FTC takes Action Against Drizly and its CEO: Will Protecting Data Become a Priority for CEOs?
Privacy Plus+
Privacy, Technology and Perspective
FTC takes Action Against Drizly and its CEO: Will Protecting Data Become a Priority for CEOs? This week, in advance of the holidays, let’s take a look that the latest in privacy and data security case from the Federal Trade Commission.
Late in October, the FTC accepted, subject to final approval, an agreement containing a Proposed Consent Order (“Proposed Order”) from Drizly, an Uber subsidiary, and its CEO James Cory Rellas (“Rellas”), individually and as an officer of Drizly.
Drizly operates an online marketplace where local retailers of alcohol can sell their products online to consumers, and arrange for delivery. The company collects and stores a wide range of personal information from consumers such as email, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties, all stored on AWS.
In 2018, an employee publicly posted his account login information. As a result, hackers gained access to consumer database and stole personal information.
In its complaint, the FTC faulted Drizly for misrepresenting its privacy practices in its privacy notice. Strikingly, the FTC also faulted Drizley and its CEO for failing to take “well known, readily available, and relatively low-cost measures” to secure consumer data, including failing to hire a “senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly.”
Under the proposed order, both Drizly and Rellas are required to:
Destroy unnecessary data: Drizly is required to destroy any personal data it has collected that is not necessary for it to provide products or services to consumers. It must also document and report to the Commission what data it destroyed.
Limit future data collection: Going forward, Drizly must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also publicly detail on its website the information it collects and why collecting that information is necessary.
Implement an information security program: Drizly must also implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.
You can read the text of the FTC’s proposed order with Drizly and Rellas by clicking below:
This action by the FTC is remarkable primarily because it penalizes an individual executive as well as a company, and marks the first time that the FTC has held a CEO personally accountable for the data security failures of a company under Section 5 of the FTC Act. Further, the order is designed to follow Rellas into his future businesses, binding him to data security obligations even after he leaves Drizly. In a joint statement, Chair Lina Kahn and Commissioner Alvaro M. Bedoya reportedly stated:
“Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.