Ashley Madison Data Breach Results in $11.2 Million Settlement
Insights
7.25.17
On Friday, July 21, users of the “married dating” website, ashleymadison.com, received preliminary approval of an $11.2 million class action settlement. This settlement seeks to resolve a number of consolidated lawsuits against Avid Life Media, some of which also named the owners and operators of the website. This settlement will conclude all the civil claims against Avid Life Media and a number of individually named owners and operators of the business arising from the data breach that brought the website to heightened notoriety in 2015. This $11.2 million class action settlement is separate from the Federal Trade Commission’s $1.6 million settlement with Ruby Corp., Avid’s parent company, which resolved charges that customers had been misled, not only with regard to the retention of private information, but also with regard to alleged fake profiles of female users made to attract new users.
The settlement will be paid to class members whose personal information was not deleted from Ashley Madison systems, despite those customers having paid specifically for their information to be deleted. The settlement fund is also intended to compensate users for losses associated with the data breach.
Perhaps the most disturbing piece of information from this case is the fact that the operators of ashleymadison.com apparently intended to allow their customers to have their private information deleted. In fact, a good amount of personal information had been deleted, such as a user’s name, address, phone number, and personal dating preferences. However, importantly, the service did not delete several other pieces of information, such as the users’ GPS coordinates, and personal details such as weight, height, date of birth, and ethnicity. Avid likely had innocuous intentions in the preservation of this information: to better understand its market and to track its performance metrics. However, we presume that Avid lacked the benefit of a clear understanding of the data-retention requirements in the jurisdictions it operated in. Many U.S. jurisdictions may have allowed the company to avoid liability had it encrypted consumer information. Had the operators of the website known of those laws, Avid presumably could have avoided some of its cumulative $12.8 million in settlement liability.
It should be emphasized that the settlements are not entirely attributable to mismanagement of personally identifiable information. Indeed, the settlement agreement provides reimbursement of purchased credits to communicate with “Engagers,” which may have been automated chat bots.
The court is expected to grant final approval to the settlement on November 20, 2017.