The FTC recently issued a proposed order that would settle an enforcement action against Drizly, LLC and its co-founder and CEO, James Rellas, arising from data breaches in 2018 and 2020 that affected over 2.5 million customers. The FTC’s proposed order is unusual in that applies to Rellas personally. The order requires Rellas to implement various data security practices at any company he owns or oversees in the next decade, even if Rellas moves to a company unrelated to Drizly.

Let’s take a look at the data security breaches that led to the FTC’s enforcement action and some of the key takeaways that result from the FTC’s unusual proposed order.

Drizly’s Data Security Breaches

Founded in 2012 and acquired by Uber in 2021, Drizly characterizes itself as “North America’s largest online marketplace for alcohol.” The company is an online platform through which customers can purchase alcohol from local retailers for home delivery. After co-founding the company, Rellas held various positions within Drizly and has been the company’s CEO since 2018.

According to the FTC’s draft complaint, Drizly’s first data security breach came in 2018, after a Drizly employee posted credentials to the company’s Amazon Web Services (AWS) account in a public-facing GitHub repository. Hackers were able to use those credentials to access Drizly’s AWS servers and mine cryptocurrency using the servers until Drizly learned of the breach and changed the credentials.

The second breach came in 2020. Long before this breach, in order to facilitate an unnamed executive’s participation in a one-day coding event, Drizly gave the executive access to the company’s GitHub repository, but failed to revoke the access after the one-day event. That executive used the same credentials for personal and work accounts, and after an unrelated breach exposed credentials for one of the executive’s personal accounts, hackers were able to parlay the exposed personal credentials to access Drizly’s GitHub repositories. Those repositories included credentials for Drizly’s AWS account. The hackers accessed Drizly’s AWS account—which contains Drizly’s databases of customer data including contact information, order and payment history, geolocation, demographic information, and other data—and copied records for more than 2.5 million Drizly customers, at least some of which were then posted for sale on dark web forums.

FTC’s Proposed Order

The FTC preliminarily settled with Drizly and Rellas before formally issuing the complaint. On October 24, the FTC released its draft complaint and a proposed consent order that name both Drizly and Rellas as respondents. The draft complaint charges Drizly and Rellas with two counts under the FTC Act: one count for engaging in unfair acts by failing to employ reasonable data-security measures and a second count for making false or misleading statements about Drizly’s use of appropriate safeguards to protect customer information. The proposed order is open for public comment until December 1, after which point the FTC will decide whether to issue the complaint and order.

As to Drizly, the proposed order requires Drizly to implement various remedial and prospective data security practices, including deleting unnecessarily collected data, limiting future data collection, implementing an information security program, and obtaining third-party security assessments of the company’s security measures.

As to Rellas, for the next 10 years, the proposed order requires Rellas to implement an information security program at any company (1) that collects personal information of 25,000 or more consumers and (2) of which he is a majority owner or senior officer. To comply with the order, Rellas will need to ensure that any such company develops a written information security plan, updates and provides the plan to the board of directors annually, designates a qualified employee to be responsible for the information security plan, conducts annual testing of the plan’s data security safeguards, and requires third-party service providers to implement data security safeguards. This is an exceptional aspect of the FTC’s proposed order. Obligations stemming from a data breach are typically limited to the company or entity that suffered the incident. Structuring the remedial and prophylactic obligations to follow the individual rather than the company—and extending those obligations a decade into the future—is a remarkable development in the FTC’s information-security practices.

Key Takeaways

The FTC Is Treating Data Security as an Executive Responsibility

By naming Rellas individually in the complaint and imposing obligations that would follow Rellas to any new qualifying company, the FTC is signaling that it views data security as an executive responsibility. The FTC’s complaint faults Rellas for “hir[ing] senior executives dedicated to finance, legal, marketing, retail, human resources, product, and analytics, but fail[ing] to hire a senior executive responsible for the security of consumers’ personal information.”[1] And as FTC chair Lina Khan explained of the proposed order: “Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive.”[2] Thus, executive leaders should be aware that the FTC expects them to prioritize the protection of customer data and that it will seek to hold executives accountable for preventable data security breaches.

