The operators of Ashley Madison, the dating website for married people that became famous following its massive data breach in 2015, settled claims brought by the Federal Trade Commission (“FTC”) regarding that breach and their security practices and representations. Ruby Corp., Ruby Life Inc., and ADL Media Inc. (collectively, “Ruby”), named as defendants, were responsible for the operation of ashleymadison.com.
Hackers breached Ashley Madison—a site with over 18 million users in the United States alone—in 2014 and 2015, with intruders reportedly gaining access to Ruby’s networks multiple times. Ruby did not detect the breach until July 2015, when an employee noticed large data transfers.
Ruby has agreed to pay $1.6 million to the FTC and state regulators to resolve charges relating to the hack, with several million more of the judgment suspended in light of the company's financial limitations. The FTC, 13 states, and the District of Columbia entered into a settlement to resolve the complaint. Earlier this year, Ruby also entered into a compliance agreement with the Office of the Privacy Commissioner of Canada and an enforceable undertaking with the Office of the Australian Information Commissioner. Additionally, multidistrict class action litigation brought by numerous former Ashley Madison customers continues against Ruby.
The FTC filed a complaint in the District Court for the District of Columbia. Among the allegations raised in the complaint were that Ruby:
- Failed to have a written organizational information security policy
- Failed to secure remote access, regularly monitor unsuccessful login attempts, revoke passwords of ex-employees, restrict access to systems based on employee job functions, and implement controls to protect against retention of passwords and encryption keys, and permitted employees to reuse passwords
- Failed to properly train employees to perform the data-security measures related to their jobs
- Failed to ensure that third-party providers utilized reasonable security measures
- Failed to monitor their system at random intervals to identify security breaches and to ensure the effectiveness of their protective measures.
The complaint also alleged that Ruby falsely:
- Assured users that their information was private and protected
- Created fake profiles to attract new users, and consumers had no way to distinguish between real and fake profiles
- Claimed it had received a “Trusted Security Award,” as well as stating that it was “100% secure,” “risk free,” and “completely anonymous”
- Required consumers to purchase the right to fully delete their profiles, and only told them after payment that their information would be retained for 6 to 12 months thereafter. Ruby then either retained the information for up to 12 months, or completely failed to remove the information.
In addition to enjoining Ruby from misrepresentations as to its security practices and its utilization of fake profiles, the Settlement Agreement set forth a series of data security practices that Ruby is required to implement, with initial and biennial assessments of compliance required. The Settlement Agreement requires Ruby to obtain its assessments from an objective third-party professional that will monitor Ruby and the execution of its new security program. The Settlement Agreement also prevents Ruby from using personal information received from the online dating sites prior to the entry of the Settlement Agreement, unless it complies with the requirements discussed above regarding the cessation of its misrepresentations to consumers. Ruby must also submit a compliance report to the FTC.
The complaint and subsequent Settlement Agreement are only the latest in the FTC's exercise of its asserted power to investigate and prosecute companies for inadequate data security. The mandated security program outlined in the Settlement, for example, provides a useful roadmap that proactive businesses may utilize to preemptively show that their compliance is in line with FTC expectations. The Settlement Agreement provides a warning to those who freely throw about statements and self-awarded seals regarding the security of their platforms. The complaint and settlement also reinforce the importance of restricting access to systems based on service providers and employee job functions, and the importance of internal employee and vendor controls regarding password usage and retention.
- The FTC noted that 36 million individuals worldwide were affected, making it one of the largest data breaches it has investigated.
- Finally, Ruby was ordered to pay $8,750,000 in satisfaction of the judgment, but this amount was suspended. Instead, Ruby will pay $828,500 to the FTC, and $828,500 to the 13 states and DC, for a total of approximately $1.6 million. Should Ruby be found to have misrepresented its financial condition, Ruby will immediately owe the full amount of the judgment.
- The Settlement Agreement outlines a comprehensive data security program for the personal information collected. In doing so, it stated that the program was to be "appropriate to Defendants' size and complexity, the nature and scope of Defendants' activities, and sensitivity of the personal information collected from or about consumers," signaling that the FTC is not promoting a one-size-fits-all approach to data security. The safeguards ordered, however, are of the type that are likely to be expected of most companies. For example, the FTC requires that Ruby designate an employee to take responsibility for the program, create protocols to identify and resolve internal and external risks, and conduct a risk assessment to assess the sufficiency of, necessity for, and implementation of various safeguards. The Settlement also requires the creation of a process to select and retain third-party service providers that will be capable of safeguarding any information they receive from Ruby.
- The parties quickly settled the matter following the filing of the Complaint. The Settlement Agreement—a stipulated order for permanent injunctive and other relief—was entered into by the FTC, 13 states, and the District of Columbia against Ruby.
- The FTC brought charges alleging unfair security practices, and misrepresentations regarding network security, user profiles, terms and conditions for deleting profiles, and data security seals.
As New York Attorney General Schneiderman stated: "This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated." (New York will receive $81,330.94 of the payment being made, since up to 652,627 New York residents were members of Ashley Madison at the time of the security breach.) Businesses that want to take an active approach to data security compliance can glean much from the FTC's complaint and settlement here.