Personal Liability for Executives in the Wake of Cyber Incidents: An Emerging Tool in Cybersecurity Enforcement – Lexology
Introduction
A new and potentially significant tool in regulatory enforcement is emerging for executives whose companies suffer a cybersecurity incident. The Federal Trade Commission ("FTC"), in a recently proposed Decision and Order, held James Rellas, the Chief Executive Officer ("CEO") of Drizly LLC ("Drizly"), personally liable for presiding over the company's failure to implement and apply appropriate information security practices, which led to a data breach resulting in the exposure of 2.5 million consumers' personal information.1
The decision marks the first time a senior corporate officer has been found personally liable in a civil matter arising from a company's security breach. The Drizly Decision and Order, in particular, reinforces a point Commissioner Rebecca Slaughter has made in recent years: poor cybersecurity practices may no longer be punished only by fines and consent decrees against the companies. Instead, where their actions – or inaction – related to cybersecurity are deemed egregious, company executives may be held personally liable.2 The potential for civil sanctions against executives is now a key part of the risk analysis for companies and senior leadership as they consider the company's cybersecurity strategy generally, and their decision-making in response to a cybersecurity incident specifically.3
Background
The FTC's decision to sanction an executive personally should be considered in light of the specific facts and circumstances of this incident and the role executives played in it.
Drizly is a web-based alcohol ordering and delivery service. In or around July 2020, a threat actor was able to breach a Drizly executive's GitHub account by reusing credentials that had been acquired via an unrelated breach. Drizly used GitHub for the development, management, and storage of source code, so the threat actor's access to the GitHub account allowed it to analyze the source code for vulnerabilities and modify security settings in the company's AWS database. Moreover, Drizly employees apparently stored credentials in the GitHub repository, despite security guidance from GitHub dating to at least 2013 warning against the practice.
This was the second time Drizly's GitHub account was accessed and leveraged by a threat actor. The first time, in 2018, the threat actor used the access to establish crypto mining operations on Drizly servers and cloud instances. This time, the threat actor was able to leverage that access to exfiltrate the personal information of nearly 2.5 million consumers.
Most of the FTC's decision follows the FTC's precedent for data security matters. For example, Drizly is required to implement, maintain, and annually certify an information security program based on principles of data minimization and data retention limits. Where it differs, however, is with respect to Drizly CEO James Rellas, who, according to the FTC, "is responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable information security practices."4 By way of example, the FTC's Complaint alleges that he "failed to hire a senior executive responsible for the security of consumers' personal information collected and maintained by Drizly."5 As a result, the FTC imposes penalties directly on Rellas: for the next 10 years, any future company that handles the data of more than 25,000 people for which he is a majority owner (or for which he serves as "a senior officer with direct or indirect responsibility for information security") must implement an information security program within 180 days of his joining the company.6
What Does This Mean for Companies and Executives?
With this action, regulators have signaled the opening of a new front in privacy and cyber enforcement. While there are still many open questions – e.g., how frequently, and under what circumstances, regulators will seek to impose personal liability – it is clear that regulators increasingly see personal liability for executives as a powerful "stick" to encourage good corporate cybersecurity practices. For example, in a joint statement on the Drizly Decision and Order, FTC Chair Lina Khan and Commissioner Alvaro Bedoya emphasize that "holding individual executives accountable . . . can further ensure that firms and the officers that run them are better incentivized to meet their legal obligations."7
The Drizly Decision is particularly helpful insofar as it offers some clear examples of the types of actions – or inaction – likely to be considered unfair and deceptive and therefore to violate the FTC Act. In particular, the FTC faulted Drizly – and CEO Rellas – for failing to take steps to protect consumers' data from hackers despite having been alerted to security problems two years prior to the breach, and it highlighted failures that Drizly could have remedied in the wake of the 2018 incident: the company did not implement multifactor authentication for employees, did not limit access to customer data, and stored database login information on an unsecured platform.
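As an added illustration, not part of the article or of Drizly's own tooling, of the control behind the stored-credential finding above and in the Background section: a small scanner that flags database connection strings, AWS access-key IDs and password literals committed to source, while skipping placeholders and environment lookups. The pattern names and the sample file contents are constructed for this example.

```python
import re

# Credential shapes that should never reach a source repository.
# The "AKIA" access-key prefix and the scheme://user:password@host URL shape are
# public, well-known formats; the selection and names here are an assumption for
# illustration, not Drizly's code or the FTC's text.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_url_with_password": re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@/]+@[^\s/]+"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|db_pass)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Matches that are templates or environment lookups rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)(<[^>]+>|\$\{?[A-Z_]+\}?|os\.environ|getenv|example|changeme)")


def find_hardcoded_secrets(source: str):
    """Return (line_number, kind) for each line that appears to embed a live credential."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        for kind, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if m and not PLACEHOLDER.search(m.group(0)):
                hits.append((n, kind))
    return hits


# Constructed sample of a config file; every value is made up.
SAMPLE = '''\
import os
DB_URL = "postgres://app:Winter2020!@db.internal:5432/orders"
AWS_KEY = "AKIA0000000000000000"
SAFE_URL = os.environ.get("DB_URL")
TEMPLATE = "postgres://<user>:<password>@<host>/db"
password = "hunter2hunter2"
'''

if __name__ == "__main__":
    # Lines 2, 3 and 6 are reported; the environment lookup and the template are not.
    for n, kind in find_hardcoded_secrets(SAMPLE):
        print(f"line {n}: {kind}")
```

Run as a pre-commit hook or CI step, a non-empty result blocks the commit; the same check over repository history shows whether credentials already committed need rotation.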
The FTC's actions also send a clear signal that the Commission expects executives to address cybersecurity vulnerabilities and undertake associated remediation, and to consistently and proactively monitor (or designate an information security officer to monitor) the company's data protection and cybersecurity practices. Given that, some key takeaways for companies include:
Conclusion
The Drizly case is a warning that regulators may be prepared to bring civil charges against both companies and their executives if companies do not prioritize and reasonably address data protection and cybersecurity issues. As consumer privacy continues to be an FTC priority, companies should be alert for further developments as the Commission finds – and uses – new tools for enforcement.
© Copyright 2006 – 2022 Law Business Research