08:36:38 PM
25 2022

USA: FTC proposes order against Drizly and its CEO for security failures

View 4.8K

word 580 read time 2 minutes, 54 Seconds

The Federal Trade Commission ('FTC') announced, on 24 October 2022, that it had issued a proposed order against Drizly, LLC and its CEO, James Cory Rellas, over allegations that the company's security failures had led to a data breach exposing the personal information of approximately 2.5 million consumers, and violating § 5(a) of the Federal Trade Commission Act ('the FTC Act').

Background to the case

Specifically, the FTC initiated an investigation into certain acts and practices of Drizly and Rellas.

Findings of the SEC

Following the investigation, the #FTC issued a complaint against #Drizly, highlighting that it had reason to believe that Drizly and Rellas violated the provisions of § 5(a) of the FTC Act by failing to use appropriate information security practices to protect consumers' personal information. More specifically, the FTC detailed that Drizly did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.

Furthermore, the FTC also noted that Drizly stored critical database information on an unsecured platform and neglected to monitor its network for security threats including not putting a senior executive in charge of ensuring that the company was keeping its data secure, nor monitoring its network for unauthorised attempts to access or remove personal data. To this end, the FTC concluded that these failures allowed a malicious actor to access Drizly's consumer database and steal information relating to 2.5 million consumers.


In light of the above, the FTC noted that its proposed order includes several requirements to ensure that Drizly take steps to address the problems outlined in the FTC's complaint. As such, the FTC specified that this would require Drizly to, among other things:

  • Destroy any personal data collected that is not necessary for it to provide products or services to consumers. The data destroyed must be documented and reported to the FTC.
  • Refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule, and publicly detail on its website the information it collects and why such data collection is necessary.
  • Implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint including:
    • providing security training for its employees;
    • designating a high-level employee to oversee the information security program;
    • implementing controls on who can access personal data; and
    • requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.

Notably, the FTC clarified that the order applies personally to Rellas, noting that the FTC's proposed order will follow Rellas even if he leaves Drizly. Specifically, the FTC highlighted that Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

On the above, Commissioner Christine S. Wilson clarified that she dissented from the inclusion of Rellas in the complaint and settlement. Specifically, Wilson explained that "To seek injunctive relief with respect to a CEO or other principal, the FTC must show only that the individual 'participated directly in the deceptive practices or had authority to control those practices', and does not require the FTC to show a 'specific link from [the individual] to the particular deceptive [acts] and instead looks at whether [the individual] had authority to control the corporate entity's practices". / dataguidance

Source by Redazione

LSNN is an independent publisher that relies on reader support. We disclose the reality of the facts, after careful observations of the contents rigorously taken from direct sources. LSNN is the longest-lived portal in the world, thanks to the commitment we dedicate to the promotion of authors and the value given to important topics such as ideas, human rights, art, creativity, the environment, entertainment, Welfare, Minori, on the side of freedom of expression in the world «make us a team» and we want you to know that you are precious!

Dissemination* is the key to our success, and we've been doing it well since 1999. Transparent communication and targeted action have been the pillars of our success. Effective communication, action aimed at exclusive promotion, has made artists, ideas and important projects take off. Our commitment to maintain LSNN is enormous and your contribution is crucial, to continue growing together as a true team. Exclusive and valuable contents are our daily bread. Let us know you are with us! This is the wallet to contribute.

*Dissemination is the process of making scientific and technical information accessible to a non-specialist public. This can come through various forms, such as books, articles, lectures, television programs and science shows.

Similar Articles / USA: FTC... failures
01 gen 1970
from: ladysilvia
by: esaint
from: ladysilvia
by: Green_Cross_Italia
15 mar 2005
Password: security