Investigative & Security Professionals for Legislative Action

AshleyMadison.com Case: U.S. FTC, Australia & Canada Receive Award

27 Sep 2017 2:12 PM | Anonymous member (Administrator)

The U.S. Federal Trade Commission, along with privacy law enforcement agencies in Australia and Canada, has received a global data protection award for its cross-border investigation of the massive AshleyMadison.com data breach in July 2015, which affected consumers in nearly 50 countries.

The FTC charged the dating website’s operators with deceiving consumers and failing to protect customer information in 36 million users’ accounts. In 2016, a court settlement required the defendants to implement a comprehensive data-security program and pay a total of $1.6 million to settle FTC and state actions.

The Grand Award for Innovation was presented on September 26 in Hong Kong by the International Conference of Data Protection and Privacy Commissioners (ICDPPC), regarded as the premier global forum for privacy authorities, representing 119 data protection entities. The three agencies also received the top award for “Dispute Resolution, Compliance and Enforcement.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner contributed to the FTC’s investigation and reached their own settlements with the company. The FTC relied on key provisions of the U.S. SAFE WEB Act that allow it to share information with foreign counterparts to combat deceptive and unfair practices that cross national borders.

In presenting the award to the FTC, the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada, ICDPPC Chair John Edwards called the agencies’ work “a model on how to achieve cross-border cooperation in privacy enforcement.” The FTC’s efforts were led by its Division of Privacy and Identity Protection and Office of International Affairs.

In December 2015, the operators of the Toronto-based AshleyMadison.com dating site agreed to settle FTC charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to a massive July 2015 data breach of their network. The site had members from over 46 countries.

The settlement required the defendants to implement a comprehensive data-security program, including third-party assessments. In addition, the operators were to pay a total of $1.6 million to settle FTC and state actions.

“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said Edith Ramirez, who was FTC Chairwoman at that time. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website,” said Vermont Attorney General William H. Sorrell. “I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live,” said Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada.

“My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework,” said Australian Privacy Commissioner Timothy Pilgrim. “Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

According to the FTC complaint, until August 2014, operators of the site lured customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members. Only users who paid to access the site could use all of its features, such as sending messages, chatting online in real time, and sending virtual gifts.

According to the FTC complaint, the defendants assured users their personal information, such as date of birth, relationship status and sexual preferences, was private and securely protected. But the FTC alleged that the security of AshleyMadison.com was lax.

According to the complaint, the defendants had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system’s security.

Intruders accessed the companies’ networks several times between November 2014 and June 2015, but due to their lax data-security practices, the defendants did not discover the intrusions, the agency has alleged.

On July 12, 2015, the companies’ network experienced a major data breach that received significant media coverage. In August of 2015, the hackers published sensitive profile, account security, and billing information for more than 36 million AshleyMadison.com users. According to the complaint, this included information that the defendants had retained on users who had paid $19 for a “Full Delete” service to purportedly remove their data from the site network.

The complaint charged the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure, that they had received a “Trusted Security Award”, and that they would delete all of the information of consumers who utilized their Full Delete service. The complaint also charged the defendants with misrepresenting that communications received by members were from actual women when in fact they were from fake engager profiles.

Finally, the FTC alleged that defendants engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.

In addition to the provisions prohibiting the alleged misrepresentations and requiring a comprehensive security program, the federal court order sought an $8.75 million judgment which would be partially suspended upon payment of $828,500 to the Commission. If the defendants are later found to have misrepresented their financial condition, the full amount will immediately become due. An additional $828,500 will be paid to the 13 states and the District of Columbia.

The FTC worked with Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont, as well as the District of Columbia, to secure a settlement against the following defendants: 1) ruby Corp, formerly known as Avid Life Media Inc.; 2) ruby Life Inc., also doing business as AshleyMadison.com, and formerly known as Avid Dating Life Inc.; and 3) ADL Media Inc.

Let’s see how the FTC and other U.S. and state regulators handle the recent Equifax data breach.

Bruce H. Hulme, CFE, BAI

ISPLA director of Government Affairs

www.ISPLA.org

Resource to Investigative & Security Professionals
