Data breaches can have repercussions far beyond the loss of personally identifiable information. They can also include the loss of internal business documents that can damage the hacked company, including documents subject to the attorney-client privilege. That exact scenario affected Avid Dating Life Inc., the operator of Ashley Madison, the website targeting individuals seeking extramarital relationships. It suffered a breach that included not only personally identifiable information of 37 million users, but also internal business documents and communications between executives and Avid Dating Life’s attorneys. The hackers posted 30 gigabytes of compromised data from Ashley Madison online. That data included hundreds of thousands of corporate documents stolen as part of the breach, including documents Avid Dating Life claims are subject to attorney-client privilege.
The breached documents have become an issue for Avid Dating Life in multidistrict litigation brought against it by Ashley Madison users whose information was compromised as part of the breach (the Plaintiffs). In re Ashley Madison Customer Data Security Breach Litigation, Case No.: 4:15-md-2669 (E.D. Mo. 2015). Avid Dating Life asserts that the Plaintiffs have downloaded and reviewed portions of the breached documents and that the documents should not be available for review or use in the litigation in any manner.
Ashley Madison’s Response
Avid Dating Life filed for a protective order to ensure that the Plaintiffs and their attorneys would destroy all of the stolen documents and would not review or use them in any way. In support of its motion, the company asserts that documents subject to attorney-client privilege do not lose their status because they became available via a criminal act such as an improper data breach. The Plaintiffs have opposed the motion for protective order because, among other reasons, they were not the ones who engaged in the illegal conduct that obtained the information. Further, they claim the documents are in the public domain and no longer protected by privilege. The court has yet to rule on the motion for protective order.
Lessons for Other Companies
The Ashley Madison situation illustrates that many types of sensitive data – in addition to personally identifiable information – are at risk. A breach can target sensitive corporate information for the hackers’ financial gain or to embarrass a company and its officers. This reaffirms the importance for any company to take precautions related to its cybersecurity, including performing frequent security assessments, communicating cyber risks to the board of directors and key officers, implementing appropriate encryption and security controls, cultivating a secure culture through corporate policies and training, and implementing and practicing an incident response plan to minimize detection and response time.
Any company that is the victim of a data breach may find that critical information has been stolen as part of the theft, potentially including documents that are subject to attorney-client privilege. Once the documents have been accessed, the hackers can use the documents in a variety of ways, including selling the information and posting it on the internet. In particular because litigation can follow a data breach, companies should take steps to protect their documents, including privileged communications, that may have been stolen as part of that breach. Such measures may include considering seeking a protective order to prohibit anyone from using the stolen documents in any litigation.