Home » Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches

Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches

by delta
0 comment

According to the FTC, Drizly CEO James Cory Relas was warned of a potential security loophole two years after a data breach that exposed the personal information of 2.5 million customers of the alcohol delivery service. rice field. According to the agency, Rellas’ behavior was so egregious that his company not only faces a series of data privacy requirements for him, but Rellas himself, even if he is no longer employed by Drizly. prize. Baker Donelson’s Alisa Chester and Greta Messer unravel this unprecedented order.

If management and boards don’t talk about cyber responsibility and risk management often, they will soon. As a matter of both corporate and personal responsibility, recent enforcement has shown that we cannot rely on generic privacy policy language at the expense of meaningful operations in support of statements that administrators post and publish. became clear.

As an example, the FTC announced an enforcement action against online alcohol marketplace Drizly in late October 2022. This FTC action is Drizly’s 2020 data breach when an internal data security failure affected the information of 2.5 million customers.

FTC enforcement on privacy is common, but the FTC’s renewed focus on the role of management in privacy and information security is unprecedented. On January 10, the FTC finalized his Drizly consent order, requiring Drizly to implement and maintain a data protection program. This is a common result of privacy-related consent orders. However, it has not been very common for the FTC to require Drizly CEO Rellas to implement an information security program in future companies that meet certain specifications.

In this unprecedented move, Rellas owns the personal data of more than 25,000 consumers whose majority interests he holds, is involved with, serves as CEO or holds a management position. , must ensure that it is implemented by all businesses in which he is involved. Maintain a formal information security management program.

Presentation In the lawsuit against Drizly and Rellas in October, the agency specifically emphasized this mandate. [order] Opposing Drizly not only limits what the company can keep and collect going forward but also ensures that the CEO faces the consequences of the company’s negligence.

therefore, FTC Final Determination It’s pretty significant in its depth and breadth, highlighting two key violations by Drizly.

  • Not implementing out-of-the-box, low-cost data protection measures
  • Using company websites to disguise compliance with commercially reasonable security practices

Among these violations, the FTC noted that the company’s documented policies and procedures, including those requiring employee training and the failure to put qualified professionals at the helm of its data security program, points out that there are no steps.

Drizly also excused its flawed encryption technology, poor credential management, lack of multi-factor authentication, and inability to monitor data exfiltration as it failed to implement other standard safeguards and policies. I’m sorry. The FTC specifically took notice of Drizly’s inadequate privacy and security practices, namely: 2018 incident Drizly’s parent company, Uber, is involved.

Drizly is currently responsible for implementing an information security program that includes the following policies and procedures:

  • Specify data retention, destruction, and minimization limits
  • Implementing data access control
  • Test your safety measures regularly
  • employee training
  • Create measures to prevent the storage of unsecured access keys or credentials

In addition, the program undergoes biennial third-party evaluations to ensure its ability to protect personal information.

Going forward, the FTC’s ongoing oversight of Drizly and Rellas will help alert companies to government expectations for the development of data protection programs and accountability for misrepresentation of compliance with reasonable security practices.

Conclusion for your company and its management and officers: Get a realistic understanding of the risks

Management cannot rely on a one-size-fits-all privacy policy. Companies and their individual leaders must take responsibility for evaluating their company’s operations and adopting meaningful operations that support the statements they post and publish.

You may also like

Leave a Comment


Delta-Compliance.com is a premier news website that provides in-depth coverage of the latest developments in finance, startups, compliance, business, science, and job markets.

Editors' Picks

Latest Posts

This Website is operated by the Company DELTA Data Protection & Compliance, Inc., located in Lewes, DE 19958, Delaware, USA.
All feedback, comments, notices of copyright infringement claims or requests for technical support, and other communications relating to this website should be directed to: info@delta-compliance.com. The imprint also applies to the social media profiles of DELTA Data Protection & Compliance.

Copyright ©️ 2023  Delta Compliance. All Rights Reserved

Newsletter Signup

Subscribe to our weekly newsletter below and never miss the latest product or an exclusive offer.