Updated on 2022-10-30: FTC brings action against Drizly CEO over data breach
Here’s a novel one to look out for: the Federal Trade Commission is bringing action against the former CEO of alcohol delivery site Drizly, which had a sizable data breach back in 2020. I remember because I obtained a portion of the data — containing phone numbers, IP addresses and geolocation data — and verified it as authentic. Now, the FTC is holding Drizly — and its former CEO — liable for the breach. (If you’re wondering why it took so long, that’s just the glacial pace at which the FTC works.) In its complaint, the federal regulator dug into the company’s security practices and found — no surprise — that they were not good! In one case, an employee posted internal credentials to GitHub by mistake, and those credentials were later abused for mining cryptocurrency. On the bright side, it means that CEOs who walk away from their own house fires can be held responsible for the damage caused on their watch. Read more:
- Alcohol delivery service Drizly confirms data breach
- Venture capital will soon be brimming with ghosts
- FTC holds alcohol delivery app Drizly and its CEO liable for lax data security before 2020 hack
Updated on 2022-10-27: FTC Sanctions Drizly and Its CEO Over Data Security Failures
The US Federal Trade Commission has sanctioned online alcohol marketplace Drizly and its CEO over poor customer data protection that resulted in the theft of 2.4 million user records. Drizly and CEO James Cory Rellas were alerted to security concerns two years before the breach occurred, but they had not taken steps to improve the security. The FTC’s “proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness.” The order’s requirements will follow Rellas: He will be required to implement security programs at companies he runs if they collect data from 25,000 or more individuals.
Note
- While on the surface this seems like a good one to show your CEO, I doubt this action against Drizly’s CEO will stand up to any formal appeal or legal challenge. As Commissioner Wilson’s dissent points out, this is saying that if any business decision made to take a security or privacy risk turns out to be the wrong decision, a CEO could be sanctioned. That seems unrealistic.
- With this sanction, the FTC is shining a light on the CEO and indirectly, the company executive team. While unlikely that the order will survive on appeal, it serves notice to every CEO that they are fully accountable for implementing and actively managing the company cyber security program.
- As Drizly is now part of Uber, the proposed order applies to the company as well as the former CEO, not only requiring increased security and training but also deletion of unnecessary data. The FTC intends the message to be: protecting Americans’ data is not discretionary and is to be prioritized. Keep an eye out for new FTC orders raising the bar on cyber security expectations. The proposed order, when finalized, will be in effect for twenty years.
- Interesting move by the FTC. This is a perfect case to set a precedent over corporate malfeasance and oversight. We will have to watch this one more closely, as if this does follow the CEO from company to company, we may see changes in the boardroom based on this.
Read more:
- FTC brings action against CEO of alcohol delivery company over data breach
- FTC slaps down Drizly CEO after 2.4m user records stolen from ‘careless’ booze app biz
- FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
- DECISION AND ORDER (PDF)
Updated on 2022-10-26: A Person Just Got Slapped With An FTC Consent Decree
The Federal Trade Commission has issued a proposed order against alcohol delivery service Drizly that is noteworthy for applying to its CEO, James Cory Rellas, even if he leaves Drizly and works elsewhere.
In a press statement, Samuel Levine, the Director of the FTC’s Bureau of Consumer Protection said “our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness. CEOs who take shortcuts on security should take note.”
Drizly and Rellas will be required to destroy unnecessary data, limit future data collection and implement an information security program. FTC Commissioner Christine Wilson issued a dissenting statement that disagreed with holding Rellas liable, but we are OK with it, as those requirements don’t seem much more than what responsible companies should be doing anyway. Read more:
- FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
- Concurring and Dissenting Statement of Commissioner Christine S. Wilson
Overview: First FTC ruling of its kind
The US Federal Trade Commission reached a settlement with online alcohol delivery service Drizly relating to its 2020 security breach that exposed the personal data of more than 2.5 million of its users. The settlement requires that the company, which has since been acquired by Uber, destroy unnecessary data it collected about its users and further restricts Drizly from similar broad data collection in the future. In addition, the settlement is the first of its kind, as it also includes a clause against Drizly CEO James Cory Rellas. Read more:
- FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
- FTC seeks action against Drizly — and its CEO — for cybersecurity failures
“Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. […] Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”