[BreachExchange] From Ashley Madison to the Panama Papers: Is Hacked Data Fair Game?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 25 19:38:07 EDT 2016


http://www.jdsupra.com/legalnews/from-ashley-madison-to-the-panama-85218/

We’ve previously written about the distinctions between hacking credit and
other financial data in comparison to hacking private information. (See
Ashley Madison and Coming to “Terms” with Data Protection.) The issue of
how much protection the latter receives when it relates to attorney-client
communications is currently before the District Court of the Eastern
District of Missouri in the multi-district litigation arising from the July
2015 Ashley Madison leaks. Plaintiffs—former users of the site who claim
that Ashley Madison defrauded the public by creating fake female profiles
to lure male users—hope to use leaked information in their consolidated
complaint against the site, due to be filed June 3 of this year. The leaked
information sought to be used includes references and citations to emails
between Ashley Madison’s parent company, Avid Dating Life, and its outside
counsel.

In their court filings, plaintiffs argue that they should be allowed to
reference media reports that cite and analyze communications between Avid
Dating Life and law firm Barnes & Thornburgh. Stating specifically that
they do not intend to use the communications themselves, plaintiffs argue
that public articles are not privileged, even if they cite potentially
privileged communications, and that journalists are protected by the First
Amendment in publishing leaked information. Although they recognize that
the communications were obtained by hackers, plaintiffs characterize the
leaked communications as “fully memorialized in the public domain.” Any
confidentiality of the communications—many of which are still available
online and freely accessible, they allege—was destroyed by the public
disclosure. (As an example of the media reports that plaintiffs may seek to
cite to, the National Law Journal points to a Gizmodo article that cites to
emails in which an attorney at Barnes & Thornburgh advises that Ashley
Madison’s terms of service disclose that some of the profiles are
fictitious.)

Ashley Madison argues that these communications between its parent company
and its lawyers are confidential attorney-client communications and are
protected by privilege despite being widely distributed. Even if they were
widely disseminated, it argues, “stolen documents do not lose their
privileged status because they are published without the consent of the
privilege holder.” Accordingly, Ashley Madison moved for a protective order
on February 29 precluding the use of “stolen documents.”

Amicus briefs have been filed in support of Ashley Madison’s motion for
protective order, mostly focused on the fact that leaked information
includes 37 million consumer records. A group of former users advocated for
the issuance of the protective order based on their and other consumers’
“strong privacy interest” in keeping personally identifiable and financial
information from disclosure. In response, plaintiffs clarified that they do
not intend to use any consumer information, just internal business
documents and press articles that discuss those documents.

In its order directing plaintiffs to respond to Ashley Madison’s motion for
protective order, Judge John A. Ross of the District Court referred to the
leaked documents as “illegally obtained from Avid,” and further ordered
that plaintiffs refrain from referencing or quoting from those documents in
their response or attaching any as exhibits. Judge Ross had also recently
ruled against plaintiffs and ordered them to be publicly identified by name
so that they can be open to scrutiny from class members they seek to
represent. This has already resulted in a few John and Jane Does deciding
to drop their suits.

This issue has come up in various contexts before. After the Sony leak in
2014, several media outlets, including Am Law Daily, Corporate Counsel and
The New York Post published analyses of communications between Sony and its
in-house and outside counsel. When asked for comment byAm Law Daily, a Sony
spokesperson reportedly responded that the information asked about was
“stolen from Sony” and declined to comment. More recently, the documents
leaked from law firm Mossack Fonseca— the “Panama Papers”—have been
dissected, discussed and publicized by publications worldwide, thus
bringing up many of those same issues being wrestled with in the Ashley
Madison case.

Whether privilege stays intact after confidential communications between an
attorney and client are leaked may vary depending on a state’s case law and
rules of professional conduct. In looking at federal and Missouri case law,
Ashley Madison itself recognized that most cases discussing stolen
documents implicate the client or lawyer’s personal involvement in the
theft. The Ashley Madison hack and similar cases present a novel situation
where the client or attorney may not be guilty of personal wrongdoing but
may benefit from the leak nonetheless. In arguing for upholding privilege,
Ashley Madison largely relies on a policy argument: allowing use of
“stolen” documents would degrade the integrity of the legal process and
encourage hackers.

Since there has yet to be a ruling on this issue, the Ashley Madison MDL
court could issue a cutting-edge ruling on a novel and important issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160425/960c03e1/attachment.html>


More information about the BreachExchange mailing list