Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches

If management and boards don’t talk about cyber responsibility and risk management often, they will soon. As a matter of both corporate and personal responsibility, recent enforcement has shown that we cannot rely on generic privacy policy language at the expense of meaningful operations in support of statements that administrators post and publish. became clear.

As an example, the FTC announced an enforcement action against online alcohol marketplace Drizly in late October 2022. This FTC action is Drizly’s 2020 data breach when an internal data security failure affected the information of 2.5 million customers.

FTC enforcement on privacy is common, but the FTC’s renewed focus on the role of management in privacy and information security is unprecedented. On January 10, the FTC finalized his Drizly consent order, requiring Drizly to implement and maintain a data protection program. This is a common result of privacy-related consent orders. However, it has not been very common for the FTC to require Drizly CEO Rellas to implement an information security program in future companies that meet certain specifications.

In this unprecedented move, Rellas owns the personal data of more than 25,000 consumers whose majority interests he holds, is involved with, serves as CEO or holds a management position. , must ensure that it is implemented by all businesses in which he is involved. Maintain a formal information security management program.

Presentation In the lawsuit against Drizly and Rellas in October, the agency specifically emphasized this mandate. [order] Opposing Drizly not only limits what the company can keep and collect going forward but also ensures that the CEO faces the consequences of the company’s negligence.

therefore, FTC Final Determination It’s pretty significant in its depth and breadth, highlighting two key violations by Drizly.

• Not implementing out-of-the-box, low-cost data protection measures
• Using company websites to disguise compliance with commercially reasonable security practices

Among these violations, the FTC noted that the company’s documented policies and procedures, including those requiring employee training and the failure to put qualified professionals at the helm of its data security program, points out that there are no steps.

Drizly also excused its flawed encryption technology, poor credential management, lack of multi-factor authentication, and inability to monitor data exfiltration as it failed to implement other standard safeguards and policies. I’m sorry. The FTC specifically took notice of Drizly’s inadequate privacy and security practices, namely: 2018 incident Drizly’s parent company, Uber, is involved.

Drizly is currently responsible for implementing an information security program that includes the following policies and procedures:

• Specify data retention, destruction, and minimization limits
• Implementing data access control
• Test your safety measures regularly
• employee training
• Create measures to prevent the storage of unsecured access keys or credentials

In addition, the program undergoes biennial third-party evaluations to ensure its ability to protect personal information.

Going forward, the FTC’s ongoing oversight of Drizly and Rellas will help alert companies to government expectations for the development of data protection programs and accountability for misrepresentation of compliance with reasonable security practices.

Conclusion for your company and its management and officers: Get a realistic understanding of the risks

Management cannot rely on a one-size-fits-all privacy policy. Companies and their individual leaders must take responsibility for evaluating their company’s operations and adopting meaningful operations that support the statements they post and publish.