Life Is Short. Litigate.

The many, many lawsuits of Ashley Madison.

Ashley Madison hack
The fallout of the adultery-management website’s hack has been swift and brutal.

Photo by ASIFE/iStock

In what may be the consummate legal irony of the summer, Ashley Madison—the adultery-management Web business dedicated to the proposition that one relationship is never quite enough—is suddenly contending with multiple lawsuits, each more explosive than the one before. The website was targeted by hackers who last week exposed more than 30 million client memberships, email addresses, credit card numbers, addresses, and sometimes naughty sexual fantasies. It was socked by a Canadian class-action suit and then by a first volley of American suits this week. That’s just the start of the litigation it now faces.

The group calling itself the Impact Team managed to download onto the dark Web a tranche of deeply personal identifying information about tens of millions of users, ostensibly in protest against the company’s predatory practices and lack of privacy protection, but with a thick layer of moral thundering at the clientele and their loose morals. (As the hackers so eloquently put it: “Too bad for those men, they’re cheating dirtbags and deserve no such discretion.”) The fallout was swift and brutal, sweeping up alleged philanderers ranging from Josh Duggar and Christian vlogger Sam Rader to Florida state prosecutor Jeff Ashton to sports and political figures and members of the military and intelligence communities.* According to the Hill, more than 15,000 email addresses associated with accounts were hosted by government agencies or the military.

The biggest worry for the company will be the class-action suits by angry, outed users.

Last week two Canadian law firms filed a $578 million class-action suit against the Toronto-based Avid Life Media, Ashley Madison’s parent company, and Avid Life Dating, a subsidiary that runs the website. The class-action status still needs to be certified by the Ontario court. It’s been filed on behalf of “all Canadians” affected by the leak. The lead plaintiff named in the Canadian suit is Ottawa widower Eliot Shore, who joined the website after he lost his wife to breast cancer but never used it to cheat on her. Lawyers for the plaintiffs allege that “in many cases, the users paid an additional fee for the website to remove all of their user data—only to discover that the information was left intact and exposed.”

In Canada, a class action requires just one or two people to come forward and be willing to be named, and the rest of the class can have their identities protected, which may well encourage more users to come forward without fear of being humiliated for it.

In the United States, it’s much harder to anonymously join a class-action suit, although at present each of the suits is filed on behalf of a John or Jane Doe. A class-action lawsuit filed in federal district court in California on Monday by a John Doe accuses the Canadian website of negligence and invasion of privacy and of causing emotional distress. According to a report in Reuters, “The lawsuit claims that the data breach could have been prevented if the company had taken ‘necessary and reasonable precautions to protect its users’ information, by, for example, encrypting the data.”

The Daily Beast reported Monday that a similar suit was filed in Texas as well. Lawyers in the Texas case contend that Ashley Madison should have known about security vulnerabilities in its computer systems because internal documents—also revealed in the hack—made clear that the company had been warned that it was at risk and did nothing.

Even before the breach, Ashley Madison was already facing legal trouble. At the end of July, Missouri lawyers had already filed an early class-action suit, Jane Doe v. Avid Life Media Inc. in U.S. District Court seeking more than $5 million in damages. They filed on behalf of an unnamed female plaintiff alleging, among other causes of action, “violations of the Stored Communications Act (“SCA”), negligence, and breach of implied contract.”

And all this is just the beginning. The Rosen Law Firm of New York has posted a call for Ashley Madison users to join a prospective privacy and consumer fraud suit. In its announcement, the firm highlights the fact that the “full delete” feature advertised by the company opens it up to all sorts of false claims and deceptive trade practices claims, noting that “the Company lured users, in part, by highlighting publicly its purportedly heightened data security. The Company further attracted users by advertising and marketing a ‘Full Delete’ service which promised to completely eliminate user profiles and all associated data for a fee.”

As Russell Brandom explained in the Verge, the greatest challenge for plaintiffs in any data breach case is showing that the users suffered a tangible harm. That will not be a high bar in the Ashley Madison suits. Simply being associated with the company can produce devastating reputational harms for most users.

