Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches
The FTC says Drizly’s CEO James Cory Rellas was alerted to a potential security loophole two years before a data breach exposed the personal information of 2.5 million customers of the alcohol delivery service. So egregious were Rellas’ actions, according to the agency, that not only will his company face a series of data privacy requirements but Rellas himself will as well, even when he’s no longer employed by Drizly. Alisa Chestler and Greta Messer from Baker Donelson unpack this unprecedented order.
If your management team and board of directors are not talking often about cyber liability and risk management, they soon will be. As a matter of both corporate and individual liability, recent enforcement makes it clear that management cannot rely on generic privacy policy language at the expense of meaningful operations supporting the statements it posts and publicizes.
As an example, the FTC announced an enforcement action against the online alcohol marketplace Drizly in late October 2022. This FTC action comes after Drizly’s data breach in 2020 when internal data security failures affected the information of 2.5 million customers.
FTC enforcement in privacy is common, but the agency’s new focus on management’s role in privacy and information security is unprecedented. On Jan. 10, the FTC finalized the Drizly consent order requiring the company to implement and maintain a data protection program, which is a common outcome of any privacy-related consent order. Less common to date, however, is the FTC’s requirement that Rellas, Drizly’s CEO, implement an information security program at any future companies he works for that meet certain specifications.
In this unprecedented move, Rellas will be required to ensure that any business with which he is involved that is in possession of the personal data of more than 25,000 consumers and in which he holds a majority interest, serves as CEO or holds a management position implements and maintains a formal information security management program.
Announcing the action against Drizly and Rellas in October, the agency specifically underscored this mandate: “Our [order] against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in the agency’s news release.
Accordingly, the FTC’s final decision is fairly substantial in its depth and breadth, highlighting two key violations by Drizly:
- Failure to implement readily available, low-cost data safeguards
- Using the company’s website to misrepresent compliance with commercially reasonable security practices
Within these violations, the FTC points to the absence of written policies and procedures at the company, such as those requiring employee training, and neglecting to place qualified professionals at the helm of a data security program.
Drizly also failed to implement certain other standard safeguards and policies, which allowed for faulty encryption technology, poor credential management, absence of multi-factor authentication and inability to monitor for the exfiltration of data. The FTC found that Rellas should have been aware of these issues, especially given a prior incident that served as constructive notice to Rellas of Drizly’s inadequate privacy and security practices, namely a 2018 incident involving Drizly’s parent company, Uber.
Now, Drizly is tasked with implementing an information security program, including policies and procedures for:
- Specifying data retention, destruction and minimization limits
- Introducing data access controls
- Routinely testing safeguards
- Training employees
- Creating measures to prevent storage of unsecured access keys or credentials
Further, this program will be subject to biennial third-party assessments to ensure its ability to protect personal information.
Moving forward, the FTC’s ongoing monitoring of Drizly and Rellas serves to alert companies to the government’s expectations for the development of data protection programs and accountability for misrepresentations of compliance with reasonable security practices.
The bottom line for your company and its management and officers: Get real about your risk
Management cannot rely on a one-size-fits-all privacy policy. Businesses — and their individual leaders — must accept responsibility for evaluating the company’s operations and adopting meaningful operations that support the statements it posts and publicizes.
![Baker Donaldson Law , PR Headshots of Alisa Chestler]()
Alisa Chestler, a shareholder in Baker Donelson’s Nashville and Washington, D.C. offices and chair of the firm’s Data Protection, Privacy and Cybersecurity Team, concentrates her practice in privacy, security and records management issues; health care and insurance regulatory compliance; and corporate transactions matters.
Alisa Chestler![Messer_Greta]()
Greta Messer is an associate in Baker Donelson’s Nashville office and focuses her practice on commercial transactions and assists in the development of platform agreements, terms of use, and compliance policies related to client privacy, cybersecurity, and information practices.
Greta Messer
Source link
