Settlement of Ashley Madison Data Breach U.S. Class Action Lawsuits

On July 21, 2017, a U.S. District Court granted preliminary approval of a proposed settlement of a consolidated class action lawsuit relating to the 2015 Ashley Madison data breach.

Background

In 2015, the Ashley Madison discreet affair website operated by Ruby Corp. (previously known as Avid Life Media) (“Ruby”) was subject to a cyber-attack by hackers who published the details (including sensitive personal information) of approximately 36 million Ashley Madison user accounts. The data breach resulted in a joint investigation by the Canadian and Australian Privacy Commissioners, lawsuits by the United States Federal Trade Commission (“FTC”) and a number of U.S. states, and class action lawsuits in Canada and the United States.

In August 2016, the Privacy Commissioners issued a joint report setting out findings that Ruby had committed numerous breaches of the Canadian Personal Information Protection and Electronic Documents Act and the Australian Privacy Act, and announced that Ruby had entered into settlement agreements with the Privacy Commissioners. In December 2016, the FTC announced that Ruby had agreed to settle the FTC and state lawsuits by making a $1.6 million settlement payment and agreeing to a stipulated order that required Ruby to establish, implement and maintain a comprehensive, fully documented information security program, including appropriate administrative, technical and physical safeguards reasonably designed to protect the security, confidentiality and integrity of personal information held by Ruby. (More information about the Privacy Commissioners’ investigation and the FTC lawsuit is available here).

Settlement of U.S. Class Action Lawsuit

The U.S. consolidated class action lawsuit resulted from multiple putative class action lawsuits against Ruby and its former chief executive officer relating to alleged inadequate data security practices and alleged misrepresentations about the Ashley Madison website.

The proposed settlement applies to all United States residents who used the Ashley Madison website before the announcement of the data breach, unless they elect to opt out of the settlement. The settlement requires the defendants to pay $11.2 million into a settlement fund to be distributed to settlement class members after deductions of settlement administration costs and court-approved lawyers’ fees and costs. Each settlement class member may claim a maximum of $3,500, consisting of compensation for demonstrated unreimbursed losses (to a maximum of $3,000) and for the public release of the class member’s personal information (to a maximum of $500). Any remaining settlement funds will be donated to approved charities.

The settlement does not impose any data security obligations on Ruby. Nevertheless, the settlement notes that, after the data breach was announced and as a result of the lawsuits, Ruby had implemented numerous remedial measures to enhance the security of customer data. The settlement also references Ruby’s settlement with the FTC, which requires Ruby to implement a comprehensive data security program for the benefit of its customers.

The settlement confirms that the class plaintiffs’ lawyers intend to apply for court approval of legal fees in an amount not to exceed one third of the $11.2 million settlement fund, plus reimbursement of reasonable costs and expenses.

The settlement expressly provides that the defendants deny any wrongdoing or liability. The settlement is subject to final court approval.

Canadian Class Action Lawsuits

Ruby’s Canadian customers commenced Canadian class action lawsuits relating to the Ashley Madison data breach. The settlement of the U.S. consolidated class action lawsuit does not apply to Canadian customers. The Canadian class action lawsuits remain unresolved.
