Affair Website Ashley Madison Fined $8.75 Million Over Data Breach, Misrepresentations

Ballard Spahr LLP

The Federal Trade Commission (FTC) has entered into a multimillion dollar settlement with the owners and operators of AshleyMadison.com, a dating website for people interested in having discreet affairs, related to the hacking and posting online of customer data in the summer of 2015. The FTC conducted its investigation—one of its largest relating to a data breach—in conjunction with investigations by multiple state attorneys general and privacy regulators in Canada and Australia.

According to a civil complaint filed simultaneously with the settlement agreement in U.S. District Court for the District of Columbia, hackers repeatedly accessed the Ashley Madison corporate network and that of a service provider in 2014 and 2015 by utilizing stolen employee user credentials. In July 2015, the attackers contacted the company and claimed to have stolen all customer records for the websites AshleyMadison.com and EstablishedMen.com. They threatened to release the stolen data unless the company immediately shut down both websites. After the company failed to heed their demands, a group identifying itself as "The Impact Team" published online 9.7 gigabytes of data related to 36 million Ashley Madison customers and to the company owners and operators.

The FTC's complaint alleged that Ashley Madison violated Section 5 of the FTC Act by engaging in unfair security practices and misrepresentation. The FTC claimed that Ashley Madison acted unfairly by failing to employ reasonable data security standards to prevent unauthorized access to personal information on company networks. The deficiencies cited by the FTC included:

  • Absence of a written information security policy;

  • Lack of reasonable access controls, including weak password policies, login and data security event monitoring, and insecure remote access;

  • Failure to provide adequate data security training to employees; and

  • Failure to require implementation of reasonable data security measures by third-party service providers.

The misrepresentation claims had three components:

  • Misrepresentations concerning the website’s security practices, including the claim that it had received a "Trusted Security Award;"

  • Retention of account information, which was purloined in the hack, even after customers had paid $19 for a "Full Delete" service to remove their information from the Ashley Madison network; and

  • Use of "engager profiles," in which customers believed they were receiving communications from interested women but in fact were receiving communications from "fembot" profiles created and maintained by Ashley Madison staff.

As part of the settlement, Ashley Madison agreed to pay a fine of $8.75 million to the FTC, of which all but $828,500 was suspended due to the company's inability to pay, and agreed to pay the same amount to settle claims made by 13 states and the District of Columbia. In addition, Ashley Madison agreed not to misrepresent the security of customer information or its use of engager profiles, and further agreed to implement stringent data security policies and procedures to better protect consumer information in the future. These changes include implementation and maintenance of a comprehensive information security program commensurate with the size, complexity, and nature of Ashley Madison's business, as well as biennial data security assessments to be conducted by a third party for 20 years.

This investigation and settlement show that governmental regulators are collaboratively engaged in investigating security practices related to consumer data, and will seek stiff fines and onerous, long-term supervision of non-compliant companies that suffer sophisticated cyberattacks. Consistent with the terms of regulatory settlements like this one, businesses that maintain and process consumer data should maintain comprehensive data security measures to mitigate potential loss and liability.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
