Having an Affair May Shorten Your Life: the Ashley Madison Suicides

• Citation: Vol. 33 No. 2
• Publication year: 2017

Having An Affair May Shorten Your Life: The Ashley Madison Suicides

Sakinah N. Jones
Georgia State University College of Law, sjones167@student.gsu.edu

[Page 455]

HAVING AN AFFAIR MAY SHORTEN YOUR LIFE: THE ASHLEY MADISON SUICIDES

Sakinah Jones^*

INTRODUCTION

Ashley Madison¹ is an online dating service originally designed for people in committed relationships who want to cheat on their partners.² In 2015, the website claimed to be "100% discreet."³ ASHLEY MADISON's FAQs promised that its users would never compromise their "safety, privacy or security" and would never have to reveal their identities unless they chose to.⁴ ASHLEY MADISON's concept attracted over forty million ostensibly anonymous members to its site.⁵

In July 2015, a group calling itself The Impact Team (Impact) hacked into ASHLEY MADISON's parent company, Avid Life Media, Inc. (Avid Life), breaching its security walls and reaching directly into the ASHLEY MADISON user database.⁶ Since the data breach, at least four class actions have been filed against Avid Life⁷ and several

[Page 456]

suicides have been reported as linked to the ASHLEY MADISON breach.⁸ Historically, courts have been largely unwilling to recognize data breach class action claims and reluctant to find third party liability for an individual's suicide.⁹ This Note asks whether the unique circumstances of the ASHLEY MADISON data breach require an evolution of existing legal principles.

Part I of this note provides background on the ASHLEY MADISON data breach, describes the reports of the suicides that have been linked to the data breach, and explains the current status of the class action lawsuits pending against Avid Life.¹⁰ Part I also describes existing precedent, outlining the current legal landscape of data breach class actions and suicide litigation.¹¹ Part II analyzes the facts of the ASHLEY MADISON data breach and distinguishes the ASHLEY MADISON issues from precedent.¹² Part III proposes a solution to the lack of legal remedy for consumers who are affected by data breaches by recognizing a new category of data breaches that satisfies both standing and tort-element damages.¹³ Part III also argues for an exception to the "artificial restriction"¹⁴ of the causation requirement in tort claims and suggests a limited statutory remedy to incentivize companies to respond to known threats to data security.¹⁵

[Page 457]

I. Background

A. "Life is short. Have an affair."¹⁶

The ASHLEY MADISON data breach compromised its "user databases, financial records and other proprietary information."¹⁷ Initially, Impact only leaked randomly sampled snippets of the stolen data, including some user information.¹⁸ However, along with the sensitive snippets, the hackers also posted a "manifesto" demanding Avid Life take ASHLEY MADISON offline permanently.¹⁹ If Avid Life did not comply with its demands, Impact threated to "release all customer records, including profiles with customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails."²⁰ Less than one month after making its demands known, Impact made good on its threat and posted almost ten gigabytes of stolen data to the "dark web" in a massive data dump.²¹

[Page 458]

1. "Christmas in September"²²

Since Impact's data dump of some thirty-two million names, emails, sexual preferences, and other data about alleged customers of ASHLEY MADISON, class action suits against Avid Life have been popping up in Federal District Courts around the country.²³ By the end of 2015, about a dozen class action lawsuits had been filed in the United States against Avid Life—including several in California, Missouri, Texas, and Arkansas.²⁴ Allegations included breach of contract, negligence, and violation of various state and privacy laws.²⁵ One lawyer described it as "Christmas in September" for the legal industry.²⁶

In California, plaintiffs claimed Avid Life did not "take appropriate measures to prevent hackers from accessing clients' sensitive private details."²⁷ Lawyers in Texas specifically alleged that Avid Life "should have known about vulnerabilities in their computer systems—because [they had] been warned about them."²⁸

[Page 459]

In Missouri, an anonymous female plaintiff claimed she paid the nineteen-dollar fee for ASHLEY MADISON to delete her account, however her personal information still appeared online in the data dump.²⁹ Joining the Missouri suit, two Canadian law firms filed a $578 million class action lawsuit, also claiming ASHLEY MADISON failed to protect its users' information.³⁰

Like many of the class action plaintiffs, an Arkansas plaintiff filed under the pseudonym John Doe.³¹ The choice is an understandable one because it attempts to hold on to any shred of privacy that the breach victims may have left. However, the federal judge in Arkansas rejected the plaintiff's request to remain anonymous.³² Seemingly adding insult to injury, the judge gave the plaintiff about a week to add his name.³³ If the plaintiff refused to disclose his identity in his complaint, the judge would permit ASHLEY MADISON to dismiss the lawsuit.³⁴

