Using Stolen Data in Discovery

Assume your opponent in litigation suffers a data breach and data relevant to your case is dumped online.  Can you use it?

Some might remember the Ashley Madison data breach.  The company’s slogan was once “life is short, have an affair.”  Anyhow, the company was hacked and information about its users was data dumped online.  Included in the data were “internal company documents, including communications between Avid and its counsel.”  A class-action was filed.  “Plaintiffs assert that for purposes of drafting their consolidated amended complaint, they intend to use news articles discussing and, in some cases, quoting those documents, but not any of the original documents leaked in the data breach.”[1]  Ashley Madison moved for protective order to prevent plaintiffs from using the stolen data.

Plaintiffs opposed, first arguing the court had no authority to control information that was obtained outside the discovery process.  There was some authority supporting the argument, but the court rejected it.  Allowing a party to use information that was improperly obtained would make the court complicit in improper activities.  The court invoked its inherent authority and heard the motion on the merits.

Plaintiffs’ argument basically was that the information was publicly available online, so it was no longer privileged or confidential.  “Plaintiffs base their entitlement to rely on this ‘public information’ in drafting their pleadings on the fact that journalists may legally publish leaked or stolen information….”  That argument did not work.  “Journalists, however, are in a completely different position than parties involved in private litigation. No doubt exists that the news media enjoy the freedom of ‘the press;’ however, the conduct of attorneys is informed by their ethical responsibilities as officers of the Court.”

The Plaintiffs other arguments also did not work.

Plaintiffs would be unfairly advantaged while Avid would have no opportunity to argue against production. The fact that the content of some of Avid’s internal documents, including email communications between Avid and its counsel, has been to some extent placed on the internet and reported in news articles does not change the nature of the documents. They remain stolen documents. Regardless of whether some of the documents at issue may be ultimately discoverable, Avid has, and has always had, the right to keep its own documents until met with proper discovery requests or ordered to disclose them by the Court

The court added “[a]llowing Plaintiffs to use the documents stolen from Avid would serve to encourage the conduct of hackers and cause businesses and individuals victimized by hackers to be more likely to give in to extortionists.”  The result was the protective order was issued.


[1] In re Ashley Madison Customer Data Sec. Breach Litig., No. MDL No. 2669, 2016 U.S. Dist. LEXIS 57619 (E.D. Mo. Apr. 29, 2016).