The FTC announced today that it has reached a settlement with the operators of Ashley Madison for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  FTC Chairwoman Edith Ramirez referred to the case as “one of the largest data breaches that the FTC has investigated to date.”

According to the FTC’s complaint, despite Ashley Madison’s representations that it was “100% secure” and “risk free,” the website failed to implement reasonable data security practices.  Specifically, the FTC cited several data security failures, including the lack of a written information security policy, reasonable access controls, employee data security training, or oversight over third-party service providers, and a failure to use “readily available security measures” to monitor its systems.  The complaint also alleged that Ashley Madison staff deceptively created fake profiles as a way to attract users, with no way for users to tell real profiles from fake ones.

The FTC’s investigation was coordinated with several state and foreign investigations in Australia and Canada.  (Ashley Madison is based in Canada, and in August 2016 the Canadian Privacy Commissioner released a report on the case, expressing concern that Ashley Madison had a “lack of a comprehensive privacy and security framework.”)  Today’s settlement, which also applies to investigations by 13 states and the District of Columbia, includes total payments of $1.6 million to the FTC and the states.  Per the terms of the settlement, which lasts for 20 years, Ashley Madison is prohibited from misrepresenting the extent of its data security program or its user base and must implement a written information security program with specific requirements and biennial third-party audits.  Ashley Madison also is subject to annual compliance reporting requirements to the FTC.