USA: FTC proposes order against Drizly and its CEO for security failures
The Federal Trade Commission ('FTC') announced, on 24 October 2022, that it had issued a proposed order against Drizly, LLC and its CEO, James Cory Rellas, over allegations that the company's security failures had led to a data breach exposing the personal information of approximately 2.5 million consumers, and violating § 5(a) of the Federal Trade Commission Act ('the FTC Act').
Background to the case
Specifically, the FTC initiated an investigation into certain acts and practices of Drizly and Rellas.
Findings of the FTC
Following the investigation, the FTC issued a complaint against Drizly, highlighting that it had reason to believe that Drizly and Rellas violated the provisions of § 5(a) of the FTC Act by failing to use appropriate information security practices to protect consumers' personal information. More specifically, the FTC detailed that Drizly did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.
Furthermore, the FTC also noted that Drizly stored critical database information on an unsecured platform and neglected to monitor its network for security threats including not putting a senior executive in charge of ensuring that the company was keeping its data secure, nor monitoring its network for unauthorised attempts to access or remove personal data. To this end, the FTC concluded that these failures allowed a malicious actor to access Drizly's consumer database and steal information relating to 2.5 million consumers.
In light of the above, the FTC noted that its proposed order includes several requirements to ensure that Drizly take steps to address the problems outlined in the FTC's complaint. As such, the FTC specified that this would require Drizly to, among other things:
- Destroy any personal data collected that is not necessary for it to provide products or services to consumers. The data destroyed must be documented and reported to the FTC.
- Refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule, and publicly detail on its website the information it collects and why such data collection is necessary.
- Implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint including:
- providing security training for its employees;
- designating a high-level employee to oversee the information security program;
- implementing controls on who can access personal data; and
- requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.
Notably, the FTC clarified that the order applies personally to Rellas, noting that the FTC's proposed order will follow Rellas even if he leaves Drizly. Specifically, the FTC highlighted that Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.
On the above, Commissioner Christine S. Wilson clarified that she dissented from the inclusion of Rellas in the complaint and settlement. Specifically, Wilson explained that "To seek injunctive relief with respect to a CEO or other principal, the FTC must show only that the individual 'participated directly in the deceptive practices or had authority to control those practices', and does not require the FTC to show a 'specific link from [the individual] to the particular deceptive [acts] and instead looks at whether [the individual] had authority to control the corporate entity's practices".