Friday, May 13, 2016

Federal judge overseeing lawsuits against Ashley Madison says hacked data from extramarital-affair Web site will be kept out of courtroom proceedings

A federal judge in Missouri has ruled that plaintiffs cannot use hacked data to build their case against the extramarital cheating site Ashley Madison and its parent company, Avid Life Media. The ruling comes roughly three weeks after U.S. District Judge John A. Ross found plaintiffs must proceed under their own names, that they will not be able to use pseudonyms.

Last summer's hack of Ashley Madison data produced a flurry of federal lawsuits, including several brought by Birmingham law firm Heninger Garrison Davis. The class-action complaints have been consolidated at U.S. District Court in St. Louis, with Ross (who was nominated to the bench by President Barack Obama in 2010) overseeing the case.

So far, Ross has ruled in Ashley Madison's favor on a couple of key issues. Writes Kristen V. Brown, a reporter at Fusion:

A Missouri judge is making it very hard to sue Ashley Madison over last year’s massive data breach. First, the U.S. district court judge ruled that breach victims couldn’t sue the company anonymously, meaning that their names will go into the public record as users of the infidelity dating website. Now, that same judge has ruled that plaintiffs cannot use hacked data to build their case against the company. So Ashley Madison is legally protected, for now, from the secrets exposed in the hack of its client records and corporate email.

Ashley Madison’s parent company Avid Life Media faced a rush of John Doe lawsuits after the hack that exposed the identity of millions of its users. In the Missouri suit, 42 plaintiffs filed under pseudonyms alleging that Ashley Madison failed to “adequately secure” users’ personal and financial information. When a hacking group named “Impact Team” leaked the identities of users last summer, it revealed that the site had been lax on security and had retained records of users who had paid the company for a permanent deletion of their accounts.

Avid Life Media asked that its leaked documents be kept under wraps during court proceedings because they had been criminally obtained. U.S. District Judge John A. Ross sided with the company, even though the wide distribution of those documents online is the very thing users argue turned their lives to turmoil.

What was Ross' reasoning? Writes Brown:

“The fact that the content of some of Avid’s internal documents … has been to some extent placed on the internet and reported in news articles does not change the nature of the documents. They remain stolen documents,” the judge wrote in an April 29 ruling.

The plaintiffs had argued that the documents were no longer confidential, because they are widely distributed on the internet. This was the same argument Google used when fighting for the right to use emails exposed in the Sony Pictures hack in a legal battle with the MPAA—and while Google was barred from using the hacked documents themselves in the case, which is ongoing, the company has cited press articles that reference the documents in their filings

Ross went on to find that lawyers and journalists have very different obligations in how they handle the case:

In the Ashley Madison decision, the judge found that even news articles referencing the leak were off limits. While journalists were protected under the First Amendment in publishing the stolen information online, he wrote, attorneys involved in private litigation had differing ethical responsibilities.

Judge John A. Ross
 “The fact that plaintiffs intend to use only news articles quoting from the original documents as opposed to the original documents themselves is, in the court’s view, a distinction without a difference,” Judge Ross wrote. “The quality and nature of the information remains the same. It is stolen information and cannot form the basis for a good faith belief of evidentiary support for a pleading.”

It's not all bad news for plaintiffs in the case, as Brown notes:

The silver lining to this cloud is that the documents revealed in the hack could come out during the case’s discovery process. “Regardless of whether some of the documents at issue may be ultimately discoverable, Avid has, and has always had, the right to keep its own documents until met with proper discovery requests or ordered to disclose them by the court,” wrote the judge.

So to get the hacked documents admitted in court, the plaintiffs will need to ask Ashley Madison to produce them. Luckily, the plaintiffs have a very good idea of the smoking gun documents it should request.


Anonymous said...

I think this judge is hitting the nail on the head with these rulings. Seems like a good judge. Maybe he can ride circuit to Alabama.

Anonymous said...

Should be interesting to see what comes out of discovery in this case.

Anonymous said...

About time there was a clear pronouncement about this data being stolen and not suitable as the basis for a fishing expedition.

legalschnauzer said...

A couple of comments, @7:29 --

(1) Never has there been a question that the data was stolen, via a hack. A group of hackers took credit for it and warned in advance what they were going to do. No pronouncement was needed, or made, by any judge on that point.

(2) I have not seen the judge's full ruling, but I see no signs in news coverage that it said a word about whether the material was "suitable as the basis for a fishing expedition (whatever that is)." If you are referring to news coverage on the subject, the Fusion article clearly states that journalists are entitled to report under the First Amendment. Specifically, Bartnicki v. Vopper is a 2001 SCOTUS case that resolved that issue:

(3) To be clear, the ruling says lawyers may not use the stolen data for evidentiary reasons, even though journalists can use it. Lawyers, however, can obtain the data from Ashley Madison via the discovery process. Discovery almost certainly will show that the stolen data and the AM data are one and the same. In fact, no one seems to dispute in the court case that the stolen data actually is from AM. The plaintiffs' primary contention is that the company was negligent in failing to protect their personal data.