Ashley Madison will likely take the position that since accounts were not verified by the company on signing up, the presence of an email on the database means nothing. They also contend that merely being signed up on the site is not proof, in and of itself, of infidelity. The company has also released a furious statement decrying the smug moralism and criminality of the Impact Team: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

Maybe. But citizens around the world have been regrettably willing to giggle and point at the so-called dirtbags whose information has been stolen and posted. Ashley Madison will also rely on its consumer-unfriendly terms of service statement, which seems to offer the company leeway to argue that consumers took on the risk when they joined the website, as well as its comprehensive release of claims against Ashley Madison for any damages “related to the release or use of such information by third parties.”

And what about the reports of greedy divorce lawyers licking their chops at the prospect of thousands of new clients swept in on the tide of mistrust and infidelity? There will be divorces, but since in most jurisdictions we live in the age of no-fault divorce, claims of adulterous spouses won’t get you very far in terms of property dissolution or have much impact on child custody, which puts the best interests of the child over allegations of parental infidelity.

The folks who may quickly see legal consequences for their involvement with Ashley Madison are the members of the military who signed up. Adultery is still a crime under the Uniform Code of Military Justice. The other real victims of the hack will be people who are being targeted for extortion and blackmail by predators who find their names on the Web. In an attempt reported by security blogger Brian Krebs, a married Ashley Madison user received a demand for cash in exchange for secrecy: “If you would like to prevent me from finding and sharing this information with your significant other,” the message said, “send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address.” There have also been several unconfirmed reports of suicides relating to the hack. In countries where being gay will suffice for a death sentence, victims of the hack who are exposed as homosexual may pay with their lives.

In addition to the legal questions surrounding the hackees, there will be serious criminal consequences for the hackers, if they are found. Canada’s National Post reports that “the Ashley Madison hackers would likely be charged under laws against stealing computer data, breaking into computer networks and even ‘possessing a computer password … to commit an offence of unauthorized use.’ ”

And none of this even begins to touch on the thorny legal questions surrounding the problem of whether news entities can legally download and disseminate the hacked data—questions that seem to largely be resolved on the side of journalists’ First Amendment rights, but whose answers—legally and ethically—are hardly unequivocal.

And as Lauren Walker notes in Newsweek, perhaps the most worrisome aspect of the public reception of the Ashley Madison scandal is the vicious moral judgment we are willing to direct at the private lives of private figures, simply because they are involved with an adultery website. As Rabeh Soofi, managing attorney at Axis Legal Counsel, a Los Angeles–based privacy law firm, explained to Walker, “What is unusual about the Ashley Madison situation is that there seems to be a sentiment that the victims of this data breach are somehow deserving of having their information revealed to the public.”

Tulane University’s Amy Gajda, author of The First Amendment Bubble: How Privacy and Paparazzi Threaten a Free Press, is far more sanguine about the way the media have largely respected the privacy of the nonpublic victims of the hack. She notes, in an email, the contrast between the way the press handled the Ashley Madison scandal and “the backlash after the recent story by Gawker about the CFO alleged to have been looking for sex with a male escort on backpage.com. … The CFO was seen as more of an average person, I think, someone others could relate to at least in non-public-figure terms, and there was a sort of uprising in favor of his privacy there.” That episode leads Gajda to conclude that “we find such ‘private’ people to be worthy of far less scrutiny than politicians, and that, even in an age in which sexual information is available at a click, we still find the release of private sexual information wrong.”

The truth is we may not know for a long time whether the legal system can vindicate, through class-action suits or agency investigations, the damage done to the real victims of this hack: the wives and the children and the private clients too humiliated to come forward to seek legal help. We have directed a good deal of inchoate contempt to real people suffering real harms who will never come forward to talk about it. A lot of lawyers may get very rich off Ashley Madison. And we may never even learn who the most vulnerable victims were.

*Correction, Aug. 27, 2015: This article originally misstated that Jeff Ashton intended to resign. (Return.)