Privacy & Information Security Law Blog

On December 14, 2016, the FTC announced that the operating companies of the AshleyMadison.com website (collectively, the “Operators”) have settled with the FTC and a coalition of state regulators over charges that the Operators deceived consumers and failed to protect users’ personal information. The FTC worked with a coalition of 13 states, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner to resolve this matter, which was initiated in the wake of the website’s July 2015 data breach.

According to the complaint, the Operators deceived their website users in several ways. These included (1) posting fake profiles of attractive women on the website to encourage men to become paid members of the website; (2) retaining consumers’ personal information after they requested the “Full Delete” option to remove their profiles, photos, messages and any other personally identifiable information; and (3) advertising the website as secure, risk-free and completely anonymous. The complaint also alleged that the Operators committed unfair trade practices by failing to have in place a written information security policy, implement reasonable access controls or monitor the security of the AshleyMadison.com website effectively. According to the complaint, the website’s inadequate information security culminated in a data breach in July 2015, in which hackers published the personal information for more than 36 million AshleyMadison.com users.

In the settlement, the Operators agreed to each pay $828,500 to the FTC and the coalition of states. They also agreed to not make any misrepresentations regarding their websites or mobile applications and to develop and implement a written information security program that will require the Operators to:

• designate an employee or employees to coordinate and be responsible for the information security program;
• identify the internal and external risks to the security, confidentiality and integrity of personal information they retain;
• develop and implement reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures;
• develop a program to select and retain service providers capable of appropriately safeguarding personal information; and
• evaluate and adjust the information security program in light of security testing and monitoring or any material changes to their operations or business arrangements.

Finally, the settlement obligates the Operators to engage an independent third party to conduct initial and biennial assessments of the program for the 20-year term of the settlement.

In the press release announcing the settlement, FTC Chairwoman Edith Ramirez noted the wide scope of the breach and stated that “[t]he global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.” Vermont Attorney General William H. Sorrell commented that he “was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner.”

The FTC vote authorizing the staff to file the complaint and stipulated final order was 3-0. The FTC filed the complaint and final order in the U.S. District Court for the District of Columbia.