Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

AshleyMadison.com—a website that offers to connect married people seeking to have an affair—suffered a data breach in July 2015.  A month later, the hackers released 9.7 gigabytes of information obtained from the hack, including the full names, usernames, and e-mail addresses of the website’s customers.  Notably, the released data included information about users who had previously paid $19 to have their accounts deleted.  All told, more than 36 million users (nearly all men) had their information publicly disclosed as a result of the hack.

The settlement requires the AshleyMadison.com owners to pay a total of $1.6 million to resolve the FTC and state actions.  But the consequences are not just financial.  The website must also establish a “comprehensive information security program” and obtain initial and biennial data security assessments from a “qualified, objective, independent third-party professional” for the next 20 years.

The mandatory data security program imposed in the settlement requires the owners of AshleyMadison.com to develop a “reasonably designed” program to protect users’ data.  Rather than taking a prescriptive approach, the FTC order sets out general principles, “the content and implementation of which must be fully documented and in writing.”  The program must contain safeguards appropriate to the business’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers.  This approach—setting forth principles rather than specific requirements—offers a glimpse into the FTC’s thinking about how to assess what constitutes a “reasonable” data security program.

Not only did the AshleyMadison.com breach expose customer data, it also revealed that employees for the website had created thousands of fake profiles—all but three of which purported to be women—to entice users to join the website.  According to the FTC’s complaint, these fake profiles were created by using information, including photographs, from members of the website.  As part of the settlement, employees of AshleyMadison.com are permanently prohibited from creating fake profiles, mispresenting how they “collect” or “use” personal information, and lying about the number of actual users on their websites. 

Even with this settlement, the website’s troubles are far from over.  It faces multiple class action lawsuits, most which have been consolidated in the Eastern District of Missouri, though the plaintiffs in those suits have faced additional embarrassment by having to reveal their true identities.  But all is not lost for AshleyMadison.com. Despite the reputational hit the company took as a result of the breach, with a little rebranding, the website has reportedly gained an additional 7 million users since July of this year.