2. Suicides Following the ASHLEY MADISON Breach

The data exposed in the ASHLEY MADISON breach includes the names of millions of ASHLEY MADISON members,³⁵ and the lawsuits against Avid Life cover a wide spectrum of claims and damages.³⁶ In a few cases, the damages extend to wrongful death damages because

[Page 460]

those whose names were exposed committed suicide, likely as a result of the data breach disclosures.³⁷ In one tragic story, John Gibson, a member whose name appeared in the list of stolen data, was a married Louisiana pastor with two children.³⁸ Just six days after the data dump, Gibson committed suicide, mentioning ASHLEY MADISON in his suicide note.³⁹

In another story, Captain Michael Gorhum was a twenty-five year veteran of the San Antonio Police Department.⁴⁰ Shortly after his official police email address was published on a cop-hating blog in a "purported list of ASHLEY MADISON users,"⁴¹ Gorhum committed suicide, shooting himself in his church parking lot.⁴² At least two other suicides have been reportedly linked to the ASHLEY MADISON breach.⁴³

B. Data Breach Class Actions Are Historically Unsuccessful

Most hacking activity goes largely unnoticed by the media.⁴⁴ In fact, in order for a breach to reach "public awareness," a hacker has to make a significant mistake that leads to getting caught, make a demand of money or other assets, or simply seek a platform to air grievances.⁴⁵ For every breach that becomes public knowledge, there

[Page 461]

are an estimated 100 that go undetected.⁴⁶ That said, when a breach is publicly exposed, lawsuits often follow.⁴⁷

A data breach is defined as "an incident in which an individual name plus a Social Security number, driver's license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure."⁴⁸ The number of data breaches and the number of records compromised in a single breach were on record pace at the time of the ASHLEY MADISON hack.⁴⁹ But, there had been several significant data breaches in prior years.⁵⁰

In 2009, Heartland Payment Systems announced the "largest data breach ever to affect an American company" compromising 130 million credit and debit cards.⁵¹ Then, in December 2013 and January 2014, Target's breaches affected as many as 110 million people.⁵² Other significant breaches include Sony's, affecting 102 million;⁵³ Home Depot's, fifty-six million;⁵⁴ and TJX Companies Inc.'s,

[Page 462]

forty-six million.⁵⁵ Class action litigation rapidly follows large data breach cases.⁵⁶

Consumers affected by data breaches typically seek a remedy as a class because the expected damages for any one individual are very low.⁵⁷ Most cases follow the same pattern: "a consumer, suing on behalf of a putative class, alleges that a company breached its duty to customers by allowing a data breach to occur and confidential information to fall into the hands of third parties."⁵⁸ The consumer commonly alleges injuries of "(1) the cost of fraudulent transactions, (2) the increased risk of future identity theft resulting from the breach, and (3) the burden of closing affected accounts and opening new ones."⁵⁹ Almost all of these class actions are brought as negligence claims.⁶⁰

Unfortunately, data breach class actions are notoriously unsuccessful.⁶¹ Many courts find that data breach class action plaintiffs fail to satisfy the injury-in-fact element necessary for constitutional standing.⁶² These courts reason that the alleged injuries

[Page 463]

are not "actual or imminent," but are instead "conjectural or hypothetical."⁶³ Those that overcome the constitutional standing hurdle still face a high likelihood of dismissal because the alleged injury is not "sufficient to satisfy the damages requirement of a tort claim."⁶⁴ For example, while the Seventh Circuit found standing was satisfied in Pisciotta v. Old National Bancorp, ultimately the plaintiff's claims were dismissed "for want of damages" under the controlling state law.⁶⁵ In Krottner v. Starbucks Corp., the Ninth Circuit also found standing but dismissed "for lack of tort-element damages."⁶⁶ Moyer v. Michaels Stores, Inc. saw the same result.⁶⁷

C. Wrongful Death by Suicide

People usually move on with life after being injured by someone else's negligence.⁶⁸ Unfortunately, a few find the pain of the injury unbearable, and instead take their own lives.⁶⁹ Under these circumstances, a suicide can turn a personal injury action into a wrongful death action.⁷⁰ In every tort suit, a plaintiff must not only prove that the defendant breached the standard of care, but also that "the defendant's act or omission caused the injury or damage for which the plaintiff claims compensation."⁷¹ This latter element establishes the legal cause, also known as the "factual cause"⁷² or the

[Page 464]

"cause-in-fact,"⁷³ of...