FTC draft order targets Drizly and its CEO for allegedly lax information security standards following data breach – Security
To print this article, all you need to do is be registered or log in to Mondaq.com.
On October 24, the Federal Trade Commission (FTC) released a proposal
decision and order against Drizly LLC and its CEO regarding allegations that the company’s security lapses led to a data breach exposing the personal information of approximately 2.5 million consumers in 2020. The order requires Drizly to put in implements a wide range of data security and privacy protocols and requires Drizly CEO James Cory Rellas to personally ensure that any company he joins as owner or manager maintains an information security program adequate, as stipulated by the terms of the order.
The proposed order, including a two-decade sentence imposed on Drizly and a 10-year sentence imposed on Rellas, highlights the FTC’s emphasis on information security and its willingness to impose tough penalties to senior executives for security failures. As Samuel Levine, Director of the FTC’s Consumer Protection Bureau, declared“Our proposed order against Drizly not only restricts what the company can retain and collect in the future, but also ensures that the CEO faces the consequences of the company’s negligence…CEOs who take shortcuts by safety issues should take note.”
The action stems from a 2020 data breach in which a hacker gained access to an employee’s login credentials and then stole consumer information. According to the FTC complaint, Drizly – the online alcohol delivery marketplace and subsidiary of Uber – allegedly stored critical database information on an unsecured platform and failed to monitor its network for security threats. It also allegedly failed to implement basic measures to secure personal information collected, limit employee access to personal data, or develop adequate written security policies and train employees on those policies.
Consent Order Requirements for Drizly LLC
The FTC alleged that Drizly’s acts and practices constituted unfair and/or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act. If the FTC’s proposed consent order is finalized in its current form, Drizly would be required to implement a litany of security and data privacy policies. The consent order would require Drizly to:
- Destroy any unnecessary personal data it has collected and document and report to the FTC what data was destroyed.
- Document, make publicly available, and submit to the FTC a retention schedule describing personal information collected by Drizly; the purpose for which this data is collected; and a deadline for the deletion of this data.
- Refrain from collecting or storing personal data not necessary for a specific purpose described in a retention schedule (unless required by law, regulation, court order or contractual obligation).
- Update its retention schedule to match any future decisions to collect new types of personal information.
- Implement a comprehensive information security program, which includes measures such as employee security training, appointment of a high-level employee to oversee the information security program, implementing controls on who can access personal data and requiring multi-factor authentication to access consumer data.
- For the next 20 yearsObtain biannual assessments from a qualified, objective, and independent third-party professional who will review Drizly’s information security program and identify gaps, weaknesses, or material non-compliance.
- Submit a copy of the biennial assessment to the FTC and submit annual certifications to the FTC that Drizly continues to comply with the FTC’s consent order.
- Immediately submit a report to the FTC within 10 days of notifying any U.S. federal, state, or local entity of a covered incident (such as a data breach).
These requirements insist in particular on the principle of minimization of data, which means that companies must limit the collection of data to what is directly relevant and necessary to accomplish a given purpose. This principle is a key aspect of complying with the General Data Protection Regulation in Europe and national privacy laws in the United States, such as the California Privacy Rights Act and the Virginia Consumer Data Protection Act.
Consent Order Requirements for CEO James Cory Rellas
The proposed consent order also personally applies to Drizly CEO James Cory Rellas and, if implemented in its current form, would bind him for 10 years after the order is issued. The harsh personal penalties imposed on Rellas stem from the authority he maintained at Drizly. Rellas co-founded Drizly and was COO before becoming CEO, and according to the FTC“At all times relevant to the allegations in this complaint, Rellas had the authority to monitor or participate in Drizly’s information security practices.”
The consent order states that if Rellas becomes a majority owner, CEO, or senior executive with information security responsibilities at a different company that collects consumer information for more than 25,000 people, he would be required to ensure that the company he joins has information security protocols in place that largely mirror the FTC’s command mandates for Drizly himself. Rellas would be required to ensure that the new business:
- Documents its information security program or personal data protection methods/protocols.
- Designates an employee responsible for the company’s information security program and provides an annual report to the board of directors or governing body evaluating its information security program.
- Performs an annual assessment of internal and external risks to personal data.
In addition, for 10 years after the order is issued, for each company owned or controlled, individually or collectively, Rellas must deliver a copy of this order to:
- All directors, officers, directors and managers and members of LLC.
- All employees, agents, and representatives with management responsibilities for a Covered Business’s data security, collection of consumer information, and decision-making regarding the use of consumer information
- Any employee with primary responsibility for data security of a relevant business, collecting consumer information, and making decisions about the use of consumer information.
In its press release, the FTC explained that because business leaders frequently move from company to company in the modern economy, this aggressive move will help ensure that companies protect consumer data and that CEOs learn from past mistakes.
The action underscores the responsibility of companies that collect consumer data to manage and protect that information from internal and external threats. This is another example of the FTC’s use of its unfair trade practices authority to control privacy and data minimization, all in the absence of a uniform federal privacy law. As the amount of consumer data collected by companies continues to grow across industries, the FTC said in August that it was actively exploring new rules regulate insufficient data security practices.
Importantly, the inclusion of reporting requirements to boards of directors or equivalent management bodies, coupled with the direct sanctions imposed on Drizly’s CEO, underscores that the protection and privacy of consumers’ personal information must involve high-level employees. Executives and managers should note that lax handling of consumers’ personal information could have both company-wide and individual-level consequences.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR ARTICLES ON: USA Technology