On October 24, 2022, in a rare occurrence, the Federal Trade Commission (FTC) issued a proposed order against Drizly, an online alcohol ordering and delivery service provider, that specifically holds the company’s CEO as liable for the company’s failure to maintain appropriate security safeguards that led to a second data breach.

In 2018, Drizly experienced a data breach that affected 2.5 million consumers’ personal information. The bad actor exfiltrated consumer personal information, such as names, email addresses, phone numbers, mailing addresses, login credentials, order histories, geological information, and a myriad of other consumer data types, all of which was allegedly uncovered because the information was stored on an unsecured website. GitHub, and Drizly allegedly failed to monitor security threats in any capacity.

The FTC further alleged that Drizly and its CEO were aware of the 2018 security incident and failed to take any actions after the fact to address the known security vulnerabilities that ultimately led to a second breach, again involving the theft of consumer personal information data. In light of Drizly’s inability to prioritize data security, the FTC has imposed several requirements of the company and its CEO:

  • Mandated deletion and data minimization – the deletion or destruction of all Covered Information (as defined in the order) that is not being used or retained in connection with providing products or services to customers;
  • Data retention limits – document, adhere to, and make publicly available a retention schedule for Covered Information detailing (1) why each type of Covered Information is collected, (2) specific business needs for retaining the Covered Information, and (3) a set timeframe for deletion of each type of Covered Information; and
  • Mandated information security program – establish, implement, and maintain a comprehensive information security program; among other obligations.

Particularly noteworthy in the FTC’s proposed order is to follow the CEO for the next ten (10) years, regardless of whether he remains at Drizly, he “must within 180 days ensure that the business has established and implemented, and thereafter maintains, a comprehensive information security program (“Business ISP”) that protects the security, confidentiality, and integrity of Covered Information,” subject to other specificities. The FTC order and statements made by Chairwoman Linda Khan and Commissioner Alvaro Bedoya make it clear that data privacy and security must be a priority and that the responsibility fails on any chief executive. Good business hygiene is to name a specific executive responsible for data privacy and security.

The FTC voted 4-0 in support of the order. “Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary,” Khan and Commissioner Alvaro M. Bedoya said in a joint statement. “It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”

The order is subject to a 30-day public comment period prior to the commissioners voting on whether to make it final.

For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.