FTC Proposes Holding Drizly CEO Personally Responsible for Security Failures that Led to Data Breach
The U.S. Federal Trade Commission (FTC) announced a proposed consent agreement designed to hold the alcohol marketplace Drizly and its CEO accountable for alleged security failures that led to a data breach exposing personal information of 2.5 million customers.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “CEOs who take shortcuts on security should take note.”
Drizly operates an online marketplace that allows legal consumers to place orders with retailers to buy alcohol for delivery using Uber. Drizly stores customer data on the Amazon Web Services (AWS) cloud computing service, including email addresses, postal addresses, phone numbers, unique device identifiers, geolocation information, and data purchased from third parties.
In 2018, a Drizly employee posted corporate cloud computing login information on GitHub; hackers then used that information to mine cryptocurrency until Drizly changed the login information for the account. But the FTC complaint finds that Drizly and its CEO, James Cory Rellas, did not take steps to adequately address the company’s security problems while publicly claiming they had appropriate security protections in place. In 2020, another hacker breached an employee account, accessed Drizly’s corporate GitHub login information, gained access to the company’s database, and stole customers’ information, according to the FTC complaint.
Additionally, the FTC alleges that Drizly and Rellas failed to implement basic security practices—such as requiring employees to use two-factor authentication for GitHub or limiting employee access to personal data. The commission also charged that Drizly stored critical database information on an unsecured platform, neglected to monitor its networks for security threats, and exposed customers to hackers and identity thieves.
As part of the consent agreement, Drizly and Rellas would be required to destroy unnecessary data and limit future data collection to that which is necessary for specific purposes outlined in a retention schedule and is publicly communicated to consumers.
The company would also be required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. These measures include providing security training for employees, designating high-level employees to oversee the information security program, implementing controls on who can access personal data, and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.
The consent agreement also applies personally to Rellas—requiring him to implement information security programs at Drizly and any future company he works for if that business collects consumer information from more than 25,000 individuals or if he is a majority owner, CEO, or senior officer with information security responsibilities.
“In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record,” according to the FTC press release. “Recognizing that reality, the commission’s proposed order will follow Rellas even if he leaves Drizly.”
The FTC commissioners voted 4-0 to accept the proposed consent agreement. But one FTC commissioner dissented from the portion of the settlement agreement that applied personally to Rellas, arguing that large companies must be allowed to decide whether or not to pay attention to data security.
“Respectfully, we disagree,” said FTC Chair Lina M. Khan and Commissioner Alvaro M. Bedoya in a joint statement. “Overseeing a big company is not an excuse to subordinate legal duties in favor of other priorities. The FTC has a role to play in making sure a company’s legal obligations are weighed in the boardroom. Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”
The proposed consent order will be open for 30 days for public comment, after which the FTC will issue a decision on finalizing the order.