AshleyMadison.com Operators Settle With FTC And States For $1.66 Million

King & Spalding

On December 14, 2016, the Federal Trade Commission (the “FTC”) announced that ruby Corp., ruby Life Inc., and ADL Media Inc. (the “Defendants”) agreed to a settlement with the FTC, 13 states, and the District of Columbia.  The Defendants operate the AshleyMadison.com website, which was the target of a 2015 data breach that exposed the personal information of more than 36 million users.  In addition to $1.66 million in monetary fines, the 20-year settlement order requires the Defendants to establish and maintain a comprehensive data security program and obtain biennial independent data security assessments.

According to the FTC’s complaint, throughout 2014 and most of 2015, the Defendants stored password encryption keys in plain text on their server and in employee emails, allowing intruders to access the Defendants’ corporate network.  In August 2015, the intruders published personal information pertaining to more than 36 million AshleyMadison.com users, including full names, sexual preferences, and desired sexual activities. 

The FTC alleged that the Defendants represented the AshleyMadison.com website as “100% secure,” “risk free,” and “completely anonymous.”  The website also displayed an image indicating that it had received a “Trusted Security Award.”  The FTC’s complaint alleges that the Defendants never received any such award from any organization.  The Defendants also charged over 125,000 users $19 each for a “Full Delete” feature to remove user profiles permanently.  Per the FTC, the Defendants nevertheless retained those users’ personal information for up to 12 months.

Under the settlement order, for a period of 20 years, the Defendants must refrain from making further misrepresentations to their users regarding the security and confidentiality of their services.  The Defendants also must implement and maintain a comprehensive data security program with administrative, technical, and physical safeguards appropriate to the Defendants’ size and complexity, the nature of their business activities, and the sensitivity of the personal information they collect.  The mandated program must include a risk-based security assessment, employee training, regular program testing, and third-party vendor risk management controls.  Every two years during the 20-year term of the settlement order, the Defendants must engage qualified, objective, and independent third-party professionals to assess the mandated data security program.  The Defendants must submit the biennial assessments to the FTC. 

The settlement order also requires the Defendants to pay $828,500 to the FTC and an equal amount to be split between 13 states and the District of Columbia.  The assessment of monetary fines is a rare move for the FTC, whose settlements more typically impose only injunctive relief.

As quoted in the FTC’s press release, FTC Chairwoman Edith Ramirez stated: “This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide.  The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.” 

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
