The operators of the AshleyMadison.com dating website have settled with the FTC and a coalition of state regulators over charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to a massive July 2015 data breach of their network.
According to the FTC’s complaint, Ashley Madison’s operators deceived their website users in several ways, including by creating fake profiles of attractive women on the website to encourage men to become paid users and by retaining users’ personal information after they had selected the “Full Delete” option to eliminate their profiles, messages, photos and any other personally identifiable information.
In addition, according to the complaint, despite Ashley Madison’s representations that the website was secure, risk-free and entirely anonymous, the dating website failed to implement reasonable data security practices. In this respect, Ashley Madison lacked a written information security policy, reasonable access controls, employee data security training, supervision over third-party service
In the settlement, Ashley Madison’s operators agreed to pay a total of $1.6 million. They also agreed not to make any misrepresentations concerning their websites or mobile applications and to implement a comprehensive data security program that will, amongst other things, require the dating website's operators:
- to identify the internal and external risks to the security, confidentiality and integrity of personal information which they retain;
- to evaluate and adjust the data security program in light of security testing and monitoring of any material changes to their operations or business arrangements;
- to designate an employee or employees to coordinate and be responsible for the data security program;
- to develop a program to select and retain service providers capable of appropriately safeguarding personal information;
- to develop and implement reasonable safeguards to control the risks identified through risk assessment, and conduct regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures; and
- to engage an independent third party to conduct initial and biennial assessments of the program for the 20-year term of the settlement.