According to the FTC, Drizly CEO James Cory Rellas was warned of a potential security loophole two years after a data breach that exposed the personal information of 2.5 million customers of the alcohol delivery service. According to the agency, Rellas' conduct was so egregious that not only does his company face a series of data privacy requirements, but so does Rellas himself, even if he is no longer employed by Drizly. Baker Donelson's Alisa Chester and Greta Messer unravel this unprecedented order.
As background, the FTC announced an enforcement action against online alcohol marketplace Drizly in late October 2022. The action stems from Drizly's 2020 data breach, in which an internal data security failure exposed the information of 2.5 million customers.
FTC enforcement on privacy is common, but the FTC's renewed focus on the role of management in privacy and information security is unprecedented. On January 10, the FTC finalized its Drizly consent order, requiring Drizly to implement and maintain a data protection program. That is a common outcome of privacy-related consent orders. Far less common is the order's requirement that Drizly CEO Rellas implement an information security program at future companies that meet certain specifications.
In this unprecedented move, Rellas must ensure that any business in which he holds a majority interest, serves as CEO, or holds a management position, and which handles the personal data of more than 25,000 consumers, implements and maintains a formal information security management program.
In announcing the complaint against Drizly and Rellas in October, the agency specifically emphasized this mandate: the order against Drizly not only limits what the company can collect and keep going forward, but also ensures that the CEO faces the consequences of the company's negligence.
The FTC's final order is therefore significant in both its depth and its breadth, highlighting two key violations by Drizly:
- Failing to implement readily available, low-cost data protection measures
- Misrepresenting on the company's website that it complied with commercially reasonable security practices
Among these violations, the FTC pointed out that the company lacked documented policies and procedures, including those requiring employee training, and failed to put qualified professionals at the helm of its data security program.
Drizly also failed to implement other standard safeguards and policies, leaving it with flawed encryption, poor credential management, no multi-factor authentication, and no ability to monitor for data exfiltration. The FTC took particular note of Drizly's inadequate privacy and security practices in light of a 2018 incident involving Drizly's parent company, Uber.
Drizly is now required to implement an information security program that includes the following policies and procedures:
- Specifying data retention, destruction, and minimization limits
- Implementing data access controls
- Testing security measures regularly
- Training employees
- Establishing measures to prevent the storage of unsecured access keys or credentials
In addition, the program must undergo biennial third-party assessments of its ability to protect personal information.
Going forward, the FTC's ongoing oversight of Drizly and Rellas puts companies on notice of government expectations for the development of data protection programs, and of accountability for misrepresenting compliance with reasonable security practices.
The takeaway for your company and its management and officers: get a realistic understanding of the risks.