FTC Holds CEO Individually Responsible for Organization’s Data Breach

On October 24, 2022, the Federal Trade Commission (FTC) issued a press release indicating it was initiating action against Drizly, LLC (“Drizly”), an online alcohol marketplace, and its chief executive officer (CEO), James Cory Rellas, for a data breach that resulted in approximately 2.5 million consumers’ personal data being exposed. 

In its complaint[1], the FTC alleges that, following a security incident in 2018, Drizly was alerted that it had failed to “use appropriate information security practices to protect consumers’ personal information” and yet failed to take steps to protect consumers’ data from hackers.

According to the FTC, Drizly violated the Federal Trade Commission Act (FTCA) by failing to

  • implement, and train its employees on, “adequate” written standards, policies, procedures, or practices for information security;

  • store critical information, including login credentials, in a secure manner;

  • impose reasonable data access controls, including requirements for passwords and authentication methods;

  • monitor for unauthorized data transfer attempts and regularly monitor and assess its protection measures;

  • “test, audit, assess or review” the organization’s security safeguards and procedures;

  • establish a policy, procedure, or practice for “inventorying and deleting consumers’ personal information stored on its network that was no longer necessary.”

Due to these violations, pursuant to FTC’s Decision and Order[2] (“Order”), Drizly will be required to:

  • delete or destroy consumers’ personal and identifying information that is not currently being used or retained in connection with the provision of goods or services to these consumers and provide a written statement to the FTC “specifically enumerating which types of information were [d]eleted or destroyed”;

  • refrain from collecting or maintaining any consumer information that is not necessary for the provision of the organization’s products or services and maintain a list, which will be produced to the FTC, of data that is being retained for these specific purposes;

  • establish a security program that complies with the specific requirements of the Order, including appointing a qualified employee (or employees) responsible for implementing the program, assessing the internal and external risks to the security, confidentiality, or integrity of consumer information, and implementing safeguards to control those risks.

Additionally, Drizly’s CEO, or any senior corporate manager or senior officer who replaces the acting CEO (the “Corporate Respondent”), will be required to submit to the FTC an annual certification that the organization

  • “has established, implemented, and maintained the requirements of this Order”; and

  • is not aware of any “material noncompliance” that has not been corrected or disclosed to the FTC;

and that identifies any “Covered Incident” incurred by the organization during the certified period.

Notably, Drizly’s CEO is being held personally responsible for the violations of the FTCA. Under the Order, Drizly’s acting CEO during the first security incident and the data breach that led to this FTC action will be required, for a period of 10 years, to deliver the Order to “principals, officers, directors, and LLC managers and members”, to employees of the organization whose primary responsibility involves the collection, use, or security of consumers’ personal information, and to any entities formed as a result of a change in organizational structure.

According to a statement by Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, “[o]ur proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness[.]” Levine further warned that “CEOs who take shortcuts on security should take note.”


[1] https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf

[2] https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Decision-and-Order.pdf
