“Ding Dong” -- FTC-Drizly Data Breach Settlement Will Follow CEO Personally for a Decade
By Christopher J. Buontempo, Cynthia J. Larose
The Federal Trade Commission (“FTC”) announced on Monday that it is settling a case against Drizly and its CEO stemming from a 2020 data breach that impacted roughly 2.5 million consumers. The proposed order not only contains a laundry list of security-related obligations for Drizly that span twenty years, but also names and targets its CEO James Cory Rellas personally, hitting him with obligations that will follow him for a decade, even if he moves to other organizations. There are also hints that the FTC intends to elevate information security issues to boards of directors and other top-level executives.
In its press release announcing the settlement, the FTC stated, “In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”
Complaint and Background
According to the FTC’s complaint, Drizly and its CEO, James Cory Rellas (who was individually named in the complaint), became aware of information security issues at Drizly following an earlier security incident in 2018, but failed to take adequate steps to fix them, all the while publicly claiming to have appropriate security protections in place. Specifically, the FTC’s complaint alleges that Drizly and Rellas:
Failed to implement basic security measures: The FTC alleged that despite statements claiming the company used appropriate security practices to protect consumer data, Drizly failed to implement reasonable safeguards, did not require employees to use two-factor authentication, did not limit employee access to personal data, did not develop adequate written security policies, and did not train employees on those procedures.
Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on its hosting platform contrary to the platform’s own guidance and despite well-publicized security incidents involving that platform.
Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.
Exposed consumers to hackers and identity thieves: According to the FTC, personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web.
Proposed Order
The proposed order requires Drizly to undertake a number of short- and long-term security-related responsibilities, some of which extend twenty years. These include:
Delete all unnecessary data and document and report such destruction to the FTC.
Limit future data collection to only what is necessary, and publicly detail on its website the information it collects and why such data collection is necessary.
Implement an information security program and establish security safeguards to protect against the security incidents as outlined in the FTC’s complaint, including employee security training, program oversight, assessment and documentation of security risks no less than annually, personal data access controls, and multi-factor authentication.
Obtain third-party biennial security assessments for twenty (20) years, with detailed requirements set out in the order, and submit the results of such assessments to the FTC.
Drizly’s CEO Targeted Personally
While the obligations on Drizly are extensive on their own, what many are likely to find most surprising and groundbreaking is that, in a rare move, the proposed order names Drizly’s CEO Rellas personally and includes obligations that will follow him for a decade. For ten years following the final order, Rellas must implement a comprehensive information security program at any organization that collects, uses, stores or discloses personal information of 25,000 or more consumers where he is either (1) a majority owner, or (2) a CEO or other senior officer.
To satisfy the information security program requirements, Rellas must ensure the following, at a minimum:
Information Security Program: Document the content, implementation and maintenance of the information security program in writing.
Board of Directors and Leadership Involvement: Provide the information security program to the board of directors and other leadership.
Employee Responsibility: Designate personnel to coordinate and be responsible for the information security program.
Annual Security Assessments: Annually assess and document security risks to the organization and the sufficiency of security safeguards.
Regular Security Testing and Audits: Test and monitor the effectiveness of safeguards at least annually, including vulnerability testing at least every four months and penetration testing at least every twelve months.
Service Provider Oversight: Adequately assess service providers and contractually require them to implement adequate security safeguards.
Information Security Program Updates: At least annually evaluate and adjust the information security program in light of business and technological changes.
Takeaways
Clearly, the FTC is serious about information security and about holding top executives responsible for it. Here are a few takeaways from the proposed order.
Information Security is a Leadership and C-Suite Responsibility. Long gone are the days of information security oversight resting solely with designated security or IT personnel in an organization – the FTC makes clear that leadership must be plugged into information security and will be held responsible for security failures.
Personal Consequences for Executives. This is the big one. The FTC proposed order includes extensive personal obligations that last a decade and will follow Drizly’s CEO even if he moves to a different company. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, made the FTC’s position on this quite clear, stating, “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness.” There is also reason to believe that this trend will continue, as Levine further noted, “CEOs who take shortcuts on security should take note.”
The FTC’s Concept of Reasonable Security is Crystalizing. In its proposed order, the FTC prescribed an extensive recipe of information security program ingredients that Drizly’s CEO is required to implement at future organizations that he is involved with, and a list of what the FTC views to be material security shortcomings. These lists contain various information security concepts that have appeared repeatedly in prior FTC complaints and orders, so it is a fair conclusion that the FTC considers these measures to be integral components of reasonable security that it expects organizations to have in place.
No More Hoarding Data. The data minimization requirements in the proposed order go beyond what we have seen in information security program requirements built into prior FTC enforcement actions. Data minimization standards are a hallmark of compliance with such data privacy laws as GDPR (Article 5), the California Privacy Rights Act (§1798.100(c)), and the Virginia Consumer Data Protection Act, as well as new laws coming into force in Connecticut, Colorado, and Utah. The premise is simple: If you don’t have the data, hackers cannot get at the data. Companies should review (or implement) rigorous data retention policies and not retain personal data longer than necessary for the purposes for which such data was collected. You should not be keeping data “just because you can.”
Organizations Cannot Outsource Security or Piggyback on their Vendors’ Security. Though Drizly used large and reputable third-party cloud hosting providers, according to the FTC, Drizly did not have its own sufficient information security program. Organizations often mistakenly believe that they can “piggyback” and rely solely on the security measures of their hosting providers and other vendors. The FTC complaint made clear that this does not fly, and an organization must have its own extensive security program, even if it uses large and reputable vendors.
Boards of Directors and Other Leadership May be on the FTC’s Radar. It is interesting to note that as part of Drizly’s CEO’s future obligations at Drizly and other organizations he is involved with, the FTC requires that he provide written information security programs, evaluations, and updates to each organization’s board of directors, governing body, or other senior leadership at least once every 12 months. It is not entirely clear whether the FTC intends this obligation to be (1) an oversight mechanism over the CEO; (2) a signal that the FTC expects that boards and leadership start taking a more active role in information security; or (3) both. It is worth drawing a parallel to the Securities and Exchange Commission’s (SEC) new proposed cybersecurity disclosure rules for public companies, which, among other things, are designed to standardize cybersecurity-related incident reporting, governance, and risk management and emphasize the increasing importance of cybersecurity as a dimension of corporate governance, including requiring companies to identify the level of cybersecurity expertise among their board members. You can read more details about the proposed SEC cybersecurity rules here.
In the absence of Congressional action on new federal privacy laws addressing security of personal data, it is clear that there is a trend across federal agencies to prioritize information security and elevate its organizational importance.