[BreachExchange] Importance of Maintaining Cybersecurity Measures – Assessing the Ashley Madison Data-Breach Settlement

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 19 18:43:33 EST 2016


http://www.jdsupra.com/legalnews/importance-of-maintaining-cybersecurity-72785/

Daily headlines of data breaches, resulting class actions, governmental
investigations and enforcement actions, and the settlements of those
actions serve as constant reminders of the need to implement and maintain
reasonable cybersecurity measures. Yet another example can be found in the
recent announcement by the Federal Trade Commission, which states that the
operators of the well-known website AshleyMadison.com have agreed to settle
the charges brought against them by the FTC and over a dozen state
attorneys general arising out of the July 2015 data breach of
AshleyMadison.com’s network. Analyzing the settlement also provides
additional guidance on what regulators mean when they refer to reasonable
safeguards.

In its complaint, the FTC alleged that AshleyMadison.com’s parent company,
Ruby Corp. (f/k/a Avid Life Media, Inc.), and a pair of related entities
failed to adequately protect their approximately 36 million users’ accounts
and profile information. (The FTC also alleged various misrepresentations
that are not relevant here.) According to the FTC complaint, the defendants
collected a broad range of personal information from their customers,
including full names, addresses, dates of birth, payment card numbers,
sexual preferences and desired encounters. The defendants also collected
and maintained their customers’ communications with each other, such as
messages and chats.

In collecting this information, defendants assured customers that their
personal information was private and securely protected. Moreover, the
defendants assured customers that they could always delete their “digital
trail,” including by paying $19 for a “full delete,” which was supposed to
permanently delete the customer’s personal information and communications.

As was widely reported in the press, on July 12, 2015, the companies’
network experienced a major data breach, in which the hackers were able to
access and obtain customers’ sensitive profile, account and billing
information, including the information of many customers who had paid for
the “full deletion” service. In August, the hackers published this
information online.

The FTC complaint charged defendants with misrepresenting that they had
taken reasonable cybersecurity measures and that they would delete all of
the information of consumers who utilized their “full delete” service. The
FTC also charged defendants with engaging in unfair security practices by
failing to take reasonable steps in order to prevent unauthorized access to
personal information on their network, causing substantial consumer harm.

Indeed, according to the FTC complaint, notwithstanding their assurances of
privacy and data security, the defendants had no written organizational
information security policy; failed to implement reasonable access
controls; failed to adequately train employees; had no knowledge of whether
third-party service providers were using reasonable security measures; and
failed to use readily available security measures to monitor the
effectiveness of their system security. The FTC further alleged that,
notwithstanding their representations that personal information would be
“full[y] delete[d],” defendants continued to retain customers’ personal
information even after the customers paid $19 for the “full delete” service.

In settling the charges, defendants agreed to a judgment of $8.75 million
with the FTC, $875,000 of which was due immediately with the remainder
being suspended due to a claimed lack of financial resources. The
defendants also agreed to pay the same amounts to state regulators.

Additionally, the settlement requires the defendants to implement a
comprehensive data-security program, including third-party assessments.
Notably, the focus of the complaint and the settlement reinforces those
overarching steps that the FTC (and state regulators) consistently
emphasize as being the hallmarks of an adequate security program:

- Identifying risks: companies must assess legal requirements, existing
data retention and security measures and identify and remediate potential
internal and external risks;

- Identified safeguards: companies must create, maintain and update written
policies for protecting personal information (including administrative,
technical and physical safeguards) and for responding to a breach;

- Implementation: companies must implement these policies internally –
including by designating an employee (or employees) to be responsible for
security and by training other employees – and externally – including by
selecting third-party vendors capable of providing adequate safeguards and
requiring them, by contract, to maintain appropriate safeguards;

- Integrity: companies must ensure the efficacy of their safeguards by
periodically testing their safeguards and adjusting those safeguards to
account for changes in the size and scope of their business, as well as
changes in the law, technology and hacking techniques.

In conclusion, the AshleyMadison.com settlement may seem like just another
in a long line of cybersecurity related headlines, but when viewed through
the proper lens, it serves as another guidepost in understanding what
specific measures companies can take to defend themselves from liability
and governmental enforcement when a data breach occurs. In that vein, it
reinforces the need for all companies to invest in implementing and
updating specific written cybersecurity and data breach response policies
and ensuring that those policies are followed – not only internally but by
third-party partners, as well.