The Federal Trade Commission (FTC) has entered into a multimillion dollar settlement with the owners and operators of AshleyMadison.com, a dating website for people interested in having discreet affairs, related to the hacking and posting online of customer data in the summer of 2015. The FTC conducted its investigation—one of its largest relating to a data breach—in conjunction with investigations by multiple state attorneys general and privacy regulators in Canada and Australia.

According to a civil complaint filed simultaneously with the settlement agreement in U.S. District Court for the District of Columbia, hackers repeatedly accessed the Ashley Madison corporate network and that of a service provider in 2014 and 2015 by utilizing stolen employee user credentials. In July 2015, the attackers contacted the company and claimed to have stolen all customer records for the websites AshleyMadison.com and EstablishedMen.com. They threatened to release the stolen data unless the company immediately shut down both websites. After the company failed to heed their demands, a group identifying itself as "The Impact Team" published online 9.7 gigabytes of data related to 36 million Ashley Madison customers and to the company owners and operators.

The FTC's complaint alleged that Ashley Madison violated Section 5 of the FTC Act by engaging in unfair security practices and misrepresentation. The FTC claimed that Ashley Madison acted unfairly by failing to employ reasonable data security standards to prevent unauthorized access to personal information on company networks. The deficiencies cited by the FTC included:

  • Absence of a written information security policy;

  • Lack of reasonable access controls, including weak password policies, login and data security event monitoring, and insecure remote access;

  • Failure to provide adequate data security training to employees; and

  • Failure to require implementation of reasonable data security measures by third-party service providers.

The misrepresentation claims had three components:

  • Misrepresentations concerning the website’s security practices, including the claim that it had received a "Trusted Security Award;"

  • Retention of account information, which was purloined in the hack, even after customers had paid $19 for a "Full Delete" service to remove their information from the Ashley Madison network; and

  • Use of "engager profiles" in which customers believed they were receiving communications from interested women, but in fact were receiving communications from "fembot" profiles created and maintained by Ashley Madison staff.

As part of the settlement, Ashley Madison agreed to pay a fine of $8.75 million to the FTC, of which all but $828,500 was suspended due to the company's inability to pay, and agreed to pay the same amount to settle claims made by 13 states and the District of Columbia. In addition, Ashley Madison agreed not to misrepresent the security of customer information and its use of engager profiles and further agreed to implement stringent data security policies and procedures to better protect consumer information in the future. These changes include implementation and maintenance of a comprehensive information security program commensurate with the size, complexity, and nature of Ashley Madison’s business, as well as biennial data security assessments to be conducted by a third party for 20 years.

This investigation and settlement show that governmental regulators are collaboratively engaged in investigating security practices related to consumer data, and will seek stiff fines and onerous, long-term supervision of non-compliant companies that suffer sophisticated cyberattacks. Consistent with the terms of regulatory settlements like this one, businesses that maintain and process consumer data should maintain comprehensive data security measures to mitigate potential loss and liability.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cyber incident response team assists organizations of all sizes in preparing for and responding to cyber incidents, and the investigations and litigation that often follow them. Our attorneys also regularly work with companies on structuring and properly documenting cross-border data transfers, drafting privacy policies, third-party vendor agreements, and information security policies and procedures as necessary to comply with the requirements of the General Data Protection Regulation and the EU–U.S. Privacy Shield.


Copyright © 2016 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
