AshleyMadison.com Owners Agree to Pay $1.6 Million to Settle FTC and State Data Breach Charges | Practical Law

The operators of the AshleyMadison.com dating site have agreed to settle FTC and state charges that they misled consumers and failed to protect their personal information after a 2015 data breach. Among other obligations, the terms of the settlement require the company to implement a comprehensive data security program and pay $1.6 million.

by Practical Law Intellectual Property & Technology
Published on 15 Dec 2016 | USA (National/Federal)
On December 14, 2016, the FTC announced that it and a coalition of 13 states and the District of Columbia had reached a settlement with the operators of the AshleyMadison.com dating website for engaging in deceptive business practices and failing to protect the personal information of more than 36 million users.
Toronto-based Ruby Corp. and Ruby Life Inc. d/b/a AshleyMadison.com, and Delaware-based ADL Media Inc. (collectively Ashley Madison) operated a web-based dating site for adults in committed relationships who were interested in having an affair. AshleyMadison.com offered a three-tiered system of membership:
  • A basic membership that allowed users to create a free dating profile containing personal information, an email address, and photographs of themselves. Basic members could also search for other users, post and view photographs, and engage in limited communications.
  • A full membership, available as an upgrade, that additionally allowed users to send messages, engage in real-time chats, and send virtual gifts.
  • A priority membership, which required an additional monthly subscription and elevated a user's profile to a preferred position in search results.
As part of the service, Ashley Madison collected personal information from its users that included:
  • Full name.
  • User name.
  • Gender.
  • Address, including zip codes.
  • Date of birth.
  • Ethnicity.
  • Height.
  • Weight.
  • Sexual preferences and desired encounters.
  • Email address.
  • Photographs.
  • Payment card numbers.
  • Hashed passwords.
  • Answers to security questions.
The company claimed its website was "100% secure" and displayed an icon indicating that the site had received a trusted security award.
On multiple occasions during 2014 and 2015, intruders breached Ashley Madison's security controls and gained access to its corporate network and payment processors. In July 2015, the company discovered that the site had been hacked. The intruders then published almost 10 gigabytes of data relating to its 36 million users, including:
  • The full names of paying customers.
  • User names and email addresses of non-paying customers.
  • Profile and account information, including codes related to security questions, security answers, and hashed passwords.
  • Billing information, including billing addresses and the last four digits of consumers' credit and debit cards. In some cases, users' full credit card numbers were published.
The complaint alleged that Ashley Madison's failure to provide reasonable data security measures increased the risk of harm to the individuals identified in the breach, and that the company could have prevented or mitigated those risks by implementing readily available, low-cost measures.
The complaint also alleged that Ashley Madison misrepresented:
  • The security of the website.
  • That the site had received a trusted security award.
  • The number of actual users on the site.
  • The terms and conditions for deleting a user's profile.
Under the terms of the settlement, among other things, Ashley Madison agreed to:
  • Pay a combined $1.6 million to the FTC and participating states.
  • Refrain from misrepresenting the extent to which they:
    • collect, use, or maintain personal information;
    • protect the privacy, confidentiality, security, and integrity of personal information;
    • have received awards or seals from third parties; or
    • participate in any privacy or security program sponsored by a third party.
  • Establish and implement a comprehensive written information security program.
  • Obtain initial and biennial third-party assessments for the next 20 years to evaluate the company's data security measures and compliance with the settlement agreement.
While the FTC's mandated data security measures are similar to those found in past enforcement actions, this settlement is notable because:
  • The FTC worked with its Canadian and Australian counterparts, which reached their own settlements with Ashley Madison, including sharing information as permitted under the SAFE WEB Act (15 U.S.C. §§ 41-58).
  • It arose out of the combined efforts of the FTC, 13 states (Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont), and the District of Columbia.