From Ashley Madison to the Panama Papers: Is Hacked Data Fair Game?

We’ve previously written about the distinctions between hacking credit and other financial data in comparison to hacking private information. (See Ashley Madison and Coming to “Terms” with Data Protection.) The issue of how much protection the latter receives when it relates to attorney-client communications is currently before the District Court of the Eastern District of Missouri in the multi-district litigation arising from the July 2015 Ashley Madison leaks. Plaintiffs—former users of the site who claim that Ashley Madison defrauded the public by creating fake female profiles to lure male users—hope to use leaked information in their consolidated complaint against the site, due to be filed June 3 of this year. The leaked information sought to be used includes references and citations to emails between Ashley Madison’s parent company, Avid Dating Life, and its outside counsel.

ashley-madisonIn their court filings, plaintiffs argue that they should be allowed to reference media reports that cite and analyze communications between Avid Dating Life and law firm Barnes & Thornburgh. Stating specifically that they do not intend to use the communications themselves, plaintiffs argue that public articles are not privileged, even if they cite potentially privileged communications, and that journalists are protected by the First Amendment in publishing leaked information. Although they recognize that the communications were obtained by hackers, plaintiffs characterize the leaked communications as “fully memorialized in the public domain.” Any confidentiality of the communications—many of which are still available online and freely accessible, they allege—was destroyed by the public disclosure. (As an example of the media reports that plaintiffs may seek to cite to, the National Law Journal points to a Gizmodo article that cites to emails in which an attorney at Barnes & Thornburgh advises that Ashley Madison’s terms of service disclose that some of the profiles are fictitious.)

Ashley Madison argues that these communications between its parent company and its lawyers are confidential attorney-client communications and are protected by privilege despite being widely distributed. Even if they were widely disseminated, it argues, “stolen documents do not lose their privileged status because they are published without the consent of the privilege holder.” Accordingly, Ashley Madison moved for a protective order on February 29 precluding the use of “stolen documents.”

Amicus briefs have been filed in support of Ashley Madison’s motion for protective order, mostly focused on the fact that leaked information includes 37 million consumer records. A group of former users advocated for the issuance of the protective order based on their and other consumers’ “strong privacy interest” in keeping personally identifiable and financial information from disclosure. In response, plaintiffs clarified that they do not intend to use any consumer information, just internal business documents and press articles that discuss those documents.

In its order directing plaintiffs to respond to Ashley Madison’s motion for protective order, Judge John A. Ross of the District Court referred to the leaked documents as “illegally obtained from Avid,” and further ordered that plaintiffs refrain from referencing or quoting from those documents in their response or attaching any as exhibits. Judge Ross had also recently ruled against plaintiffs and ordered them to be publicly identified by name so that they can be open to scrutiny from class members they seek to represent. This has already resulted in a few John and Jane Does deciding to drop their suits.

This issue has come up in various contexts before. After the Sony leak in 2014, several media outlets, including Am Law Daily, Corporate Counsel and The New York Post published analyses of communications between Sony and its in-house and outside counsel. When asked for comment by Am Law Daily, a Sony spokesperson reportedly responded that the information asked about was “stolen from Sony” and declined to comment. More recently, the documents leaked from law firm Mossack Fonseca— the “Panama Papers”—have been dissected, discussed and publicized by publications worldwide, thus bringing up many of those same issues being wrestled with in the Ashley Madison case.

Whether privilege stays intact after confidential communications between an attorney and client are leaked may vary depending on a state’s case law and rules of professional conduct. In looking at federal and Missouri case law, Ashley Madison itself recognized that most cases discussing stolen documents implicate the client or lawyer’s personal involvement in the theft. The Ashley Madison hack and similar cases present a novel situation where the client or attorney may not be guilty of personal wrongdoing but may benefit from the leak nonetheless. In arguing for upholding privilege, Ashley Madison largely relies on a policy argument: allowing use of “stolen” documents would degrade the integrity of the legal process and encourage hackers.

Since there has yet to be a ruling on this issue, the Ashley Madison MDL court could issue a cutting-edge ruling on a novel and important issue.