This proposed order against both Drizly and its CEO means that executives and the companies they lead must add the FTC to the alphabet soup of agencies regulating their privacy policies and cybersecurity posture.
On October 24, 2022, the Federal Trade Commission announced its proposed action against the online alcohol marketplace Drizly and its CEO, James Cory Rellas, over its failure to take measures to prevent a security breach that compromised the personal data of approximately 2.5 million consumers who used its marketplace to place retail orders for beer, wine, and liquor for delivery. Drizly had learned of the security problems well before the breach happened, but they failed to take basic steps to secure their customers’ data.
In 2018, a Drizly employee posted account login information on the software development platform GitHub. In that incident, hackers used Drizly’s servers to mine cryptocurrency until Drizly changed its cloud server login credentials. Drizly stated that they had employed new security measures to prevent future problems, but two years later, a hacker broke into Drizly’s GitHub information using a compromised employee account and stole the customer information.
The FTC’s complaint alleged that Drizly and Rellas:
- Claimed to have but failed to implement security measures following the 2018 breach
- Stored login information on GitHub’s unsecured platform against its guidance
- Failed to monitor its network for threats, exposing consumers to hackers and identity thieves
Who It Applies To
Interestingly, the enforcement action applies not just to Drizly, but also to its CEO in the event that he leaves the company and joins another company that collects personal data on over 25,000 consumers. The FTC included this language in recognition that executives today frequently move from one company to another, holding Rellas personally accountable for lessons he should have learned in these incidents.
What It Covers
The proposed order requires Drizly and Rellas to destroy unnecessary data, limit data collection in the future, and implement a security program. The proposed order will be published in the Federal Register and open for public comment for 30 days after publication, at which point the FTC will decide whether to make the order final. Failure to comply with the order, if finalized, would result in civil penalties and fines.
Expert Analysis by Travis Brennan, Chair, Privacy & Data Security Practice, Stradling Yocca Carlson & Rauth
The FTC’s emphasis on limiting the collection and use of personal information is in line with legislative and regulatory developments at the state level. For example, the California Privacy Rights Act, which takes effect on January 1, 2023, requires that covered businesses limit collection, use and retention to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” The draft implementing regulations from the California Privacy Protection Agency go a step further – they would require a business to obtain consent before using personal information for any purpose that is not consistent with the “reasonable expectations of the consumer” at the time the consumer’s personal information was collected. These are just some of the concrete steps that authorities at both the state and federal levels are taking to move the U.S. beyond the traditional “notice and transparency” framework of privacy regulation.
Data Privacy Tip
Organizations should develop and implement defensible, operational data retention policies to minimize the risk of data breaches if they occur. Learn the fundamentals of data retention in Exterro’s Data Retention Handbook.