The Federal Trade Commission announced it settled with AshleyMadison.com over the 2015 data breach, which exposed the personal data of about 36 million users in 46 countries, including account security and billing information.
The settlement requires Ashley Madison to implement a comprehensive data-security program, including third-party assessments, and to pay $1.6 million to settle FTC and state actions, according to an FTC statement.
The FTC’s complaint alleges the company engaged in practices that both misled consumers and failed to provide reasonable data security. The agency said Ashley Madison lured thousands of users with false promises, fake profiles and assurances that their data would be "100% secure and anonymous."
The FTC’s five-count complaint alleges both deception and unfairness.
Over the past decade the FTC has established itself as the government’s chief cybersecurity enforcer. But several entities have challenged the FTC’s authority to police cybersecurity shortcomings.
The Ashley Madison case goes beyond the typical data breach cases the FTC has brought against companies like LabMD and LifeLock because Ashley Madison also made multiple false promises and misrepresentations.
"So, what’s the lesson learned from the Ashley Madison case? Businesses must keep their promises. And if you collect sensitive personal information, you must protect it," according to the FTC’s statement about the case.