A hefty judgement against Ashley Madison, the dating site for adulterers, is just the tip of the iceberg when it comes to penalties the company must pay as a result of the theft and public posting of its customers' data when the company was hacked last year.
Ruby Corp., the parent company of Ashley Madison agreed to pay $8.75 million fine to the Federal Trade Commission and another $8.75 million to 13 states that also filed complaints. It will wind up paying just $1.6 million because it is strapped for assets.
Beyond that, Ruby Corp. has agreed to 20 years' worth of the Federal Trade Commission overseeing its network security, adding another layer of complexity and scrutiny to the already demanding task of securing customer data held by online sites.
The case is a cautionary tale for online vendors who don’t take appropriate steps to secure the personal information of their customers. Failure to do so can be costly and long-lasting in addition to being damaging to the reputation of the affected company.
"All companies have a responsibility to protect the privacy and personal information of consumers," says New York State Attorney General Eric T. Schneiderman in a statement about the settlement.“This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated."
While the company doesn’t admit or deny any wrongdoing, it will pay the cash and follow prescribed actions to establish and maintain a secure network that protects its customers’ data, and to have that action verified periodically by third-party security auditors.
Information about 36 million Ashley Madison customers was stolen and the FTC says Ashley Madison failed in some cases to delete customer data from its system despite charging a fee for doing so, the FTC complaint says.
The complaint says the company engaged in deceptive practices by promising its site and transactions were secure and that it made up a “trusted security award” it claimed had been awarded to the site.
Ashley Madison agreed to a federal court order that requires it to:
- Install a director if IS
- Perform a risk assessment to protect customer data
- Upgrade systems based on the assessments
- Offer periodic assessment of controls put in place to safeguard against the risks
- Conduct biennial third-party review of the security by a CISSP, CISA, holder of GIAC from SANS Institute or someone else who is deemed qualified by the FTC for 20 years
- Require similar safeguards from their service providers
A separate segment of the order prohibits the company from misrepresenting how secure its sites are and how well it maintains customer privacy. It is also prohibited from making false claims about any security programs it participates in and any awards it receives.
Sign up for CIO Asia eNewsletters.