Trade Law Daily is a Warren News publication.
Fine Amount Questioned

FTC, Ruby Settle Ashley Madison Data Breach Case

Infidelity website Ashley Madison parent ruby will be required to pay out $1.66 million of a $17.5 million monetary settlement with the FTC and attorneys general of 13 states and Washington, D.C., officials announced Wednesday. That is part of a larger settlement with federal and state officials to end a joint case on claims that Ashley Madison deceived consumers and failed to protect the account information of the 36 million users whose data were exposed in a July 2015 breach, the FTC said. The data breach targeted Ashley Madison’s parent firm, then known as Avid Life Media, and resulted in the exposure of about users’ personal and financial information. Published information included users’ real names and addresses, as well as their sexual preferences on the site that helped those seeking sex affairs match up (see 1507200017).

This “represents one of the largest data breaches that the FTC has investigated,” said Chairwoman Edith Ramirez during a conference call with reporters. The monetary settlement and a commitment from ruby to implement a “comprehensive” data security program are aimed at preventing the company from “making misrepresentations” about the security of its users’ information in the future, Ramirez said. Every consumer “has a right to online privacy and a right not to be scammed no matter the user’s lifestyle,” said Vermont Attorney General William Sorrell. Vermont led the states’ involvement in the FTC investigation, Sorrell said. The other states were Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island and Tennessee.

Ramirez noted that the FTC received significant data cooperation from the offices of the Australian Information Commissioner and the Privacy Commissioner of Canada. Australia and Canada found in August that ruby violated privacy laws in those countries by falsely presenting itself as a secure service while having inadequate cybersecurity (see 1608230045). That collaboration allowed the three governments “to achieve a more effective remedy in the wake” of the breach, Canada Privacy Commissioner Daniel Therrien told reporters.

The FTC said in the proposed settlement filed Wednesday that it agreed to suspend all but $828,500 of the $8.75 million monetary settlement due to the agency, while the 14 U.S. jurisdictions involved in the settlement agreed to suspend all but $828,500 of the $8.75 million owed to them. Ramirez repeatedly defended the FTC’s decision to suspend the vast majority of the monetary settlement ruby was required to pay, telling reporters that the $1.66 million the company still must pay will ensure it isn’t “profiting from unlawful conduct.”

The governments agreed to suspend most of the monetary settlement after an analysis of ruby’s finances showed the company wasn’t able to pay more, Ramirez said. An “avalanche clause” in the settlement will require ruby to pay out the rest of the $17.5 million settlement if the FTC determines the company misrepresented its financial status, Ramirez said. The $1.66 million will go directly into government coffers because it’s too small to be used to compensate affected users, Ramirez said. The FTC’s aim in calculating a monetary settlement in the ruby case was not to “put them out of business,” she said.

The commission determined the original $17.5 million settlement amount based on the amount it believed was needed to recover revenue ruby gained by charging users $19 for a “Full Delete” of their profile information and then failing to do so, Ramirez said. The FTC didn’t attempt to factor in compensation for any reputational damage that affected users experienced as a result of the exposure of their personal information, she said. The FTC has urged Congress to pass comprehensive data security legislation that would include a provision giving the agency the authority to issue civil penalties related to data security issues, Ramirez said. Such a provision “would give us a greater ability to address these issues,” she said.

It’s “important not to overlook the strong injunctive provisions” included in the settlement, Ramirez told reporters. The settlement prohibits ruby from “misrepresenting” the company’s collection of personal information and the security of its systems, including “the extent to which consumers may exercise control over the collection, use, or disclosure of personal information.” Ruby is also prohibited from falsely claiming to have received security awards or certifications from third-party firms or falsely stating the terms and conditions for deleting a user’s information, the settlement said.

The settlement mandates that ruby establish and implement a “comprehensive” data security plan that includes a cyber risk assessment of the company’s assets and “reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.” An FTC-approved third party will assess ruby’s security plan within 180 days of the settlement’s adoption and will review it biennially for the next 20 years, the agency said.

“Today is a pivotal day for our members and for Ashley Madison,” said CEO Rob Segal in a statement. “Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company.”