Oct 24, 2022 - Technology

FTC targets Drizly CEO in proposed order following 2020 data breach

Photo: Thiago Prudêncio/SOPA Images/LightRocket via Getty Images.

The Federal Trade Commission said Monday it plans to take individual action against James Cory Rellas, the CEO of alcohol-delivery company Drizly, for mishandling a data breach that exposed personal data belonging to 2.5 million consumers.

Why it matters: It's rare for the FTC to target an individual executive in data security and privacy cases.

  • These actions are more frequent in fraud and misleading advertising cases, the Washington Post reports, citing an anonymous FTC official.

Details: According to the FTC's proposed order, Uber-owned Drizly and Rellas were both aware for two years of the cybersecurity problems that led to a 2020 data breach. As such, the agency plans to enforce a number of security requirements for both Drizly and Rellas:

  • Drizly will be required to destroy any unnecessary customer data it stored, restrict what data it collects and retains, and implement a comprehensive information security program that includes employee security training.
  • Rellas will be required to implement an information security program at any future company where he is a majority owner or senior executive and that collects data from more than 25,000 consumers.

Catch up quick: The FTC had previously been criticized for not naming Meta CEO Mark Zuckerberg in its settlement over the Cambridge Analytica data-scraping scandal.

The big picture: FTC Chair Lina Khan has pledged to strengthen the FTC's orders — including by naming individual executives — to ensure companies and executives take retaliatory actions from the agency seriously.

  • Under current statute, the agency has a limited toolkit for imposing stricter penalties on companies, especially after their first violations. Financial penalties can't be levied against first-time offenders in data security and privacy cases.
  • The FTC has already started including tighter security requirements in its orders, including calling on companies to implement specific practices like multi-factor authentication and ordering companies to delete algorithms built using inappropriately obtained data.

What they're saying: "Today's settlement sends a very clear message: protecting Americans' data is not discretionary," said Khan and Democratic Commissioner Alvaro Bedoya in a joint statement. "It must be a priority for any chief executive."

  • Khan and Bedoya also said they hope the order puts other companies "on notice."

What's next: The agency, which voted 4-0 to support the order, will collect public comments on its proposed order for 30 days. After that, the agency will vote to finalize the order.

Go deeper: FTC considers strengthening its consent decree security hammer
