FTC targets Drizly CEO in proposed order following 2020 data breach

The Federal Trade Commission said Monday it plans to take individual actions against James Cory Rellas, the CEO of alcohol-delivery company Drizly, for mishandling a data breach that exposed the personal data belonging to 2.5 million consumers.

Why it matters: It's rare for the FTC to target an individual executive in data security and privacy cases.

• These actions are more frequent in fraud and misleading advertising cases, the Washington Post reports, citing an anonymous FTC official.

Details: According to the FTC's proposed order, Uber-owned Drizly and Rellas were both aware for two years of the cybersecurity problems that led to a 2020 data breach. As such, the agency plans to enforce a number security requirements for both Drizly and Rellas:

• Drizly will be required to destroy any unnecessary customer data it stored; restrict what data it collects and retains, and implement a comprehensive information security program that includes employee security training.
• Rellas will be required to implement an information security program at any future company that collects data from more than 25,000 consumers that he's a majority owner or senior executive at.

Catch up quick: The FTC had been previously criticized for not naming Meta CEO Mark Zuckerberg in its settlement over the Cambridge Analytica data-scrapping scandal.

The big picture: FTC Chair Lina Khan has pledged to strengthen the FTC's orders — including by naming individual executives — to ensure companies and executives take retaliatory actions from the agency seriously.

• Under current statute, the agency has a limited toolkit for imposing stricter penalties on companies, especially after their first violations. Financial penalties can't be levied against first-time offenders in data security and privacy cases.
• The FTC has already started including tighter security requirements in its orders, including calling on companies to implement specific practices like multi-factor authentication and ordering companies to settle algorithms built using inappropriately obtained data.

What they're saying: "Today's settlement sends a very clear message: protecting Americans' data is not discretionary," said Khan and Democratic Commissioner Alvaro Bedoya in a joint statement. "It must be a priority for any chief executive."

• Khan and Bedoya also said they hope the order puts other companies "on notice."

What's next: The agency, which voted 4-o to support the order, will collect public comments on its proposed order for 30 days. After which, the agency will vote to finalize the order.

Go deeper: FTC considers strengthening its consent decree security hammer