Note, however, that although the FTC intends to send a message to executives by imposing obligations on Rellas that may follow him to a new company, the FTC may encounter difficulties in enforcing those obligations. As noted by FTC Commissioner Christine Wilson—who dissented from the imposition of liability on Rellas personally—the FTC’s proposed order does not address scenarios in which Rellas moves to a new company whose owners or other executives prevent him from implementing a robust data-security plan.[3]

The FTC Is Taking a Broad View of “Unreasonable Security Practices” 

 Drizly’s 2018 and 2020 data breaches were made possible by obvious security lapses. Both breaches would have been prevented if Drizly followed GitHub’s recommendation to avoid storing passwords in GitHub repositories, and the 2020 breach would have been avoided if the unnamed Drizly executive used unique passwords for personal and work accounts. But the FTC’s order faults Drizly not only for these obvious security lapses, but also for a number of security practices that are less obviously deficient. For example, the FTC’s draft complaint characterizes all of the following as unreasonable information security practices:

  • Drizly did not use readily available measures to scan its GitHub repositories to determine whether they contained unsecured passwords and other credentials.
  • Drizly did not require multifactor authentication for all employees with access to code repositories.
  • Drizly did not regularly review access permissions and revoke permissions that were no longer being used.
  • Drizly did not regularly inventory and delete customers’ personal information that no longer needed to be stored.
  • Drizly did not conduct regular risk assessments, vulnerability scans, penetration tests, or other audits of its networks and databases.[4]

Executives and others responsible for a company’s information security practices should therefore be aware that simply implementing an information security plan may not be sufficient to avoid FTC liability in the event of a data breach or investigation. Rather, these individuals will need to review the substantive aspects of the plan to check that they conform to the FTC’s expectations. Guidance for those looking to conform to the FTC’s data-security expectations can be found in the FTC’s 2021 update to its Safeguards Rule. Although the Safeguards Rule applies only to financial institutions, the rule is informative as to those data security practices the FTC considers to be adequate.

The FTC Is Placing an Increased Focus on Data Minimization

“Data minimization”—the practice of collecting and retaining only the customer information that a company needs to conduct its business—has become an increasing focus for the FTC. 2021 was the first year in which the FTC secured an order that imposed a data minimization requirement, and FTC’s proposed order against Drizly and Rellas likewise requires both to implement data minimization measures. FTC Chair Lina Khan has explained that data minimization is an enforcement priority because “[h]ackers cannot steal data that companies did not collect in the first place.”[5] As compared to other information security practices such as third-party audits and the hiring of dedicated information security employees, data minimization is a comparatively low-cost measure that companies may choose to adopt to avoid FTC enforcement.

The FTC Is Policing Statements about Data Security

One of the violations charged in the FTC’s draft complaint concerned Drizly’s allegedly deceptive statements to its customers regarding its information security practices. Among the offending statements was the generic statement in Drizly’s privacy policy that “[w]e use standard security practices such as encryption and firewalls to protect the information we collect from you.”[6] The FTC alleged that this and a related statement were false or misleading because Drizly did not in fact maintain appropriate safeguards, thereby demonstrating the FTC’s focus on security disclosures and claims—even including somewhat non-specific assurances of security such as those in Drizly’s privacy policy. The FTC’s treatment of these statements as false or misleading highlights that those individuals drafting privacy policies, ad copy, and other customer-facing materials need to be in communication with those responsible for a company’s data security practices to ensure that any statements about the company’s data security practices are accurate and defensible.

*          *          *

The FTC’s proceedings against Drizly show that the FTC is taking new approaches towards information security, including looking beyond the company itself to its executives, emphasizing data minimization, and policing statements regarding information security in addition to the sufficiency of the information security itself. Companies subject to the FTC Act should be aware of these developments so that they can respond as necessary to ensure compliance.

[1] Draft Compl. ¶ 4, In re Drizly, LLC, FTC Dkt. No. 202-3185, https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf.

[2] 87 Fed. Reg. 65767, 65769 (Nov. 1, 2022).

[3] 87 Fed. Reg. 65767, 65771 n.7 (Nov. 1, 2022).

[4] Draft Compl. ¶¶ 13(a)-(f), In re Drizly, LLC, FTC Dkt. No. 202-3185, https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf.

[5] 87 Fed. Reg. 65767, 65770 (Nov. 1, 2022).

[6] Draft Compl. ¶ 16, In re Drizly, LLC, FTC Dkt. No. 202-3185, https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf.