“Life Is Short. Settle with the FTC” – The Cost of Ashley Madison’s 2015 Data Breach

by Pillsbury’s Social Media & Games Law Blog

On December 14, 2016, the operators of the online extramarital dating and social networking website AshleyMadison.com agreed with the Federal Trade Commission and several states to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts), the data of some 36 million AshleyMadison.com accounts was posted online. KrebsOnSecurity reported that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking web sites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.

The FTC’s complaint against AshleyMadison.com (a.k.a. Ruby Life Inc.) and its related/parent entities (e.g., Ruby Corp) sought permanent injunctive relief, restitution, the refund of monies paid, and disgorgement of ill-gotten monies in connection with AshleyMadison/Ruby’s marketing and sale of online dating services. The FTC’s complaint noted that as part of the service, AshleyMadison/Ruby collected and transmitted personal information, including:

16. … full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats.

AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” The Gizmodo article concluded that “[w]hatever the total number of real, active female Ashley Madison users is, the company was clearly on a desperate quest to design legions of fake women to interact with the men on the site.”

In its complaint the FTC also described problems with AshleyMadison/Ruby’s “Full Delete” option, for which consumers paid $19 to remove their profiles from the website completely, and accused AshleyMadison/Ruby of misrepresentations regarding the terms and conditions for deleting profiles.

It is alleged that AshleyMadison in some instances failed to remove consumer profiles from its internal systems even though the consumer had paid $19 for the “Full Delete” option.

According to information on the New York Attorney General’s website, AshleyMadison/Ruby (1) retained certain information about consumers who purchased the “Full Delete” option for up to twelve months in order to address requests for chargebacks, and in several cases (2) it did not delete all consumer information—including user photographs, chat communications, nicknames and sexual preferences—from its system even after twelve months.
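The retention problem described above is a data-lifecycle design question: a paid deletion has to remove every store’s copy of the profile content at once, keep only the minimum a payment dispute needs, and drop even that when the hold period ends. The following is an added illustration written for this post, not code from Ashley Madison, Ruby Corp or any regulator; the data model, the 365-day hold, the field names and the constructed sample accounts are all assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed 12-month chargeback hold, matching the retention window described in the post.
CHARGEBACK_HOLD = timedelta(days=365)


@dataclass
class Profile:
    user_id: str
    nickname: str
    email: str
    photos: list          # blob keys for uploaded photographs
    preferences: dict     # e.g. sexual preferences and desired encounters


@dataclass
class ChargebackStub:
    # The minimum a payment dispute needs: no nickname, photos, chats or preferences.
    user_id: str
    payment_ref: str
    amount_cents: int
    purge_after: datetime


class AccountStore:
    def __init__(self):
        self.profiles = {}          # user_id -> Profile
        self.chats = []             # (sender_id, recipient_id, text): a separate table
        self.chargeback_stubs = {}  # user_id -> ChargebackStub

    def full_delete(self, user_id, payment_ref, amount_cents, now):
        """Remove every store's copy of the user's content now; keep only a time-boxed stub."""
        self.profiles.pop(user_id, None)
        # Chats live in a different table than the profile. A delete that only touches
        # the profile table leaves communications behind, which is the failure mode
        # the New York Attorney General described. The whole thread is dropped here.
        self.chats = [m for m in self.chats if user_id not in (m[0], m[1])]
        self.chargeback_stubs[user_id] = ChargebackStub(
            user_id, payment_ref, amount_cents, now + CHARGEBACK_HOLD)

    def purge_expired(self, now):
        """Drop chargeback stubs whose hold period has ended; returns how many were purged."""
        expired = [uid for uid, s in self.chargeback_stubs.items() if s.purge_after <= now]
        for uid in expired:
            del self.chargeback_stubs[uid]
        return len(expired)

    def residual_data(self, user_id):
        """Audit check: list every store that still references user_id."""
        found = []
        if user_id in self.profiles:
            found.append("profile")
        if any(user_id in (m[0], m[1]) for m in self.chats):
            found.append("chats")
        if user_id in self.chargeback_stubs:
            found.append("chargeback_stub")
        return found


def run_demo():
    """Constructed sample accounts; returns the audit result at three points in the lifecycle."""
    t0 = datetime(2015, 1, 1, tzinfo=timezone.utc)
    store = AccountStore()
    store.profiles["u1"] = Profile("u1", "nick1", "u1@example.com", ["p1.jpg"], {"seeking": "x"})
    store.profiles["u2"] = Profile("u2", "nick2", "u2@example.com", [], {})
    store.chats.append(("u1", "u2", "hi"))
    store.chats.append(("u2", "u1", "hello"))

    store.full_delete("u1", "txn-0001", 1900, t0)   # the $19 Full Delete purchase
    after_delete = store.residual_data("u1")        # only the chargeback stub remains
    store.purge_expired(t0 + timedelta(days=200))
    mid_hold = store.residual_data("u1")            # stub still within its hold period
    store.purge_expired(t0 + CHARGEBACK_HOLD)
    after_hold = store.residual_data("u1")          # nothing left
    return after_delete, mid_hold, after_hold


if __name__ == "__main__":
    print(run_demo())
```

The audit function is the part a practitioner actually wants: it enumerates every table that can reference a user, so a retention failure in a store the deletion routine forgot (chats, here) shows up as residue rather than surfacing years later in a breach dump. In a real system the same check would run against photo storage, message queues and backups as well.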

The FTC also alleged that AshleyMadison/Ruby’s statements that the AshleyMadison.com website was “100% secure,” “risk free” and “completely anonymous,” together with advertisements describing the site as “secure,” “anonymous” and “risk free,” misrepresented the security of its network.

In its press release, the FTC reported that operators of the Toronto-based AshleyMadison.com dating website agreed to settle FTC and state charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to the July 2015 data breach. The settlement requires AshleyMadison/Ruby to implement a comprehensive data-security program, including third-party assessments. The settlement includes an immediate payment of $1,657,000 divided amongst the states and the Federal Trade Commission. The remainder of the $17.5 million payment is suspended based on AshleyMadison/Ruby’s inability to pay, according to a press release on the website for the New York State Attorney General.

The FTC worked with a coalition of the District of Columbia and thirteen states—Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee and Vermont—on the investigation and settlement. In addition, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner provided assistance to the FTC’s investigation and reached their own settlements with AshleyMadison/Ruby. (Provisions in the U.S. SAFE WEB Act allowed the FTC to share information with its foreign counterparts, here Canada and Australia, to combat deceptive and unfair practices that cross national borders.) The FTC’s announcement of the settlement included comments from the government officials involved in the FTC’s investigation of and settlement with AshleyMadison/Ruby, which in turn provide insight into the state of user privacy concerns and cross-border collaboration on privacy issues:

  • Vermont Attorney General William H. Sorrell – “Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website.”
  • Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada – “In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”
  • Australian Privacy Commissioner Timothy Pilgrim – “Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

The AshleyMadison/Ruby data breach case, settled in 2016, is one of the largest the FTC has investigated to date, and like many such events, there seem to have been a number of warning signs prior to the breach, if only the company had recognized them. In its announcement, the FTC noted that before the July 2015 data theft in question, “Intruders accessed the [AshleyMadison/Ruby] networks several times between November 2014 and June 2015, but due to their lax data-security practices, the defendants did not discover the intrusions.”

There are several lessons from this outcome.

First, government agencies are actively pursuing enforcement against companies with lax data security practices. In its announcement about the settlement, New York State Attorney General Schneiderman stated that “All companies have a responsibility to protect the privacy and personal information of consumers, and my office will continue to work with other state and federal authorities to protect consumers from online threats,” and that “[t]his settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated.” In this case, a settlement of $17.5 million was negotiated (with all but $1,657,000 suspended for inability to pay), and it is clear that the real cost of data breaches is increasing and will continue to increase.

Second, government agencies involved in consumer protection and data security are working together across borders to ensure the privacy rights of consumers. Meeting the demands of these agencies requires planning and a sustained compliance effort for businesses that retain user data on their systems.

Third, data theft is often not discovered until long after it has occurred. As the FTC explained, lax data security practices led AshleyMadison/Ruby to miss that it had already been compromised repeatedly between November 2014 and June 2015. Regular, routine cybersecurity audits performed internally and by third parties, together with logging and monitoring capable of surfacing an intrusion while it is still in progress, are critical to detecting and reacting to data theft in a timely manner.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury’s Social Media & Games Law Blog | Attorney Advertising

