FTC targets Drizly CEO in proposed order following 2020 data breach
Add Axios as your preferred source to
see more of our stories on Google.
Photo: Thiago Prudêncio/SOPA Images/LightRocket via Getty Images.
The Federal Trade Commission said Monday it plans to take individual actions against James Cory Rellas, the CEO of alcohol-delivery company Drizly, for mishandling a data breach that exposed the personal data belonging to 2.5 million consumers.
Why it matters: It's rare for the FTC to target an individual executive in data security and privacy cases.
- These actions are more frequent in fraud and misleading advertising cases, the Washington Post reports, citing an anonymous FTC official.
Details: According to the FTC's proposed order, Uber-owned Drizly and Rellas were both aware for two years of the cybersecurity problems that led to a 2020 data breach. As such, the agency plans to enforce a number security requirements for both Drizly and Rellas:
- Drizly will be required to destroy any unnecessary customer data it stored; restrict what data it collects and retains, and implement a comprehensive information security program that includes employee security training.
- Rellas will be required to implement an information security program at any future company that collects data from more than 25,000 consumers that he's a majority owner or senior executive at.
Catch up quick: The FTC had been previously criticized for not naming Meta CEO Mark Zuckerberg in its settlement over the Cambridge Analytica data-scrapping scandal.
The big picture: FTC Chair Lina Khan has pledged to strengthen the FTC's orders — including by naming individual executives — to ensure companies and executives take retaliatory actions from the agency seriously.
- Under current statute, the agency has a limited toolkit for imposing stricter penalties on companies, especially after their first violations. Financial penalties can't be levied against first-time offenders in data security and privacy cases.
- The FTC has already started including tighter security requirements in its orders, including calling on companies to implement specific practices like multi-factor authentication and ordering companies to settle algorithms built using inappropriately obtained data.
What they're saying: "Today's settlement sends a very clear message: protecting Americans' data is not discretionary," said Khan and Democratic Commissioner Alvaro Bedoya in a joint statement. "It must be a priority for any chief executive."
- Khan and Bedoya also said they hope the order puts other companies "on notice."
What's next: The agency, which voted 4-o to support the order, will collect public comments on its proposed order for 30 days. After which, the agency will vote to finalize the order.
Go deeper: FTC considers strengthening its consent decree security hammer
