[BreachExchange] In Ashley Madison Data-Breach Settlement, FTC Asserts Role as Cyber Cop

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 14 22:46:29 EST 2016


http://www.nationallawjournal.com/id=1202774674673/In-Ashley-Madison-DataBreach-Settlement-FTC-Asserts-Role-as-Cyber-Cop?slreturn=20161114215540

AshleyMadison.com, a website built to help cheating lovers meet their
match, has agreed to settle claims that lax cybersecurity was responsible
for a data breach that exposed the personal information of millions of
customers last year.

As *part of an agreement
<https://assets.documentcloud.org/documents/3238509/161214ashleymadisonorder1.pdf>*
with the Federal Trade Commission and several state attorneys general, the
parent company, Ruby Corp., will pay $1.6 million to resolve charges
connected to the July 2015 hack. The breach exposed millions of customers’
addresses, credit card numbers and sexual preferences.

The sanctions announced Wednesday amounted to $17.5 million, but that
penalty was largely suspended because of the company’s inability to pay,
FTC Chairwoman Edith Ramirez told reporters on a conference call. If
regulators later determine Ashley Madison’s parent company misrepresented
its financial condition, it will have to pay the entire settlement amount.

“This case represents one of the largest data breaches that the FTC has
investigated to date, implicating 36 million individuals worldwide,”
Ramirez said in a statement. “The global settlement requires
AshleyMadison.com to implement a range of more robust data security
practices that will better-protect its users’ personal information from
criminal hackers going forward.”

In August 2015, a month after the breach, hackers published the personal
information of more than 36 million AshleyMadison.com users online.
AshleyMadison.com retained some of that information after charging
customers $19 for the “full delete” service to permanently remove their
data from the site’s network.

James Halpert, co-chairman of DLA Piper’s cybersecurity practice,
represented Ashley Madison and its parent company, formerly known as Avid
Life Media Inc. Halpert was not immediately reached for comment Wednesday.

According to the FTC, Ashley Madison advertised that it received a “Trusted
Security Award” when, in fact, it had received no such award and failed to
take adequate data security measures.

The FTC and attorneys general also alleged that the website created fake
profiles to lure in new users. That portion of the FTC’s complaint *mirrored
charges the agency brought
<http://www.law.com/sites/almstaff/2016/07/05/lessons-from-the-ftcs-first-action-against-a-dating-website/>*
in 2014 against another online dating site, the England-based JDI Dating
Ltd. The company agreed to pay $616,165 in redress to resolve claims that
it used computer-generated profiles to trick customers into upgrading their
accounts and charged users a recurring monthly fee without their consent.

According to the FTC, AshleyMadison.com employed a similar strategy through
August 2014, using fake profiles of women to entice 19 million U.S.
residents into upgrading to paid accounts.

*'Unprecedented' international cooperation*

Regulators in Canada and Australia assisted the FTC in the investigation
and reached separate settlements with Ashley Madison’s Toronto-based parent
company. Ramirez said Wednesday the investigation involved an
“unprecedented level” of international cooperation.

Ramirez said she expects the FTC to step up its cooperation with overseas
regulators as it continues to enforce data-security standards.

“Certainly the fact that these issues impact consumers worldwide means
international cooperation is becoming increasingly important,” she said.

“I see it as the beginning,” she added. “I think that’s going to be
happening increasingly going forward.”

The FTC has established itself as a top cybersecurity cop in recent years.
On Wednesday, Ramirez said she believes cybersecurity is “going to continue
to be a top priority” for the agency after President-elect Donald Trump
takes office next year.

The FTC was joined in the settlement by 13 states, along with the District
of Columbia.