On December 14, the FTC, along with a coalition of 13 states and the District of Columbia, entered into a settlement agreement with Ashley Madison over allegations that the online dating site deceived consumers and failed to protect 36 million users’ account and profile information in relation to a massive July 2015 data breach.  The settlement requires the defendants to implement a comprehensive data security program, including third-party assessments.  In addition, Ashley Madison will pay a total of $17.5 million (about $15.8 million of which is suspended) to the FTC and state AGs as part of the agreement.

Ashley Madison, whose slogan was “Life is Short. Have an Affair,” is a website that catered to individuals wishing to have secret, romantic affairs without their spouses’ or partners’ knowledge.  In July 2015, hackers gained access to the Ashley Madison website and posted online information pertaining to millions of Ashley Madison members, including photographs, user names, email addresses, and other profile information.  The FTC/attorney general probe uncovered lax data security practices at the company, including a failure to maintain information security policies or to use multi-factor authentication to secure remote access, according to the statement.

The settlement is noteworthy in several ways.  First, according to the complaint, the defendants had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.  The website also misrepresented the quality of its security controls to users, and sold a “full delete” option which it did not carry out in all instances.  This misrepresentation (considered “deception” under Section 5 of the FTC Act) and Ashley Madison’s lack of proper controls and information security policy likely compounded the penalty assessed.

Second, the FTC and state AGs uncovered during their investigation of Ashley Madison that the website used “fembots” to impersonate real humans on the site.  The FTC and AGs alleged that these “fembots” unlawfully tricked users into signing up for paid memberships, thinking that they were interacting with actual women.  Vermont Attorney General William H. Sorrell, who took the lead among the attorneys general, said “[C]reating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website.”  Dating websites and similar social media platforms should take notice that “bots” designed to lure customers into paying for services (i.e., deception) will not be tolerated by federal and state regulators.

Third, Ashley Madison will only pay about $1.7 million as part of the settlement in light of Ashley Madison’s financial condition.  Half of the amount will go to the FTC, and half will be divided among the states represented in the investigation.  The remainder of the $17.5 million settlement will be suspended.  According to the settlement, if it is later discovered that Ashley Madison has misrepresented its financial condition, the full amount will immediately become due.

Additionally, the settlement agreement with the FTC stipulates that the $828,500 to be paid to the FTC will be used for “equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund.”  Any money left over would go either to “other equitable relief” (including consumer information and education related to the cyber security and privacy practices) or into the U.S. Treasury’s coffers as “disgorgement.”

Finally, the states involved in the settlement appear to be the states typically associated with an FTC/state AG settlement.  In addition to the District of Columbia, the settlement included Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont.  As we noted here, here, and here, state attorneys general have been active in investigating data breaches and in promoting effective cyber security standards.  The recent settlement with Ashley Madison demonstrates the states’ continued interest in investigating data breaches.

Notably, however, Connecticut, Massachusetts, Texas, and Illinois were not party to the settlement agreement.  As we previously noted here, here, and here, the state attorneys general of those four states are widely considered leaders in the cyber security and privacy space.  Therefore, it is unclear whether we can expect further orders related to the Ashley Madison data breach.