FTC Announces Million-Dollar Settlement with Ashley Madison Website over 2015 Data Breach

The Federal Trade Commission (FTC or Commission) announced a $1.6 million dollar settlement with the operators of the Ashley Madison website due to a 2015 data breach that resulted in the publishing of personal account and profile information of 36 million users. In August 2015, hackers gained access to the company’s network and published almost 10 gigabytes of sensitive profile and billing information. Victims of the data breach allegedly included users who paid an additional fee for a “Full Delete” service to ensure that their data was removed from the site.

In a joint investigation with 13 states, the Office of Privacy Commissioner of Canada, and the Office of the Australian Information Commissioner, the FTC identified several of the company’s allegedly lax data-security practices. According to the complaint, the company allegedly failed to establish a formal written information security policy, failed to implement reasonable access controls, failed to provide adequate security training to employees, and failed to monitor the effectiveness of their security system. The complaint further claimed that the operators of the website lured customers into becoming paid members with fake profiles of women and misrepresented that they had made reasonable efforts to ensure that the site was secure. The settlement required the company to institute a comprehensive data-security program and pay a $1.6 million penalty, reduced from the initial $17.5 million penalty due to the company’s inability to pay.

As FTC Chairwoman Edith Ramirez stated, “this case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide.” The million dollar settlement demonstrates the FTC’s willingness to use the FTC Act’s prohibition against unfair business practices to institute litigation for egregious data-security violations. Each of the website’s claimed inadequate data security measures in this case have already been highlighted exhaustively in the basic principles the FTC outlined in its Start with Security guide for businesses. Companies that collect personal information should follow these principles to ensure that they employ adequate data security measures and help lower the risk of future expensive litigation. Further, companies that have made promises to protect consumer data should take this guidance into account.