On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed consent order against Drizly and its CEO, James Cory Rellas, over the online alcohol marketplace company’s data breach incident in 2020, which exposed personal information of about 2.5 million customers. The order is noteworthy in that it 1) personally names and requires Drizly’s CEO to implement an information security program, even if he moves to a different company, and 2) demands that Drizly implement data minimization practices, such as deleting all data not used for serving its products and services. This alert provides a summary and analysis of the FTC’s complaint, the proposed order, and the key takeaways.
The Complaint
Background Leading to Drizly’s Breach Incident
A subsidiary of Uber, Drizly operates an online alcohol marketplace that allows local retailers to sell alcohol online to consumers of legal drinking age. According to the complaint, Drizly, in its course of business, collected and stored customers' personal information on Amazon Web Services (AWS)’s cloud computing service, such as customers’ email, passwords, geolocation information, and postal addresses. To facilitate developers’ collaboration, Drizly allegedly also used the GitHub software platform, an unsecured “repository,” in which Drizly stored not only the company's projects but also AWS credentials that provide access to its customers’ passwords.
In 2018, Drizly experienced a security breach after allegedly allowing a Drizly executive to access the GitHub repository for an event and failing to terminate that executive’s access. An intruder, who was able to infiltrate Drizly’s GitHub’s repository using the executive’s passwords, found AWS credentials in the repository. In 2020, a breach occurred again when an intruder similarly gained access to AWS credentials through the unsecured GitHub repository.
Drizly’s Alleged Unreasonable Security Practices
The FTC’s complaint accused Drizly of failing to implement reasonable information security practices to protect customers’ personal information. For example, it:
- failed to protect access to its GitHub account through multifactor authentication;
- failed to monitor and terminate employee and contractor access even after they no longer needed such access;
- continued to store login credentials on GitHub after being put on notice about the dangers of doing so after its 2018 breach incident; and
- failed to implement basic security measures. For example, it did not hire a senior executive specifically for security; it did not test, audit, assess, or review its products’ or application’s security features; and it did not develop written policies, procedures, and practices on security practices.
The Proposed Order
Requirements
Some of the proposed order requirements, such as the requirement to develop an information security program and conduct third-party information security assessments, are typical in the FTC’s security-related settlement orders (although the company only has to conduct data security assessments for 10 years, as opposed to requirements in prior FTC cases that these assessments take place over a period of 20 years).
Other requirements are more novel. For example, the order explicitly requires the company to publish a retention schedule online and to refrain from collecting or retaining personal information not necessary for the specific purposes listed in the retention schedule. This emphasis on data minimization is not surprising, given the commissioners’ statements in the Advance Notice of Proposed Rulemaking on privacy and security issues, which is open for public comment. For example, Commissioner Rebecca Kelly Slaughter in her statement noted her interest in data minimization and cited her history of advocacy for codifying the principle in a federal legislation. The order also requires multifactor authentication methods for all employees, contractors, and affiliates, and notes that such methods must not include telephone or SMS-based authentication methods and must be resistant to phishing attacks.
Notably, the proposed order also specifically binds Rellas to implement and maintain a comprehensive Information Security Program for the next 10 years. The order would follow him if he were to leave Drizly and move to a different company, if the company collects personal information from more than 25,000 individuals, and if his position in the company is that of a majority owner, CEO, or senior officer with information security responsibilities.
Commissioners’ Statements
While the FTC commissioners unanimously approved the proposed order, they were split along party lines on whether Rellas should be named and be held personally responsible as an individual defendant. On the one hand, Republican Commissioner Christine Wilson in her concurring and dissenting statement objected to penalizing Rellas, arguing that the FTC is doing so not because he had a direct control over the company’s security practices, but because he did not prioritize security as a CEO, whose job includes many other priorities. According to Commissioner Wilson, prescribing companies’ priorities reaches beyond the scope of the FTC’s authority. On the other hand, Democrat Chairwoman Lina M. Khan, in a statement that Commissioner Alvaro Bedoya joined, wrote that overseeing a big company is “not an excuse to subordinate legal duties in favor of other priorities” and that the FTC’s role is to make sure that companies' legal obligations are met. Commissioner Slaughter issued a separate statement reiterating the importance of data minimization principles.
The proposed order is subject to a 30-day public comment period before the commissioners vote again on whether to make it final.
Takeaways
Increasing Trend to Hold Executives Personally Accountable
The FTC has been increasingly naming company executives in its complaints and orders. In the case of Drizly, the FTC’s main allegation against Rellas was that, as CEO, he failed to hire a senior executive to oversee the security practices. To mitigate against the risk of individual liability for CEOs, companies may want to ensure that they appoint a senior official responsible for security.
The FTC Expects Companies to Maintain Data Minimization Principles
All commissioners across party lines agreed that data minimization practices play an important role in the healthy data security system because “hackers cannot steal data that companies did not collect in the first place.” Given the unanimity, it is likely that the FTC will insist on a data minimization requirement going forward in its data security orders.
The FTC’s Views on Multifactor Authentication Are Evolving
As part of the FTC’s financial privacy rulemaking completed in 2021, it required entities to implement multifactor authentication, unless a qualified individual determined that an equivalent measure was appropriate. But the requirements are quickly getting more stringent. For instance, in the CafePress settlement announced in June 2022, the FTC required the company to adopt multifactor authentication methods and specifically cited mobile authenticator applications as an appropriate protocol. However, here, the FTC ordered Drizly to implement a multifactor authentication but specifically prohibited Drizly from using telephone or SMS-based multifactor authentication. Moreover, in neither CafePress nor in Drizly would the company be permitted to implement an exception if a security officer deemed it appropriate. The FTC appears to be sending a signal that it considers telephone or SMS-based authentication to be subpar, and cabining the discretion of companies under order on security issues.
