On Oct. 24, the Federal Trade Commission (FTC) issued a proposed decision and order against Drizly LLC and its CEO regarding allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers in 2020. The order mandates that Drizly implement a wide range of data security and privacy protocols and requires Drizly’s CEO, James Cory Rellas, to personally ensure that any company he joins in an ownership or managerial capacity maintains an adequate information security program as stipulated by the terms of the order.

The proposed order, including a two-decade penalty imposed on Drizly and a 10-year penalty imposed on Rellas, highlights the FTC’s focus on information security and its willingness to levy harsh penalties against individual top executives for security failures. As Samuel Levine, director of the FTC’s Bureau of Consumer Protection, stated, “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness … CEOs who take shortcuts on security should take note.”

Background

The action arises from a 2020 data breach in which a hacker gained access to an employee’s login credentials and subsequently stole consumer information. According to the FTC’s complaint, Drizly — the online alcohol delivery marketplace and subsidiary of Uber — allegedly stored critical database information on an unsecured platform and failed to monitor its network for security threats. It also allegedly failed to implement basic measures to secure the personal information it collected, limit employee access to personal data, or develop adequate written security policies and train employees on those policies.

Consent Order Requirements for Drizly LLC

The FTC alleged that Drizly’s acts and practices constitute unfair and/or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act. If the FTC’s proposed consent order is finalized in its current form, Drizly would be required to implement a litany of data security and privacy policies. The consent order would require Drizly to:

  • Destroy any unnecessary personal data it has collected and document and report to the FTC what data was destroyed.
  • Document, make publicly available and submit to the FTC a retention schedule outlining what personal information Drizly collects; the purpose for which that data is collected; and a time frame for the deletion of that data.
  • Refrain from collecting or storing personal data not necessary for a specific purpose outlined in a retention schedule (unless required by law, regulation, court order or contractual obligation).
  • Update its retention schedule to correspond with any future decisions to collect new types of personal information.
  • Implement a comprehensive information security program, which includes measures such as providing security training for employees, designating a high-level employee to oversee the information security program, implementing controls on who can access personal data and requiring multi-factor authentication to access consumer data.
  • For the next 20 years, obtain biennial assessments from a qualified, objective and independent third-party professional who will examine Drizly’s information security program and identify any gaps, weaknesses or instances of material noncompliance.
  • Submit a copy of the biennial assessment to the FTC and submit annual certifications to the FTC stating Drizly’s continued compliance with the FTC’s consent order.
  • Submit a report to the FTC within 10 days of notifying any U.S. federal, state or local entity of a covered incident (such as a data breach).

These requirements notably stress the principle of data minimization, which means that companies should limit the collection of data to what is directly relevant and necessary to accomplish a specified purpose. This principle is a key aspect of compliance with the General Data Protection Regulation in Europe and state privacy laws in the United States, such as the California Privacy Rights Act and the Virginia Consumer Data Protection Act. 

Consent Order Requirements for CEO James Cory Rellas

The proposed consent order also applies personally to Drizly CEO James Cory Rellas and, if implemented in its current form, would bind him for 10 years following the issuance of the order. The stringent personal penalties imposed on Rellas stem from the authority he maintained at Drizly. Rellas co-founded Drizly and was the chief operating officer prior to becoming CEO, and according to the FTC, “at all times relevant to the allegations in this Complaint, Rellas had the authority to control, or participated in, Drizly’s information security practices.”

The consent order states that should Rellas become a majority owner, CEO or senior officer with information security responsibilities at a different business that collects consumer information for more than 25,000 individuals, he would be required to ensure that the business he joins has information security protocols in place that largely mirror the mandates within the FTC’s order for Drizly itself. Rellas would be required to ensure that the new business:

  • Documents its information security program or methods/protocols for protecting personal data.
  • Designates an employee responsible for the business’s information security program and provides a yearly report to the board of directors or governing body evaluating its information security program.
  • Conducts a yearly assessment of internal and external risks to personal data.

Additionally, for 10 years following the issuance of the order, for every business Rellas either individually or collectively owns or controls, he must deliver a copy of this order to:

  • All principals, officers, directors, and LLC managers and members.
  • All employees, agents and representatives with managerial responsibilities for a Covered Business’s data security, collection of consumer information and decision-making about the use of consumer information.
  • Any employees having primary responsibility for a Relevant Business’s data security, collection of consumer information and decision-making about the use of consumer information.

In its press release, the FTC explained that because corporate executives frequently move from company to company in the modern economy, the aggressive move will help ensure that companies are protecting consumers’ data and that CEOs learn from past mistakes. 

Conclusion

The action stresses the responsibility of businesses that collect consumer data to manage and protect that information from both internal and external threats. It is another example of the FTC’s use of its unfair trade practice authority to police privacy and data minimization in the absence of a uniform federal privacy law. As the amount of consumer data being collected by businesses continues to expand across sectors, the FTC stated in August that it is actively exploring new rules to regulate insufficient data security practices.

Importantly, the inclusion of reporting requirements to the boards of directors or equivalent managing bodies, coupled with the direct penalties levied against Drizly’s CEO, underscores that the protection and privacy of consumer personal information should involve top-level employees. Senior executives and managers should take note that lax handling of consumer personal information could have both companywide and individual consequences.