Federal Trade Commission Finalizes Order Holding Drizly, LLC and Its CEO Accountable for Data Security Failures

Snell & Wilmer
On January 9, 2023, the Federal Trade Commission (“FTC”) finalized an order with Drizly, LLC, an online marketplace for alcohol delivery services, and its Chief Executive Officer (“CEO”), James Cory Rellas, over alleged security failures that led to data breaches that exposed the personal information of 2.5 million consumers.1 The Order is significant because it holds Rellas individually accountable for the company’s security failures and imposes future restrictions on him for the next ten years, regardless of his place of employment.

For years, the FTC has taken enforcement actions relating to data security under Section 5 of the FTC Act. Penalties in these enforcement actions typically include fines or mandated corrective action that includes ongoing monitoring and reporting requirements.

Historically, FTC enforcement actions only focused on individual accountability in certain circumstances.2 Since 2019, however, the FTC has placed increased scrutiny on corporate officers and directors. For instance, following the 2019 settlement with TikTok (formerly Musical.ly Inc.) for alleged COPPA violations, two FTC Commissioners stated that investigations should prioritize uncovering the roles of corporate officers and directors and holding them accountable.3 Since then, the FTC has held executives personally liable for privacy, cybersecurity, and marketing violations in various enforcement actions. For example, in 2019, the FTC issued a final order against UrthBox, Inc. and its principal, Behnam Behrouzi,4 and in 2021, the FTC held SpyFone and its CEO, Scott Zuckerman, accountable for FTC Act violations.5

According to FTC Chair Lina M. Khan, the Drizly settlement is meant to put other market participants on notice and send a clear message that “protecting Americans’ data is not discretionary. It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”6

The Consent Order

The Order requires Drizly to implement a variety of data security measures, including:

• Data Minimization - Drizly is required to destroy any personal data it collected that is not necessary for it to provide products or services to consumers. It must also document and report to the FTC what data it destroyed. Drizly must also limit the information it collects to what is necessary for specific purposes outlined in a retention schedule, which Drizly must make publicly available.
• Security Program Implementation - The Order also requires Drizly to implement an information security program, which will include providing security training for its employees, designating an employee to oversee the information security program, implementing access controls, and requiring multi-factor authentication.
• Security Assessments - Drizly is also required to hire a qualified third party to conduct biennial security assessments for the next 20 years. These assessments must be submitted to the FTC.

Executive Accountability

The consent agreement will require Rellas to implement an information security program at any company that collects information on more than 25,000 individuals and where he is a majority owner, CEO, or senior officer with information security responsibilities.

Notably, FTC commissioners disagreed as to whether Rellas should be held individually liable.7 Commissioner Christine S. Wilson did not support holding Rellas liable, noting that she would “expect CEOs to have little to no involvement with, and no direct knowledge of, practices that are the subject of an FTC investigation.”8 She emphasized that “CEOs have hundreds of issues and numerous regulatory obligations to navigate … and, companies, not federal regulators, are better positioned to evaluate what risks require the regular attention of a CEO.” In response, FTC Chair Khan emphasized that “overseeing a big company is not an excuse to subordinate legal duties in favor of other priorities.”9 Khan also stated that “FTC has a role to play in making sure a company’s legal obligations are weighed in the boardroom.”10

Takeaways

The final consent agreement sends a clear message to businesses and executives that the FTC will not tolerate lax data security practices. In the absence of specific legally mandated security requirements, the FTC will continue to hold companies accountable for failing to use “reasonable” security practices to protect consumers. Companies can expect the FTC to continue to exercise its authority under Section 5 broadly, to pursue companies that fail to implement best practices, and to hold executives accountable where appropriate. Data retention and minimization practices will also likely receive heightened FTC scrutiny going forward.

Footnotes:

  1. See Combined Consent, In the Matter of Drizly, LLC, Docket No. C-4879 (Jan. 9, 2023), available at https://www.ftc.gov/system/files/ftc_gov/pdf/2023185-drizly-combined-consent.pdf.

  2. See Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter, In the Matter of Musical.ly Inc. (Feb. 14, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1463167/chopra_and_slaughter_musically_tiktok_joint_statement_2-27-19_0.pdf.

  3. Id.

  4. See Decision and Order, In the Matter of UrthBox, Inc., Docket No. C-4676 (May 14, 2019), available at https://www.ftc.gov/system/files/documents/cases/c-4676_172_3028_urthbox_decision_and_order_5-17-19_0.pdf.

  5. See Press Release, Fed. Trade Comm’n, FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data (Sept. 1, 2021), available at https://www.ftc.gov/news-events/news/pressreleases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data.

  6. See Joint Statement of Chair Lina M. Khan and Commissioner Alvaro M. Bedoya, In the Matter of Drizly, LLC, (Oct. 24, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Statement-of-Chair-Lina-M.-Khan-Joined-By-Commissioner-Alvaro-M.-Bedoya-re-Drizly-final.pdf.

  7. Id.

  8. See Concurring and Dissenting Statement of Commissioner Christine S. Wilson, In the Matter of Drizly, LLC (Oct. 24, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/2023185WilsonDrizlyStatement.pdf.

  9. Id.

  10. See Joint Statement of Chair Lina M. Khan and Commissioner Alvaro M. Bedoya, In the Matter of Drizly, LLC, (Oct. 24, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Statement-of-Chair-Lina-M.-Khan-Joined-By-Commissioner-Alvaro-M.-Bedoya-re-Drizly-final.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
