Continuing the recent trend of holding company executives personally liable for a company’s alleged violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), the Federal Trade Commission (FTC) announced a complaint and consent agreement with Drizly, LLC (“Drizly”), an alcohol delivery app, and Chief Executive Officer James Cory Rellas over the failure to implement reasonable information security practices.
As alleged in the complaint, Drizly and Rellas became aware of data security deficiencies following a 2018 security incident. Drizly failed to adequately address the security deficiencies, but publicly stated that it had appropriate security protections in place. Two years after the initial security incident, Drizly suffered a new security incident, resulting in the loss of personal information of 2.5 million consumers.
The FTC alleged in the complaint that this is both unfair and deceptive and therefore a violation of the FTC Act because Drizly (1) stated it had appropriate security practices in place to protect customer information, but did not require employees to use two-factor authentication to access software, limit employee access to customer data, “develop adequate written security policies, or train employees on those policies;” (2) stored database login information on an unsecured platform; (3) failed to monitor its network for security threats; and (4) exposed customers to hackers and identity thieves.
The failure to employ reasonable security practices was unfair according to the FTC because it “caused or is likely to cause substantial injury to consumers that is not outweighed by the countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves.”
Rellas is personally liable, as alleged by the FTC, because he had the authority to control, or participated in, the company’s deficient data security practices as CEO, including his “fail[ure] to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly.” Notably, the proposed order imposes data security compliance obligations on Rellas, even if he leaves Drizly.
Commissioner Christine S. Wilson issued a separate statement, concurring with the decision to hold Drizly liable, but dissenting on holding Rellas individually liable for Drizly’s deficient data practices. Commissioner Wilson reasoned that “CEOs have hundreds of issues and numerous regulatory obligations to navigate. Companies, not federal regulators, are better positioned to evaluate what risks require the regular attention of a CEO.”
If the proposed order is made final by the FTC, Drizly and Rellas are required to:
- Destroy unnecessary consumer personal information;
- Limit the future collection of personal information; and
- Implement a comprehensive data security program.
Further, Drizly is required to conduct biennial security assessments for the next twenty years, and Rellas is required to ensure that any future company where he is the majority owner or senior executive officer maintains a comprehensive data security program. The FTC’s requirements for the comprehensive data security program include:
- Vulnerability testing of the network and applications every four months; and
- Penetration testing the business’s network and applications every twelve months.
Businesses and executives should take note: data protection is an enforcement priority for regulators. For more information, reach out to the authors or your relationship partner at the firm. For more, stay tuned. CPW is there to keep you in the loop.