The Federal Trade Commission (“FTC”) announced on Monday that it is settling a case against Drizly and its CEO stemming from a 2020 data breach that impacted roughly 2.5 million consumers. The proposed order not only contains a laundry list of security-related obligations for Drizly that span twenty years, but also names and targets its CEO James Cory Rellas personally, hitting him with obligations that will follow him for a decade, even if he moves to other organizations. There are also hints that the FTC intends to elevate information security issues to boards of directors and other top-level executives.
In its press release announcing the settlement, the FTC stated, “In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission's proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”
According to the FTC's complaint, Drizly and its CEO, James Cory Rellas (who was individually named in the complaint), became aware of information security issues at Drizly following an earlier security incident in 2018, but failed to take adequate steps to fix them, all the while publicly claiming to have appropriate security protections in place. Specifically, the FTC's complaint alleges that Drizly and Rellas:
The proposed order requires Drizly to undertake a number of short- and long-term security-related responsibilities, some of which extend twenty years. These include:
While the obligations on Drizly are extensive alone, what many are likely to find most surprising and groundbreaking is that, in a rare move, the proposed order names Drizly's CEO Rellas personally, and includes obligations that will follow him for a decade. For ten years following the final order, Rellas must implement a comprehensive information security program at any organization that collects, uses, stores or discloses personal information of 25,000 or more consumers where he is either (1) a majority owner, or (2) a CEO or other senior officer.
To satisfy the information security program requirements, Rellas must ensure the following, at a minimum:
Clearly, the FTC is serious about information security and about holding top executives responsible for it. Here are a few takeaways from the proposed order.
Information Security is a Leadership and C-Suite Responsibility. Long gone are the days of information security oversight resting solely with designated security or IT personnel in an organization – the FTC makes clear that leadership must be plugged into information security and will be held responsible for security failures.
Personal Consequences for Executives. This is the big one. The FTC proposed order includes extensive personal obligations that last a decade and will follow Drizly's CEO even if he moves to a different company. Samuel Levine, Director of the FTC's Bureau of Consumer Protection, made the FTC's position on this quite clear, stating, “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company's carelessness.” There is also reason to believe that this trend will continue, as Levine further noted, “CEOs who take shortcuts on security should take note.”
The FTC's Concept of Reasonable Security is Crystallizing. In its proposed order, the FTC prescribed an extensive recipe of information security program ingredients that Drizly's CEO is required to implement at future organizations that he is involved with, and a list of what the FTC views to be material security shortcomings. These lists contain various information security concepts that have appeared repeatedly in prior FTC complaints and orders, so it is a fair conclusion that the FTC considers these measures to be integral components of reasonable security that it expects organizations to have in place.
No More Hoarding Data. The data minimization requirements in the proposed order go beyond what we have seen in information security program requirements built into prior FTC enforcement actions. Data minimization standards are a hallmark of compliance with such data privacy laws as GDPR (Article 5), the California Privacy Rights Act (§1798.100(c)), and the Virginia Consumer Data Protection Act, as well as new laws coming into force in Connecticut, Colorado, and Utah. The premise is simple: If you don't have the data, hackers cannot get at the data. Companies should review (or implement) rigorous data retention policies and not retain personal data longer than necessary for the purposes for which such data was collected. You should not be keeping data “just because you can.”
Organizations Cannot Outsource Security or Piggyback on their Vendors' Security. Though Drizly used large and reputable third-party cloud hosting providers, according to the FTC, Drizly did not have a sufficient information security program of its own. Organizations often mistakenly believe that they can “piggyback” and rely solely on the security measures of their hosting providers and other vendors. The FTC complaint made clear that this does not fly: an organization must have its own extensive security program, even if it uses large and reputable vendors.
Boards of Directors and Other Leadership May be on the FTC's Radar. It is interesting to note that, as part of Drizly's CEO's future obligations at Drizly and other organizations he is involved with, the FTC requires that he provide written information security programs, evaluations, and updates to each organization's board of directors, governing body, or other senior leadership at least once every 12 months. It is not entirely clear whether the FTC intends this obligation to be (1) an oversight mechanism over the CEO; (2) a signal that the FTC expects boards and leadership to start taking a more active role in information security; or (3) both. It is worth drawing a parallel to the Securities and Exchange Commission's (SEC) new proposed cybersecurity disclosure rules for public companies, which, among other things, are designed to standardize cybersecurity-related incident reporting, governance, and risk management and emphasize the increasing importance of cybersecurity as a dimension of corporate governance, including requiring companies to identify the level of cybersecurity expertise among their board members. You can read more details about the proposed SEC cybersecurity rules here.
In the absence of Congressional action on new federal privacy laws addressing security of personal data, it is clear that there is a trend across federal agencies to prioritize information security and elevate its organizational importance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.