By Aaron Wais
Daily headlines of data breaches, resulting class actions, governmental investigations and enforcement actions, and the settlements of those actions serve as constant reminders of the need to implement and maintain reasonable cybersecurity measures. Yet another example can be found in the recent announcement by the Federal Trade Commission, which states that the operators of Ashley Madison have agreed to settle the charges brought against them by the FTC and over a dozen state attorneys general arising out of the July 2015 data breach of Ashley Madison’s network. Analyzing the settlement also provides additional guidance on what regulators mean when they refer to reasonable safeguards.
In its complaint, the FTC alleged that Ashley Madison’s parent company, Ruby Corp. (f/k/a Avid Life Media, Inc.), and a pair of related entities failed to adequately protect their approximately 36 million users’ accounts and profile information. (The FTC also alleged various misrepresentations that are not relevant here.) According to the FTC complaint, the defendants collected a broad range of personal information from their customers, including full names, addresses, dates of birth, payment card numbers, sexual preferences and desired encounters. The defendants also collected and maintained their customers’ communications with each other, such as messages and chats.
In collecting this information, defendants assured customers that their personal information was private and securely protected. Moreover, the defendants assured customers that they could always delete their “digital trail,” including by paying $19 for a “full delete,” which was supposed to permanently delete the customer’s personal information and communications.
As was widely reported in the press, on July 12, 2015, the companies’ network experienced a major data breach, in which the hackers were able to access and obtain customers’ sensitive profile, account and billing information, including the information of many customers who had paid for the “full deletion” service. In August, the hackers published this information online.
The FTC complaint charged defendants with misrepresenting that they had taken reasonable cybersecurity measures and that they would delete all of the information of consumers who utilized their “full delete” service. The FTC also charged defendants with engaging in unfair security practices by failing to take reasonable steps in order to prevent unauthorized access to personal information on their network, causing substantial consumer harm.
Indeed, according to the FTC complaint, notwithstanding their assurances of privacy and data security, the defendants had no written organizational information security policy; failed to implement reasonable access controls; failed to adequately train employees; had no knowledge of whether third-party service providers were using reasonable security measures; and failed to use readily available security measures to monitor the effectiveness of their system security. The FTC further alleged that, notwithstanding their representations that personal information would be “full[y] delete[d],” defendants continued to retain customers’ personal information even after the customers paid $19 for the “full delete” service.
In settling the charges, defendants agreed to a judgment of $8.75 million with the FTC, $875,000 of which was due immediately with the remainder being suspended due to a claimed lack of financial resources. The defendants also agreed to pay the same amounts to state regulators.
Additionally, the settlement requires the defendants to implement a comprehensive data-security program, including third-party assessments. Notably, the focus of the complaint and the settlement reinforces those overarching steps that the FTC (and state regulators) consistently emphasize as the hallmarks of an adequate security program:
- Identifying risks: companies must assess legal requirements, existing data retention and security measures and identify and remediate potential internal and external risks;
- Identified safeguards: companies must create, maintain and update written policies for protecting personal information (including administrative, technical and physical safeguards) and for responding to a breach;
- Implementation: companies must implement these policies internally – including by designating an employee (or employees) to be responsible for security and by training other employees – and externally – including by selecting third-party vendors capable of providing adequate safeguards and requiring them, by contract, to maintain appropriate safeguards;
- Integrity: companies must ensure the efficacy of their safeguards by periodically testing their safeguards and adjusting those safeguards to account for changes in the size and scope of their business, as well as changes in the law, technology and hacking techniques.
In conclusion, the Ashley Madison settlement may seem like just another in a long line of cybersecurity-related headlines, but when viewed through the proper lens, it serves as another guidepost in understanding what specific measures companies can take to defend themselves from liability and governmental enforcement when a data breach occurs. In that vein, it reinforces the need for all companies to invest in implementing and updating specific written cybersecurity and data breach response policies and ensuring that those policies are followed – not only internally but by third-party partners as well.