The operators of the Ashley Madison and related dating sites that suffered a devastating hack in 2015 have escaped paying a multi-million dollar fine.

Instead Ruby Corp. , Ruby Life Ltd. and ADL Media have agreed to pay only have to pay US$1.6 million to the U.S. government and a number of states to settle charges they deceived consumers and failed to protect 36 million users’ account and profile information in the data breach. The full settlement is US$17.5 million, according to the New York State attorney general, but Ruby is being allowed to write a cheque for the the lesser amount due to an inability to pay.

But, according to the settlement, if the three companies are found to have misrepresented their financial shape they will have to pay the full amount to Washington and the states.

The settlement was outlined Wednesday by the U.S. Federal Trade Commission (FTC), which includes requiring the operating companies to implement a comprehensive data-security program, including third-party assessments.

“This case represents one of the largest data breaches that the FTC has investigated to date,” said FTC chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”

In addition to criticizing Ruby Corp. (formerly Avid Life Media) for poor data security Ramirez also hammered the company for creating fake profiles of women looking for relationships to lure subscribers.

The FTC worked with Canada’s federal privacy commissioner in its investigation. In August that office, along with the office of the privacy commissioner of Australia, issued a report, which concluded poor administrator identity and access management controls were at the heart of  the breach, attributed to a group calling itself “The Impact Team” The group threatened to release all of the website’s user information unless Ashley Madison shut down. The company refused. Soon after subscriber information was released.

According to the FTC complaint the sites operators assured users their personal information such as date of birth, relationship status and sexual preferences was private and securely protected. But the company had “no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.”

Intruders accessed the companies’ networks several times between November 2014 and June 2015, the FTC complaint says, alleging that due to lax data-security practices, the intrusions weren’t discovered.

In  a blog on the FTC Web site, Lisa Weintraub Schifferle, a lawyer with the commission’s bureau of consumer protection, concludes with this: “So, what’s the lesson learned from the Ashley Madison case? Businesses must keep their promises. And if you collect sensitive personal information, you must protect it.”