The FTC voted 4-0 to accept a consent agreement with alcohol delivery app Drizly to settle a complaint alleging that the company ignored known security problems, resulting in a 2020 breach of 2.5 million consumers’ personal data.
The complaint also specifically names Drizly CEO Cory Rellas as a co-defendant, stating that he failed to delegate information security responsibilities or hire an executive to implement an information security program.
As part of the FTC order, Drizly and Rellas are required to implement a security program that includes multi-factor authentication for access to databases holding consumer information. They are also required to destroy any personal data collected that is not necessary to Drizly’s services, limit future data collection and publicly outline the purpose of the data that is collected.
Such safeguards are an “important step that the FTC is taking towards implementing this connection between data minimization and security,” says Cobun Zweifel-Keegan, a privacy attorney and managing director of the International Association of Privacy Professionals’ Washington office.
According to the complaint, Drizly and Rellas were first alerted to security issues at the company in 2018, two years before the breach that exposed consumer data. In 2018, an employee posted a company login credential on GitHub, allowing hackers to use Drizly’s servers to mine cryptocurrency. The company changed the login, but two years later a hacker compromised another employee’s account, accessed the company’s GitHub account and infiltrated a database of customer information. That information then wound up in the hands of criminals, according to the FTC complaint.
The FTC alleges that the company failed to put in place “reasonable safeguards” such as limiting employee access to personal data and requiring strong passwords, and that it ignored best practices by continuing to store sensitive data in its GitHub account after the first breach and after other well-publicized security incidents involving GitHub, including a 2018 Uber breach.
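The chain described above starts with a credential committed to a GitHub repository, which is exactly what a secret scan run before each commit is meant to stop. The following Python is an added example written for this page; it is not code from Drizly, from the FTC order or from any tool named here. The file contents, the key and password values and the patterns are constructed for illustration (the AWS key is Amazon’s documented placeholder, not a live credential), and the assignment-name heuristic and the entropy measure are assumptions about what a practical scanner checks, not a description of what Drizly did or should have run.

```python
import math
import re
from collections import Counter

# Constructed sample files standing in for a set of staged changes.
# None of the values below are real credentials.
SAMPLE_FILES = {
    "README.md": "Run `make deploy` to push the app to staging.\n",
    "config/settings.py": (
        "DB_HOST = 'db.internal.example'\n"
        "DB_PASSWORD = 'Xk9#vL2pQ7mZ4rT8wB1n'\n"
        "DEBUG = False\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync /var/backups s3://example-bucket/\n"
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(key material omitted from this constructed sample)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

# Credential formats with a fixed, recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# An assignment whose variable name suggests a secret and whose value is a
# quoted string of at least 8 characters. No leading \b on purpose: names such
# as DB_PASSWORD have an underscore (a word character) right before "PASSWORD".
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s):
    """Bits per character. Random-looking secrets score high; words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return (path, line_number, finding_kind) tuples for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
        match = ASSIGNMENT.search(line)
        if match:
            # Entropy is reported for triage only; a low-entropy placeholder
            # such as 'changeme1' is still flagged because the name matched.
            findings.append((path, lineno, "secret_assignment"))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, in order, and collect every finding."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def is_commit_allowed(files):
    """Pre-commit decision: refuse the commit if any finding was raised."""
    return not scan_files(files)


if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}")
    print("commit allowed:", is_commit_allowed(SAMPLE_FILES))
```

Wiring `is_commit_allowed` into a pre-commit hook stops a credential at the moment it is staged, which is the step that went wrong in 2018. It does nothing for the second stage of the chain, a compromised employee account that can reach the repository and, from there, the database; that is what the order’s multi-factor authentication and access-limiting requirements address, and a scanner is no substitute for them.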
The order comes as the FTC explores a rulemaking process to address data security and consumer surveillance and could signal what’s to come.
In a concurring statement, Democratic Commissioner Rebecca Slaughter called for a data minimization framework that includes a “reasonable expectation that there should be limits on the collection and use of [consumer] information based on the service they’ve actually requested.”
“She’s taking a position on the framework through which you would think about data minimization. And that could be one part of where we see the rulemaking going,” says Zweifel-Keegan.
In a press release announcing the order, the agency emphasized “aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.”
Under the order, Rellas must also implement an information security program at any future company where he is a majority owner or CEO and that collects the data of more than 25,000 individuals.
In 2021, Uber bought Drizly in a reported $1.1 billion deal.
While all four commissioners voted to approve the order, Republican Commissioner Christine Wilson dissented in part, objecting to the naming of Rellas in the order.
“In most large companies, I would expect CEOs to have little to no involvement with, and no direct knowledge of, practices that are the subject of an FTC investigation,” Wilson wrote in her dissent.
“By naming Rellas, the Commission has not put the market on notice that the FTC will use its resources to target lax data security practices,” she wrote. “Instead, it has signaled that the agency will substitute its own judgment about corporate priorities and governance decisions for those of companies.”
FTC Chair Lina Khan, a Democrat, and Democratic Commissioner Alvaro Bedoya responded in a joint statement.
“Respectfully, we disagree,” they wrote. “Overseeing a big company is not an excuse to subordinate legal duties in favor of other priorities.”
The statement is a signal that personal liability for executives could become a more frequent enforcement tool in data and security cases, says privacy lawyer Whitney Merrill.
“I think just saying that shows that if they feel that people are not taking privacy and security seriously, or that they chose not to do privacy and security because of something else, that the FTC is going to take action if they can,” said Merrill, who formerly worked at the FTC.
The order is not the first time the FTC has held a CEO personally liable, but it is a first for a privacy and security case.
“I think that their hope is that it will change the culture of how people think about privacy and security as opposed to just a trade-off,” said Merrill.
Rellas did not respond to a request for comment sent to Drizly’s press email. “We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson responded.
Updated Oct. 4, 2022: To include comments from Whitney Merrill.