The Ashley Madison data breach had its enforcement postscript this month, with the dating website’s parent company agreeing to settle with privacy authorities by paying $US1.6 million.

The settlement follows a joint investigation by the Australian and Canadian Privacy Commissioners, and enforcement action by the US Federal Trade Commission and US state authorities, into the Canada-based company’s massive July 2015 data breach.

Ashley Madison’s parent company has agreed to settle FTC charges and charges brought by American state authorities that they deceived consumers and failed to protect 36 million users’ account and profile information. The information, which included that of members from 46 countries, was stolen in a massive July 2015 data breach.

As well as the $US1.6 million settlement, the deal also requires Ashley Madison’s operators – formerly Avid Life Media, since rebranded as Ruby Corp - to implement a comprehensive data-security program. An FTC media release with details of the settlement can be found here.

Australian and Canadian investigation

It comes after the Australian and Canadian Privacy Commissioners released joint findings earlier this year which were highly critical of the dating website’s privacy and security practices around personal information. It is the first time the Australian, Canadian and American privacy authorities have worked together to enforce privacy protections and they used the APEC cross-border enforcement framework to do so.

Both Australian and Canadian offices provided assistance to the FTC investigation and reached their own settlements with the company. To cooperate with its Canadian and Australian partners, the FTC relied on key provisions in the US Safe Web Act which allows it to share information with foreign counterparts to fight deceptive and unfair practices across national borders

In order to secure the settlement, the US investigation was also domestically complex. The FTC worked with a coalition of 13 states -­ Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont and the District of Columbia.

Fake profiles and bad protection

The case against Ashley Madison’s owners included claims the website’s operators lured customers with fake profiles of women designed to convert them into paid members. The company had assured users their personal information such as date of birth, relationship status and sexual preferences was private and securely protected, but the case showed this was demonstrably false.

The Australian Privacy Commissioner Timothy Pilgrim says cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.

Canada’s Privacy Commissioner Daniel Therrien says it is imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.

This result provides closure on one of the world’s most widely reported data breaches. You can read an earlier blog post from us about the Ashley Madison breach here. You can find more information about the APEC cross border privacy enforcement framework on our blog here.

Image credit: Italian traffic sign - via Wikimedia Commons

International, breach, Asia Pacific, technology