Ashley Madison Settles Data Breach Allegations for $11.2M

Ashley Madison Settles Data Breach Allegations for $11.2M

Rudy Verner and Rylee Johnston

-- 

On July 21, users of the online dating website, ashleymadison.com, received preliminary approval from U.S. District Judge John A. Ross of an $11.2 million dollar class action settlement with the site’s former parent company, Avid Life Media, now Ruby Life, Inc.

The settlement follows a very public data breach of the website’s network that occurred in July 2015. According to a proposed settlement filed in the Missouri-based multidistrict litigation, hackers posted the details after the company refused to comply with their demands to shut down.

AshleyMadison.com is a website that purports to promote side relationships for customers married or in otherwise committed relationships. Its slogan is “Life is short. Have an affair.” In In re Ashley Madison Customer Data Security Breach Litigation, plaintiffs, a class of affected users, brought claims against the owner and operator of the site after the data security breach resulted in the disclosure of the  users’ sensitive information, including their names, addresses, financial information, and sexual preferences.

The lawsuit claimed that Ashley Madison misled customers about its data security measures in violation of RICO, the Federal Stored Communications Act, and several federal data breach notification statutes. Plaintiffs also asserted a number of state law claims.

Ruby Life, Inc. denied wrongdoing but said in a statement that it settled to “avoid the uncertainty, expense, and inconvenience associated with continued litigation.” Plaintiffs’ lead counsel said there is no estimate on how many people will seek part of the settlement money, which could range from as little as $19 for those victimized by the hack, up to $2,000 for those who were victims of identity theft as a result of the data breach.

Ruby Life Inc. said that since the initial hack, it has implemented several measures to make customer data more secure. Prior to reaching any settlement agreement, the company agreed to end certain deceptive practices, including to stop creating fake profiles, and to develop a stronger data security program in addition to paying monetary penalties to the Federal Trade Commission. The court is expected to grant final approval to the settlement on November 20, 2017.  

This high profile case highlights the risks faced by online companies that collect and store sensitive personal information of its users. It also underscores the importance of making accurate disclosures regarding the data security measures a company has in place and, ultimately, ensuring that such measures are robust and meet industry best practices.