The Vermont attorney general joined the Federal Trade Commission chairwoman this afternoon to announce a settlement with the operators of Toronto-based dating site AshleyMadison.com after the company deceived consumers and failed to protect account information before a July 2015 data breach.
The data breach of the international dating site Ashley Madison involved more than 36 million users with members from over 46 countries.
The Federal Trade Commission worked with authorities from Canada and Australia along with the attorneys general from 13 states during the investigation. FTC Chairwoman Edith Ramirez noted that while financial data such as credit cards or bank accounts are attractive targets, sensitive personal information is often hacked. “The harm resulting from the misuse of this kind of information can be very significant. The Ashley Madison data breach is one of the largest that the FTC has ever addressed and the information that was compromised included people’s names, their sexual preferences, email addresses and security questions and answers.”
Following the July 2015 data breach, an investigation into the practices of ruby Corp, the company that owns Ashley Madison, began. Ramirez says the FTC alleged that ruby Corp and its subsidiaries engaged in deceptive and unfair acts or practices. “We challenged the company’s failure to maintain reasonable steps to ensure that AshleyMadison.com was secure, the practice of generating profiles of fake women to lure customers into paid memberships and the failure to delete customer profiles after promising consumers they would delete their profiles and charging them $19 to do so. The failure to fulfill this promise proved particularly consequential in the July 2015 breach.”
Canada and Australia aided in the probe. Canadian Office of Privacy Commissioner Daniel Therrien said the incident involved a Canadian company with obligations under Canadian law to respect privacy rights, but the scale of the breach had global implications. “In the digital age privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders. Our collective action also sends a strong message to all companies, not only the operators of Ashley Madison, that safeguarding personal information is important and that deceptive actions will not be tolerated.”
The FTC and 13 states have reached a settlement agreement requiring the defendants implement a comprehensive data security program and pay a $1.6 million fine. Attorney General Bill Sorrell says Vermont was the lead state in the investigation due to its strong consumer protection laws. “Vermont’s penalties tend to be higher than many other states under our Consumer Protection Act. And in the data privacy arena Vermont clearly has one of the more aggressive statutes of the states that have consumer privacy laws in terms of protecting consumers’ data.”
Vermont will receive about $116,000 from the settlement and the incoming administration and legislature will determine how it will be spent. Vermont’s attorney general estimates about 16,000 Vermonters were members of Ashley Madison.com during the time of the data breach.