Seven months after Ashley Madison agreed to pay $1.65 million to settle federal and state probes into its lax security and deceptive practices, the company is back with another settlement that will see users whose personal information was breached when the adultery site was hacked in July 2015 recoup up to $3,500 for their troubles.
Ashley Madison parent company Ruby Corp, previously Avid Life Media, agreed to a settlement in the class-action lawsuit last week.
The settlement [PDF], which must still be approved by a federal judge, puts an end to a consolidated consumer class-action lawsuit [PDF], accusing the company of using inadequate data security practices and misrepresentations regarding the Ashley Madison website.
For instance, the complaint points to the Ashley Madison claim used since 2011 that the site was awarded a “Trusted Security Award.”
Despite this, the consolidated class-action complaints alleged that Avid Life (now Ruby) misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure.
However, in July 2015 the site was breached, leading to the exposure of nearly 36 million users’ personal information including names, addresses, telephone numbers, credit or debit card numbers, email addresses, dates of birth, date of creation of accounts, last account update, account type, nickname, gender, ethnicity, sexual preferences, and relationship status.
To make matters worse, the complaint claims that Ruby failed to notify users in a timely manner after the July 2015 breach was discovered. As a result, users say they were unable to protect themselves, suffering financially loss and other harm.
Under the proposed settlement, Ruby — which does not admit any wrongdoing — will pay a total of $11.2 million to a settlement fund that will provide, among other things, payments to settlement class members.
Users who submit “valid claims for alleged losses resulting from the data breach and alleged misrepresentations” can receive up to $3,500 from the settlement fund. For instance, users who present valid claims that the breach resulted in identity theft could receive up to $2,000 for the claim.
The claim form, which asks for customers’ personal information, includes questions related to customers who paid for a “full delete” of their Ashley Madison profile prior to the breach and whether users paid to communicate with “engagers.”
The FTC previously described engager profiles as fakes “created by [Ashley Madison] staff who communicate with consumers in the same way that consumers would communicate with each other — as a way to engage or attract additional consumers to AshleyMadison.com.” Users who submit a valid claim that includes purchasing engager credits could receive up to $500.
As for the full delete service, Ashley Madison sold customers the promise of removing 100% of their “digital trail” for a payment of $19. Customers submitting a claim that relates to the full delete option could receive up to $500 under the settlement.
They Might Not Have Been Users
In a statement on the settlement, Ruby notes that just because someone’s name was associated with the site through the breach, doesn’t mean they were actually a user of the site.
The company states that credentials breached were “not verified for accuracy during this timeframe and accounts may have been created using other individuals’ information.”
“Therefore, Ruby wishes to clarify that merely because a person’s name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison,” the company said.
The company also notes that since the July 2015 breach it has implemented numerous remedial measures to enhance the security of its customers’ data, such as requiring mandatory security training for employees, provide the full delete service for no charge, and completed a comprehensive third-party review of protections now in place.