMadison.com on around July 15, 2015. The data breach resulted in the electronic theft of personally identifiable and financial information of nearly 37 million registered end-users of AshleyMadison.com. Ashley Madison marketed—and continues to market—itself as a means to help people, primarily men, cheat on their spouses, and was known for its slogan “Life is short. Have an affair.” After absconding with Ashley Madison’s private and sensitive user information, the intruders subsequently made various public statements that they would leak the database and underlying documents they obtained to the public. Following through on their promise, roughly 30 days after the initial breach, much of the information compromised was released.
In their complaint, the plaintiffs claimed that Ruby Corp’s data processing practices supported their claims of: violations of the Racketeer Influenced and Corrupt Organizations Act, the Federal Stored Communications Act, California Customer Records Act, and numerous state consumer protection and data breach notification statutes; negligence; breach of contract; unjust enrichment; and negligent misrepresentation. In agreeing to the settlement, Ruby Corp denied any wrongdoing.
Scope of Actionable Harm
For those who follow these cases, there was some hope that litigation might provide additional insight into standing where the alleged injury is not directly connected to financial harm. Ashley Madison’s lawyers were expected to challenge the plaintiffs’ standing by arguing that for many of the class’s claims, the hack did not cause “concrete injuries” as defined in the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins. In that case, the Supreme Court held that to establish Article III standing, there must be an injury that is “real” and not “abstract” or merely “procedural.” To establish such an injury, the plaintiff must allege a statutory violation that caused him or her to suffer some harm that “actually exist[s]” in the world. In other words, even when a statute has allegedly been violated, Article III requires such violation to have caused some real—as opposed to purely legal—harm to the plaintiffs. The litigation would have offered Judge Ross a unique set of facts to interpret and apply the Supreme Court’s Spokeo ruling.
Under the settlement, lawyers for the class may receive up to one-third of the $11.2 million payout. Class members with valid claims can recoup up to $3,500. Layn Phillips, the settlement mediator and a former federal judge, said in a court filing that the accord offered “a valuable recovery for the class in the face of many obstacles[.]” One of the greatest obstacles had been pursuing litigation on behalf of a plaintiff class that did not want to further publicize their patronage of the website. From the start, the desire of class members to remain anonymous plagued the litigation. Numerous class action attorneys refused to pursue the litigation fearing that the plaintiffs’ refusal to be identified in court filings would prove difficult to overcome. Those who pursued the case asked Judge Ross to allow their clients to use pseudonyms in filings, but were ultimately unsuccessful in their efforts.
The settlement, however, contains solutions that acknowledge the difficulties in sending out notices and distributing payouts to class members that wish to remain anonymous. “In this particular case, direct notice to the class is impossible and has the potential to create future harm to class members,” plaintiffs’ attorneys wrote in a motion to Judge Ross to approve the settlement. Under terms of the agreement, notice of the settlement will be provided via prominent ads placed in People and Sports Illustrated magazines and on internet banner ads, rather than emails or mailboxes. In addition, the settlement will have its own website, although the URL will not make any reference to Ashley Madison or any other information identifying it as being related to AshleyMadison.com. Last, claim forms submitted via the website will be treated as strictly confidential and will not be disclosed to any person other than each party’s counsel, the settlement administrator, the court, and other persons to whom disclosure is necessary to effectuate the terms of the agreement.
Notably missing from the settlement is any discussion regarding the security of the settlement’s website. Hopefully the parties will put into place the necessary safeguards to protect the identities of class members.