Life's Not That Short. Protect Consumer Data.

Takeaways From The FTC's AshleyMadison Settlement

The Federal Trade Commission (FTC) has announced a settlement with the operators of AshleyMadison.com,[1] ("the website") resolving FTC and state charges of consumer deception and failure to safeguard users' account and profile information. The agency brought its action under Section 13(b) of the FTC Act,[2] seeking a permanent injunction, restitution, refund of monies paid, disgorgement, and other equitable relief for defendants' acts or practices in connection with the marketing and sale of online dating services.[3] The settlement – which took the form of a Stipulated Order – requires the defendants to implement a comprehensive data security program, including third-party assessments, and pay a total of $1.6 million to the federal government, various states, and the District of Columbia.[4] Federal District Court Judge Reggie B. Walton (D. D.C.) signed the Stipulated Order on December 18, 2016.

The Canada-based dating website made headlines in the summer of 2015, when a massive data breach resulted in hackers publishing 9.7 gigabytes of information online pertaining to more than 36 million consumers who were AshleyMadison members. The published data included such personally identifying information (PII) as full names and billing information of paying customers, usernames and email addresses of non-paying customers, and other profile/account information. In a cross-border investigation, the FTC worked with a coalition of 13 states[5] and the District of Columbia, as well as the Privacy Commissioner of Canada and the Australian Information Commissioner. Commenting on the settlement, Canadian Commissioner Daniel Therrien noted: "In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live."

The AshleyMadison breach and its resolution offer important insight into consumer protection, including that within the sphere of legitimate business activities, data security and privacy are for everyone.

What Happened at AshleyMadison.com?

According to the FTC's complaint:

The defendants operate a number of dating websites, including this website, targeted to individuals who are interested in having an affair with other consenting adults. AshleyMadison is the defendants' most profitable website, earning approximately $47.4 million in U.S. revenue in 2015 alone. Most of the site’s members reside in the United States - since the site's inception in 2002, almost 19 million U.S. residents had created a profile with the website.

Potential members visited the website and established a profile by entering their email address and other personal information. The activities in which members could then engage were tiered: some activities were free, others required a one-time monetary payment for access, and still others required a monthly paid subscription. More than 1.4 million U.S. customers paid for services from 2002 through 2015.

To provide the services through the website, the defendants collected, maintained, and transmitted myriad personal information including full name, username, gender, address (including ZIP code), relationship status, date of birth, ethnicity, height, weight, email address, sexual preference and desired encounters, desired activities, photographs, payment card numbers, hashed passwords, answers to security questions, and travel locations and dates. The defendants also collected and maintained members' communications with each other through the site.

Alleged Consumer Deception

Engager Profiles

Until August 2014, defendants used engager profiles to engage non-paying members (e.g., members without any credits in their accounts) or to attract potential members to the website. Engager profiles consisted of fake profiles created by defendants’ employees using profile information (including photographs) from existing members who had not had account activity for an extended period of time. The defendants used the engager profiles (a/k/a "bots") to communicate with non-paying/potential members in the same manner in which active members would communicate with each other. Accordingly, communications generated by engager profiles were generally indistinguishable from those generated by actual members. In many instances, non-paying members were induced to upgrade to a full membership in order to continue communicating with the fake profiles.

Account Deletion

When members signed up for the website, the defendants explained that their system is private and secure because consumers can delete their "digital trail" from the site.

If consumers wanted to delete their website profile, they could click a "Delete Profile" link that was provided in their profile settings. The profile deletion mechanism offered two options: "Basic Deactivation" and "Full Delete." The Basic Deactivation option allowed consumers to remove their profile from search results, but profile information and messages were still accessible to members with whom the consumer had communicated. Basic Deactivation was offered as a free and reversible option, should the consumer decide to return to the website and reactivate their profile. The defendants marketed the Full Delete option as a way to completely remove a profile from the website:

Until July 2015, the defendants charged $19 for the Full Delete option.

After consumers purchased the Full Delete option, the defendants notified them for the first time that "[s]ome information will be retained for 6-12 months due to legal and financial reasons after which it will be removed as well." In many instances, defendants removed consumer profiles from the website within 48 hours, but retained personal information for up to 12 months. In other instances, the defendants failed to remove consumer profiles from their internal systems. From December 2012 until December 2015, a number of U.S. consumers (125,714) paid a total of $2,388,566 for the Full Delete option.

Data Security and Privacy

Until at least October 2015, the defendants represented that the website was secure. The defendants prominently displayed icons including "Trusted Security Award," "SSL Secure Site," and "100% Discreet Service:"

Defendants advertised the site as "secure," "anonymous," and "risk free." The defendants' executives also stated the website was "100% secure," "risk free," and "completely anonymous." The website's Privacy Policy states in pertinent part: "We treat data as an asset that must be protected against loss and unauthorized access. To safeguard confidentiality and security of your PII, we use industry standard practices and technologies, including but not limited to 'firewalls,' encrypted transmission via SSL … and strong data encryption of sensitive personal and/or financial information when it is stored to disk."

The FTC alleged in its complaint that defendants engaged in practices that, when taken together, "failed to provide reasonable security to prevent unauthorized access to personal information on their network," including:
  • Failure to implement a written organizational information security policy;
  • Failure to implement reasonable access controls, including:
    • Failure to regularly monitor unsuccessful login attempts;
    • Failure to secure remote access;
    • Failure to revoke passwords for terminated employees of their service providers;
    • Failure to restrict system access based on employees' job functions;
    • Failure to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on the defendants' network;
    • Allowing employees to reuse passwords to access multiple servers and services;
  • Failure to adequately train workforce members to perform their data security duties and responsibilities;
  • Failure to ascertain that third-party service providers implemented reasonable security measures to protect personally identifying information; and
  • Failure to use "readily available" security measures to monitor their system and assets at discrete intervals to identify data security events and verify that protective measures were effective.

The FTC also alleged that defendants never received a "Trusted Security Award" from any organization.

The Data Breach

Defendants’ employees could access the defendants’ corporate network using their own unique password together with a second, shared password common to all legitimate users. As a result of the alleged failures described above, neither password was adequately secure. For example, individual passwords and encryption keys were stored on the network as plain text in emails and text files, and a text file containing the shared password for the defendants' virtual private network (VPN) was available on the defendants' Google Drive account.

Intruders were able to access these passwords and log on to the defendants' networks in 2014 and 2015, including defendants' VPN (allowing remote access to the corporate network), and the network of one of the defendants' payment processors. Because the defendants did not regularly monitor their system logs, they were not aware that unauthorized individuals had access to employee and service provider credentials, and did not learn of these unauthorized logins until after the data breach.
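The monitoring gap described above (unsuccessful logins never reviewed, one shared VPN password used by everyone) is one a defender can close with a small amount of log analysis. The following is an added example, not code from the FTC filings or the defendants' systems; it runs two checks over a constructed VPN authentication log whose line format is assumed: bursts of failed logins against one account, and one account authenticating from many source addresses within a short window, which is the footprint a shared or stolen credential leaves.

```python
"""Two detections for the access-control failures alleged in the complaint.
Added example with constructed data; log format and field names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real data).
# Assumed format: "<ISO timestamp> <OK|FAIL> user=<account> src=<address>"
SAMPLE_LOG = """\
2015-06-01T08:00:01 FAIL user=alice src=203.0.113.7
2015-06-01T08:00:03 FAIL user=alice src=203.0.113.7
2015-06-01T08:00:05 FAIL user=alice src=203.0.113.7
2015-06-01T08:00:08 FAIL user=alice src=203.0.113.7
2015-06-01T08:00:10 FAIL user=alice src=203.0.113.7
2015-06-01T08:00:12 OK user=alice src=203.0.113.7
2015-06-01T09:15:00 OK user=bob src=198.51.100.4
2015-06-01T09:20:00 FAIL user=bob src=198.51.100.4
2015-06-01T09:30:00 OK user=vpn-shared src=198.51.100.4
2015-06-01T09:42:00 OK user=vpn-shared src=192.0.2.50
2015-06-01T09:55:00 OK user=vpn-shared src=203.0.113.9
2015-06-01T10:10:00 OK user=vpn-shared src=192.0.2.77
2015-06-01T23:00:00 OK user=carol src=192.0.2.10
2015-06-02T07:00:00 OK user=carol src=198.51.100.20
"""


def parse_log(text):
    """Turn the log text into a list of event dicts (ts, ok, user, src)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_field, src_field = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_field.split("=", 1)[1],
            "src": src_field.split("=", 1)[1],
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failures inside any `window`.
    Returns {user: largest number of failures seen in one window}."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def shared_credential_sources(events, max_sources=2, window=timedelta(hours=1)):
    """Accounts whose successful logins came from more than `max_sources`
    distinct addresses inside any `window`: one credential, many hands.
    Returns {user: largest number of distinct sources seen in one window}."""
    logins = defaultdict(list)
    for e in events:
        if e["ok"]:
            logins[e["user"]].append((e["ts"], e["src"]))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        best = 0
        for i, (t0, _) in enumerate(entries):
            sources = {src for t, src in entries[i:] if t - t0 <= window}
            best = max(best, len(sources))
        if best > max_sources:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evts))
    print("shared-credential accounts:", shared_credential_sources(evts))
```

Both checks are cheap enough to run on a schedule against an exported authentication log, which is the "discrete intervals" review the complaint says was missing.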

On July 12, 2015, workforce members detected a large data transfer from one database to another. The next day, a notice appeared on two of the defendants' customer service computers stating that the company had been hacked, and warned that if the website were not immediately and permanently shut down, the hackers would release all customer records, as well as employee documents and email.[6]

On August 18 and 20, 2015, a group calling itself "The Impact Team" published 9.7 gigabytes of personally identifying and sensitive information pertaining to the website's members (as well as members of another of defendants' dating sites) on the "Dark Web," not readily accessible to the average Internet user. However, enterprising individuals with technical savvy accessed the data and posted it, in searchable format, on the open web.

As the FTC alleged in its complaint, the defendants' failure to provide "reasonable security" for the information they collected, transmitted, and stored – including sexual preferences and desired encounters, desired activities, email addresses, security questions and answers, real names, billing addresses, and credit card numbers – has subjected and will continue to subject consumers to extortion, fraud, disclosure of sensitive personal information, and other harm. The subsequent searchable databases exacerbated these harms.[7]

Nature of the FTC's Complaint

The FTC brought its complaint under Section 5(a) of the FTC Act,[8] prohibiting "unfair or deceptive acts or practices in or affecting commerce." An act or practice is "unfair" where it causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided, and is not outweighed by benefits to consumers or competition.[9] Misrepresentations or deceptive omissions of material fact are deceptive practices under the FTC Act.

The FTC alleged that defendants engaged in deceptive practices by misrepresenting several material aspects of the website:

  • Misrepresentations regarding network security;
  • Misrepresentations regarding user profiles (i.e., the "engager profiles");
  • Misrepresentations regarding the terms and conditions of deleting user profiles; and
  • Misrepresentations regarding the data security seal (i.e., the "Trusted Security Award" icon).

The FTC also alleged that defendants engaged in unfair security practices regarding the website by failing to take reasonable steps to prevent unauthorized access to personal information on the network.

The FTC claimed that as a result of these unfair and deceptive trade practices, defendants were unjustly enriched and consumers suffered (or were likely to suffer) substantial injury. Without injunctive relief, the defendants were likely to "continue to injure consumers, reap unjust enrichment, and harm the public interest."[10]

The Settlement

The FTC and defendants signed a Stipulated Order for Permanent Injunction and Other Equitable Relief on or about November 10, 2016. The Order was executed simultaneously with similar judgments in Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The Order contains three primary provisions: a prohibition against further misrepresentations, a mandated data security program, and a mandated third party data security assessment.

Prohibition Against Misrepresentations

Defendants are permanently enjoined from expressly or impliedly misrepresenting:

  • The extent to which they collect, use, or maintain personal information, or protect the privacy, confidentiality, security, or integrity of personal information (including the extent to which consumers may exercise control over collection, use, and disclosure);
  • The extent to which they use or deploy engager profiles;
  • Whether the defendants created the profiles appearing on the website or mobile application;
  • The actual number of site users;
  • Terms and conditions for deleting user accounts or profiles;
  • The extent to which they receive third-party awards or seals; and
  • The extent to which they are members of, adhere to, comply with, are certified or endorsed by, or otherwise participate in any third-party data privacy or security program.

Mandated Security Program

Defendants are ordered to establish, implement, and maintain a reasonable "comprehensive information security program" to safeguard the security, confidentiality, and integrity of personal information collected from or about U.S. consumers. The program must be documented in writing and contain administrative, technical, and physical safeguards appropriate to the defendants' size and complexity, the nature and scope of their activities, and the sensitivity of the personal information collected. At a minimum, the defendants must:

  • Designate an employee or employees to coordinate and be responsible for the information security program;
  • Perform a risk assessment by identifying internal and external risks to the security, confidentiality, and integrity of personal information that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise; and assessing the sufficiency of security measures in place to control these risks. The risk assessment must consider "each area of relevant operation," including (1) employee training and management; (2) information systems (network and software design; information processing, storage, transmission, and disposal); and (3) prevention, detection, and response to attacks, intrusions, or other system failures;
  • Implement a risk management plan by designing and implementing reasonable and appropriate safeguards to control the identified risks, and by regularly testing or monitoring their effectiveness;
  • Develop reasonable steps to select and retain service providers capable of appropriately safeguarding personal information received from the defendants, and contractually requiring service providers to implement and maintain appropriate safeguards; and
  • Evaluate and adjust to reflect the results of testing and monitoring, any material changes to the defendants' operations or business arrangements, or "any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the information security program."

Third-Party Data Security Assessments

The defendants must obtain initial and biennial assessments (continuing for 20 years) of their mandated security program. The assessments must:

  • Be performed by a "qualified, objective, independent third party professional, who uses procedures and standards generally accepted by the profession." The assessor must be an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, or FTC;
  • Describe the specific administrative, technical, and physical safeguards that the defendants have implemented and maintained during the reporting period;
  • Explain how the safeguards are appropriate to the defendants’ size and complexity, the nature and scope of their activities, and the sensitivity of the personal information collected from or about consumers;
  • Explain how the safeguards meet or exceed the protections required by the mandated security program; and
  • Certify that the security program has operated to reasonably protect the security, confidentiality, and integrity of personal information.

Defendants must share these assessments with the FTC.

AshleyMadison: (Data Security and Privacy) Takeaways

Despite the controversial nature of AshleyMadison's offerings, the breach and its aftermath followed a pattern typical of breaches (and aftermaths) across service sectors.[11] As such, the FTC settlement is surprisingly plain-vanilla, largely indistinguishable from breach-related settlements with financial, health care, and consumer entities. In many respects, then, the takeaways from the AshleyMadison breach are unremarkable. As the settlement makes clear, all companies that maintain PII should: 

  • Implement reasonable physical, technical, and administrative safeguards – appropriate to the company's size, resources, and type and volume of information maintained – to protect the confidentiality, integrity, and availability of PII.
  • Perform a risk assessment to identify risks and vulnerabilities to PII.
  • Implement a risk management plan to manage identified risks and vulnerabilities to a reasonable and appropriate level.
  • Revisit the risk analysis and risk management plan when changes in technology or the company's interior and exterior environment may impact the confidentiality, integrity, or availability of PII.
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Identify the workforce member or members responsible for information security.
  • Implement role-based access to PII, and modify or terminate access as appropriate when employees leave the company or are reassigned.
  • Implement written security management policies and procedures, train workforce members on them, and apply appropriate sanctions for violations.

However, because AshleyMadison’s services are so controversial, the plain-vanilla nature of the FTC’s settlement makes an important and perhaps unexpected point. In the realm of what's legal (and for whatever personal feelings the site may stir, its services are not illegal), data privacy and security are blind to moral outcry. The hackers themselves would not have had it so; rather, they operated on the assumption that data security and privacy are not for everyone. In this case, the group the hackers selected for exclusion from privacy protections was polarizing – consumers who sought extramarital affairs online. Extrapolated, however, the excluded groups could encompass anyone whose personal standards deviate from those of a person with access or technical know-how sufficient to exert leverage. This cannot be. If the FTC had engaged in less-than-rigorous enforcement against an entity offering an ethically divisive but legal product, it would have sent the message that privacy protection stems not from consumer status, but from the nature of the commodity consumed ("And then they came for me ….").

A second takeaway is perhaps less surprising given the recent prevalence of medical identity theft in health care: entities that create, maintain, or transmit PII should anticipate that consumers will suffer more than financial harm if their PII is compromised. "Sensitive" PII clearly extends beyond the standard package of name, date of birth, Social Security number, and financial account number that can enable financial identity theft. In the vast and varied Internet marketplace, consumers may also share such data points as physical and mental health status, sexual preference, gender identity, and even sexual proclivities – and when they do so to purchase services of a legal nature, the purveyors will be expected to reasonably safeguard that information, not deceive or mislead, and make good on their promises of protection.

Takeaway three highlights the importance of a concept foundational to the FTC's recommendations for consumer protection: privacy by design. The central tenet of privacy by design is that companies should promote consumer privacy throughout their organizations, and at every stage of developing their products and services.[12] To implement privacy by design, companies should incorporate substantive privacy protections into all areas of their practices, including data security, reasonable collection limits, sound retention and disposal, and data accuracy. Companies should also maintain comprehensive data management procedures throughout the product or service lifecycle. It is easy to see how building privacy into all areas of the defendants' business practices – particularly data security, retention and disposal, and collection limits – might have prevented, or at least mitigated, the impact of the data breach.

Accordingly, companies should incorporate and maintain data security and privacy protections into their practices at each applicable level – including implementing reasonable collection limits and sound retention and disposal practices, as well as ensuring data integrity and confidentiality.

For more information on data security, contact Kim Metzger or another member of Ice Miller's Data Security and Privacy group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 


[1] Defendants included ruby Corp., f/k/a Avid Life Media Inc. (a holding company for a number of entities that operate dating websites, including the other two defendants); ruby Life, Inc., d/b/a AshleyMadison.com, f/k/a Avid Dating Life Inc. (owner and operator of the AshleyMadison.com website); and ADL Media Inc. (collector of AshleyMadison.com's U.S. revenue from various payment processors).
[2] 15 U.S.C. 53(b)
[3] Federal Trade Commission v. Ruby Corp. et al., No. 1:16-cv-02438-RBW (D. D.C.).
[4] The FTC Order imposes an $8.75 million judgment which will be partially suspended (based on the defendants' financial position) upon payment of $828,500 to the Commission. If the defendants are later found to have misrepresented their financial condition, the full amount will immediately become due. An additional $828,500 will be paid to the 13 states in fn. 4, infra, and the District of Columbia.
[5] Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont.
[6] The graphic below does not appear in the FTC Complaint. Rather, it is taken from a civil lawsuit filed in the District Court for the Northern District of Texas (Doe et al. v. Avid Life Media, Inc., Case 3:15-cv-02750-N ("Doe Lawsuit"), since transferred to MDL 2666 (discussed in fn. 7, infra)).
[7] The Doe Lawsuit (fn. 4, infra) alleges that Avid Life Media, Inc. may have been on notice of the potential for security breaches:

28. …. Upon information and belief, in an internal company file called 'Areas of concern – customer data.docx,' an unnamed employee at the company lists technical issues that could lead to a data breach occurring, as well as the legal problems that may come with that. Under a section called 'Data leak/threft issues [sic],' the author lists customer data being exposed by phishing or SQL injection as a possible problem, when malicious requests are punched into an entry field, typically in order to dump the site database. Another employee worried about remote code execution—when an attacker can run code on a victim's computer over the internet—and yet another employee pointed to employees being infected with malware, 'allowing hackers access to our user data.'

(Doe Complaint ¶ 28). The Doe Complaint does not provide a time frame for this alleged file, or the two other employees' alleged concerns.
[8] 15 U.S.C. § 45
[9] 15 U.S.C. § 45(n)
[10] A number of civil lawsuits have also been filed related to the breach. Multidistrict litigation is proceeding in the District Court for the Eastern District of Missouri (In re Ashley Madison [sic] Customer Data Security Breach Litigation, MDL No. 2669, 4:15-md-02669-JAR) and as of December 15, 2016 contained 18 active cases (23 historical). The 81-page First Amended Consolidated Class Action Complaint, filed June 24, 2016 in the real names of 18 representative plaintiffs, alleges Violation of the Racketeer Influenced and Corrupt Organization Act (RICO), 18 USC § 1962 (Count I); Violation of the Federal Stored Communications Act, 18 USC § 2702 (Count II); Negligence and Negligence Per Se (Count III); Breach of Implied Contract – Data Breach (Count IV); Breach of Contract – Paid Delete (Count V); Unjust Enrichment (Count VI); Negligent Misrepresentation (Count VII); Violation of Consumer Fraud and Protection Acts (Count VIII); Violation of the California Consumer Records Act (Count IX); and Violation of State Data Breach Notification Statutes (Count X). Plaintiffs allege they provided their personal information "in reliance on Defendants' promise of absolute discretion …." (e.g., ¶¶ 22, 25). Defendants have filed a motion to stay the case and compel arbitration, which is fully briefed and scheduled for oral argument on February 17, 2017.
[11] The not-so-atypical AshleyMadison path: the company's security management process failed in material respects; opportunistic third parties exploited the resulting risks and vulnerabilities to PII; the confidentiality, integrity, and/or accessibility of PII maintained by the company was compromised; consumers were left vulnerable to recognized and compensable harms; the government investigated and inventoried the company's security management flaws; and the company agreed to implement a corrective action plan, submit to monitoring, and pay a fine.
[12] See FTC's 2012 report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.
