Ashley Madison and the FTC announced a settlement of the investigation into the data breach of 36 million AshleyMadison.com users that was being pursued by the FTC and several states’ attorneys general. The cost to Ashley Madison is substantial:
- a total judgment of $17.5 million (though only $1.6 million is currently due; the remainder is suspended because of the company’s inability to pay),
- required corrective measures, including implementing a comprehensive cybersecurity program, and
- required cybersecurity assessments by a “qualified, objective, independent third-party professional” every two years.
Business and security leaders would be well advised to pay close attention to the specific shortcomings that the FTC found with Ashley Madison’s cybersecurity practices:
- no written information security policy,
- no reasonable access controls,
- inadequate security training of employees,
- no knowledge of whether third-party service providers were using reasonable security measures, and
- no measures to monitor the effectiveness of their system security.
After looking at the foregoing list, ask yourself this question: “Does my company have any of these same problems?” If your answer is “Yes,” “Maybe,” or “I don’t know,” then, should it have a data breach, your company could easily find itself in the same position as Ashley Madison: being pursued by the FTC.
The FTC also listed the following conduct by Ashley Madison as giving rise to the investigation. The defendants:
- misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure,
- misrepresented that they had received a “Trusted Security Award”,
- misrepresented that they would delete all of the information of consumers who used their Full Delete service, and
- engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.
Here is the full FTC announcement of the settlement.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.