As data breach plaintiffs are starting to overcome questions of whether or not they have standing [1] to bring lawsuits in federal court under Article III of the U.S. Constitution, a recent decision may place an additional burden on plaintiffs. The August data breach of Ashley Madison [2], a website that refers to itself as “the world’s leading married dating service for discreet encounters,” has given rise to a number of lawsuits.
For example, one plaintiff recently filed a lawsuit [3] in an Arkansas federal court seeking damages, on behalf of himself and others, related to the theft and exposure of his personal information stored by Ashley Madison. The plaintiff claims Ashley Madison was unjustly enriched by charging customers for a “paid delete” service to remove customer information but did not actually delete the information.
Ashley Madison recently argued that the plaintiff’s suit should be dismissed because he filed suit under the pseudonym John Doe rather than using his real name. On December 14, 2015, the U.S. District Court for the Eastern District of Arkansas denied Ashley Madison’s motion, but held the plaintiff had to sue in his real name. The District Court held that under the First Amendment “[t]here is a ‘strong presumption in favor of parties proceeding in their own names.’”
In analyzing this issue, the District Court relied on Plaintiff B v. Francis, 631 F.3d 1310, 1315 (11th Cir. 2011), which instructs courts to consider the following factors to determine if “privacy concerns” warrant a party to proceed anonymously:
- Is the plaintiff challenging a government activity?
- Will the plaintiff “be required to disclose information of the utmost intimacy?”
- Is there risk of criminal prosecution for admissions that may be made by the plaintiff?
The plaintiff argued the second “privacy concern” factor permitted him to proceed anonymously because disclosing his real name would subject his “sexual habits [to] public scrutiny.” The District Court disagreed and issued an order requiring the plaintiff to file an amended complaint [4] under the following reasoning:
Rather, [signing up for the website] simply reveals that at one time he was a member of a website that catered to individuals who wanted to have “discreet relationships.” The details of whether Plaintiff did anything beyond signing up are not relevant to the claims in the complaint, which means there would be no revelation of Plaintiff’s sexual proclivities. Plaintiff’s privacy concerns do not outweigh the “strong presumption” in favor of requiring a party to proceed under his own name.
Based on the court’s reasoning, the plaintiff is required to file an amended complaint with his proper name by December 23, 2015.
A number of plaintiffs are struggling to meet the requirements for Article III standing to bring suit for data breaches. Here, the District Court’s holding that the plaintiff must use his proper name in data breach litigation may prove to be another obstacle to bring a suit for a data breach. While not every data breach has the potential to cause reputational damage to the extent seen with the Ashley Madison breach, some people may not want to pursue litigation under their proper names if that litigation would further highlight the fact that their name is associated with a breach at a certain political organization or related to a questionable service or purchase.