Paul Callan: The Ashley Madison hack could have legal consequences on a variety of fronts
He says innocent people caught up in the hack could sue; so could lawyers filing class-action suits
Editor’s Note: Paul Callan is a CNN legal analyst, a former homicide prosecutor and media law professor. He is “of counsel” to two law firms: Edelman & Edelman PC and Callan, Koster, Brady & Nagler LLP. The opinions expressed in this commentary are his.
It must have been a panic attack weekend for Ashley Madison website customers wondering whether they were soon to be outed in the latest highly publicized breach of cybersecurity.
State and federal judges and prosecutors, federal employees, military personnel, college professors, journalists, Hollywood celebrities, lawyers, teachers and even members of the British Parliament have already been identified in a preliminary sweep of an enormous 10 gigabytes of stolen data.
The website openly facilitates adulterous relationships with the help of a sophisticated advertising campaign which promised discretion and security. Its name, “Ashley Madison,” is a clever blend of two particularly popular female names with a ring of class and elegance, aimed at attracting the married men who largely populated the site.
The owners of Ashley Madison also created a snappy advertising logo, “Life is short. Have an affair.” Soon they will learn that though “Life is short,” there is always time for a lawsuit. In fact, time for perhaps thousands of lawsuits culminating in dire financial consequences for Ashley Madison and parent company Avid Life Media.
Though aggrieved spouses across the planet may feel that the hackers have performed a public service in shaming “cheaters and liars,” the criminal law does not agree.
If apprehended and convicted, the brazen cyberthieves will face many years in federal or state prisons dreaming of computer-assisted conjugal visits. A variety of federal laws including those against wire fraud, extortion, racketeering and computer fraud carry sentences of up to 20 years in prison for a cybertheft of this magnitude – not to mention strict state laws as well as laws in other affected nations.
The unusually verbose hackers who have published rather detailed manifestos regarding the Ashley Madison takedown are likely to be eventually tracked down by law enforcement authorities who employ their own sophisticated hacker advisers.
The unusual phraseology, discernable in the cyberthreats made by the hackers, may reveal speech and phrase patterns traceable on the Internet with the advanced computer technology now in the arsenal of law enforcement authorities. If you live by the cybersword, you may die by the cybersword. College students submitting plagiarized Internet term papers learned this lesson long ago.
This certainly doesn’t look like a foreign state supported cyberattack such as the recent Sony hack or the recent massive federal employee hack suspected to be of Chinese origin. The so called “Intercept Team’s” public statement regarding the attack has a moralistic rather than political edge to it.
The site users, the so-called “victims” who have already been trashed in social media as “cheaters & liars,” do have legal remedies.
First, there probably are at least some in the database who are entirely innocent. Ashley Madison had no procedure in place for confirmation of email addresses and some imposters checking out the site before actually investing money used false email addresses. One particularly ham-handed applicant used former British Prime Minister Tony Blair’s name with an obviously phony email address.
Even those who really did sign up for the notorious infidelity service have potential claims for “invasion of privacy” and “publication of private facts” in some but not all American states. The publication of their names, detailed sexual preferences and in some cases credit card information was clearly illegal.
Ashley Madison, if negligent in protecting such a sensitive database, would owe damages to the site members as well as media outlets who publish without adequately investigating the hacker data dump. Many legal experts believe, however, that the character issue hanging over the aspiring adulterers like an ominous cloud limits the probability of a big damage award from a jury. Enter the class-action attorneys.
These are the wealthy lawyers who took down the tobacco industry and who feast on securities fraud cases with thousands of clients, each suffering a very small “injury.” They often swoop into action on the wings of their Gulfstream jets armed with injunctions and endless depositions. No ambulance chasing for these guys.
Their fees are staggeringly high because they are set by the courts based on a multiple of the number of victims. An individual victim with no chance alone in court derives power through numbers and gets a big-time, class-action lawyer to litigate his or her case. Of course, each victim here would collect peanuts but the class-action lawyers may well consign Ashley Madison to the dustbin of infidelity.
Just follow the class action math.
Ashley Madison has repeatedly claimed almost 40 million members in a quest to become the Facebook of adultery. Now those membership numbers may spell its doom.
Though site members originally sign up for free, participation in the site often required an investment of as much as $400 for “credits” required for clients to have any meaningful opportunity to make the acquaintance of a real “Ashley” or “Madison.”
Even being conservative and discounting the damages to $100 per “victim” given their flexible sense of morality, the total damage sum is enormous.
That’s $100 times 40 million – amounting to $4 billion dollars in damages. Depending on the judge and jurisdiction, the lawyers could get as much as 25% of that, or $1 billion.
It’s not as much as Donald Trump says he is worth but not a bad payday for representing millions of admitted and aspiring adulterers. The first two lawsuits have already been filed in Canada and Missouri and more are sure to follow.
News organizations, in the meantime, should be careful about publishing names of outed site members. If innocent, such individuals could possibly sue for defamation and collect substantial damages. On the other hand, “public figures” such as politicians and judges would have a harder time because they would need to prove that the newsgroup acted with “actual malice” unlike other ordinary mortals who need only prove that the failure of the journalists to properly investigate the story caused the damage to reputation.
And in truth while a lot of people are laughing at the whole spectacle, the potential for damage to really innocent people such as family members and children is enormous.
It is also important to remember that in places such as Saudi Arabia where gay men reportedly used the service to connect with other gay men, the penalty for homosexual activity is death. The more radical view of Sharia law prescribes death by stoning for adultery involving heterosexual couples as well. Sadly, there may have been suicides – Toronto police said they are looking into two deaths they say may be connected to the Ashley Madison hack.
The case is yet another grim reminder that any information deposited in cyberspace is never truly secure. The law provides grounds for lawsuits against negligent companies but in a colossal failure of this magnitude, it is unlikely that sufficient assets will be available even if there are any real victims.
Determined hackers aided by ever-advancing technology can often outsmart even the most sophisticated defenses. Though the hackers may go to jail, embarrassing or sensitive information deposited with an unreliable guardian will remain in cyberspace forever.
If you really want to keep a secret, don’t email it, text it, post it or ever turn it over to a company with a name such as “Ashley Madison.”
Pretend it’s 1963; Steve Jobs is only 8 years old and Hillary Clinton has never heard of email. “Madison” is a boy’s name and an avenue in New York and believe it or not, communication the old-fashioned way is still possible.