The Federal Trade Commission (FTC) has released a new proposed order against Boston-based online alcohol marketplace Drizly over its lax security practices, requiring the company to destroy unnecessary data, restricting the data that it can collect, and - in a rare move for the FTC - binding its CEO to specific data security requirements as well.
The proposed order comes on the heels of a data breach at Drizly in 2020 that exposed the personal data of 2.5 million consumers. According to the FTC, the company and its CEO, James Cory Rellas, were alerted to various security issues two years before the breach after a Drizly employee posted company account login information on GitHub, allowing hackers to launch a cryptomining attack using Drizly servers. However, even after this incident the company did not take the necessary steps to secure customer data, alleged the FTC. These steps included requiring two-factor authentication for GitHub, limiting employee access to personal data and monitoring its network for unauthorized attempts to access data. At the same time, the FTC alleged that the company and its CEO did not develop security policies or put a senior executive in charge of making sure its data was secure.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement on Monday. “CEOs who take shortcuts on security should take note.”
The order directs Drizly to destroy any personal data collected that is not necessary for its products or services, and going forward to refrain from collecting personal data unless necessary for these specific purposes. Drizly also must implement a comprehensive security program with a designated “high-level employee” to oversee that program. The program must outline measures like security training for employees and MFA requirements, and the implementation of controls on who can access data.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness.”
These mandates also apply to Rellas, with the order specifying that Rellas will also be required to implement an information security program even at future companies, if he takes a role of CEO or majority owner at a business collecting consumer data from more than 25,000 people. The order is partially reminiscent of a 2021 FTC case against the operators of MoviePass. The case, which primarily alleged that the service’s CEO and parent company’s CEO misrepresented their business practices, also included allegations that the operators left a database with subscribers' personal information unencrypted and exposed.
However, Ben Rossen, special counsel with Baker Botts, who is a former senior attorney at the FTC with experience handling high-profile privacy and data security investigations, said that historically the FTC has leveraged orders holding CEOs accountable for cases related to fraud as opposed to data security or privacy practices.
“Here, there are some fairly unique facts about the prior data breaches that a company has had, and perhaps some direct notice, that will better support these allegations,” he said. “That’s not necessarily going to be true in every case, and it will be interesting to see how aggressively the FTC tries to push the envelope with this."
In a statement, FTC Commissioner Christine Wilson said that the FTC was not alleging that Rellas oversaw day-to-day operations of data security practices or was responsible for decisions around these operations, but instead that Rellas did not appropriately prioritize hiring a senior executive responsible for privacy or data security.
“It’s getting more into the weeds and helping us understand what the FTC means when it wants companies to implement data minimization practices.”
However, though the FTC voted 4-0 to accept the consent agreement, Wilson said she did not support holding Rellas liable, because by naming Rellas the FTC has “signaled the agency will substitute its own judgment about corporate priorities” for companies rather than targeting ineffective data security practices.
“There is no doubt that robust data security is important… But CEOs have hundreds of issues and numerous regulatory obligations to navigate,” said Wilson in a statement. “Companies, not federal regulators, are better positioned to evaluate what risks require the regular attention of a CEO. And when companies err in making those assessments, the government will hold them accountable. Accordingly, I dissent from the inclusion of the individual defendant in the complaint and settlement in this matter.”
The lawsuit is the latest move by the FTC around data security and privacy policies under Lina Khan's administration since she was sworn in as the FTC chair in June 2021. In March, the FTC cracked down on online retailer CafePress after the company allegedly covered a major data breach and failed to secure customers’ sensitive data, while in August the commission announced its intent to scrutinize the surveillance and data collection tactics of big tech and ad tech firms. Recently, the FTC also filed a lawsuit against an Idaho-based data broker called Kochava, alleging that its customized data feeds allow purchasers to track end users at sensitive locations like places of worship and addiction recovery centers.
Cobun Zweifel-Keegan, managing director of the Washington D.C. office of the International Association of Privacy Professionals (IAPP), said that in particular the FTC has been focusing at a granular level on data minimization policies, with this most recent order providing tight specifics for companies around charting out how data is collected, retained and deleted.
“It’s getting more into the weeds and helping us understand what the FTC means when it wants companies to implement data minimization practices,” said Zweifel-Keegan. “This signals the future course of a lot of FTC actions. I think there will be a common set of requirements under consent orders to help to effectuate this goal of robust data minimization.”