•  
  •  
 

Document Type

Article

Abstract

Ashley Madison is an online dating service originally designed for people in committed relationships who want to cheat on their partners. In 2015, the website claimed to be “100% discreet.” Ashley Madison’s FAQs promised that its users would never compromise their “safety, privacy or security” and would never have to reveal their identities unless they chose to.

Ashley Madison’s concept attracted over forty million ostensibly anonymous members to its site. In July 2015, a group calling itself The Impact Team (Impact) hacked into Ashley Madison’s parent company, Avid Life Media, Inc. (Avid Life), breaching its security walls and reaching directly into the Ashley Madison user database. Since the data breach, at least four class actions have been filed against Avid Life and several suicides have been reported as linked to the Ashley Madison breach.Historically, courts have been largely unwilling to recognize data breach class action claims and reluctant to find third party liability for an individual’s suicide.

This Note asks whether the unique circumstances of the Ashley Madison data breach require an evolution of existing legal principles. Part I of this note provides background on the Ashley Madison data breach, describes the reports of the suicides that have been linked to the data breach, and explains the current status of the class action lawsuits pending against Avid Life.Part I also describes existing precedent, outlining the current legal landscape of data breach class actions and suicide litigation. Part II analyzes the facts of the Ashley Madison data breach and distinguishes the Ashley Madison issues from precedent. Part III proposes a solution to the lack of legal remedy for consumers who are affected by data breaches by recognizing a new category of data breaches that satisfies both standing and tort-element damages. Part III also argues for an exception to the “artificial restriction” of the causation requirement in tort claims and suggests a limited statutory remedy to incentivize companies to respond to known threats to data security