Regulatory Overreach/Litigation Remedies To Curtail Regulatory Excess by Federal Trade Commission

Polsinelli

With the rise of large-scale, high-profile data breaches, the Federal Trade Commission has expressed its intent to hold companies accountable. (See “Consumer Financial Protection Circular 2022-04,” Consumer Financial Protection Bureau, https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficientdata-protection-or-security-for-sensitiveconsumer-information/.) But most alarmingly, there has been a move toward enforcement against company executives in their individual capacity. Whether such enforcement falls within the scope of the FTC Act, however, is another question.

The FTC issued a draft complaint against Drizly LLC and its CEO, James Cory Rellas, for violations of 15 U.S.C. § 45(a)(1), which provides that “unfair or deceptive acts or practices in or affecting commerce … are … unlawful.” Drizly offers online alcohol delivery services and in its course of business collects and stores customer information such as emails, addresses, phone numbers and unique device identifiers. In 2020, Drizly experienced a data incident where hackers breached an employee’s account and stole customer information.

According to the FTC, Drizly knew that its data security practices were inadequate due to a previous data incident in 2018 but failed to properly remedy those issues despite its representations to the contrary. In particular, the FTC claimed Drizly failed to implement simple, inexpensive security measures such as two-factor authentication and limit employee access to customer information. Accordingly, the FTC claimed that Drizly’s representations to consumers on its website and mobile app that it had “appropriate safeguards” were false. (In the Matter of Drizly, LLC, https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf)

As to Rellas, the FTC claimed he should have hired a senior executive responsible for data security:

[A]s CEO of Drizly prior to and during the breach, Rellas hired senior executives dedicated to finance, legal, marketing, retail, human resources, product[] and analytics[] but failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly (Id.).

The parties entered into a consent agreement in October 2022 thereby waiving judicial review. Most interestingly, the consent agreement follows Rellas for 10 years — even after he leaves Drizly:

Part VII of the Proposed Order requires Individual Respondent James Cory Rellas, for a period of ten years, for any business that he is a majority owner, or is employed or functions as a CEO or other senior officer with responsibility for information security, to ensure the business has established and implements, and thereafter maintains, an information security program.

(“Analysis of Proposed Consent Order to Aid Public Comment in the Matter of Drizly, LLC, and James Cory Rellas,” File No. 2023185, https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-AAPC.pdf.)

“After receiving no substantive comments, the Commission voted 4-0 to finalize the complaint and order against Drizly.” (“FTC Finalizes Order with Online Alcohol Marketplace for Security Failures that Exposed Personal Data of 2.5 million People,” Federal Trade Commission, https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-finalizes-order-online-alcohol-marketplace-security-failures-exposed-personal-data-25-million.) The question remains, however, whether CEOs like Rellas should be subjected to this kind of regulatory reach.

The law is clear that a person may be individually liable under the FTC Act if they: (1) participated directly in the deceptive practice or had the authority to control the practice; and (2) knew or should have known the practices were deceptive. F.T.C. v. Ross, 743 F.3d 886, 892-93 (4th Cir. 2014). As the U.S. Court of Appeals for the Tenth Circuit has explained:

[T]o hold an individual personally liable for consumer redress, the FTC must show a heightened standard of awareness beyond the authority to control. This awareness, however, need not rise to the level of an intent to defraud. In particular, the FTC need only show the individual had or should have had knowledge or awareness of defendants’ misrepresentations. The FTC may fulfill its burden by showing the individual had actual knowledge of material misrepresentations, reckless indifference to the truth or falsity of such misrepresentations, or an awareness of a high probability of fraud along with an intentional avoidance of the truth.

F.T.C. v. Freecom Commc’ns, Inc., 401 F.3d 1192, 1207 (10th Cir. 2005) (internal citations and quotation marks omitted). This “heightened standard of awareness” could prove difficult in the data incident context.

Regardless, even if the act reaches this conduct, the FTC’s decision to proceed against Rellas on an individual basis is surprising. As Commissioner Christine Wilson explained in her Oct. 24, 2022 concurring and dissenting statement:

The [c]ommission traditionally has exercised its prosecutorial discretion and assessed a variety of factors when deciding whether to name a CEO or principal, including consideration of whether individual liability is necessary to obtain effective relief, and the level of the individual’s knowledge and participation in the alleged illegal conduct.

(Wilson Concurring Statement (Oct. 24, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/2023185WilsonDrizlyStatement.pdf.) According to Wilson, none of these factors favored proceeding against Rellas in particular because “the number of issues crossing a CEO’s desk on any given day is substantial” and there is no allegation that “Rellas oversaw day-to-day operations of the company’s data security practices, had any data security expertise[] or was responsible for decisions about data security policies, procedures[] or programs” (Id.). In doing so, Wilson noted that the FTC has “signaled that [it] will substitute its own judgment about corporate priorities and government decisions for those of companies” (Id.).

While proving an executive’s “heightened standard of awareness” may prove difficult, it is not stopping the FTC from filing complaints, which — as in the case of Rellas — could follow executives for years after they leave the company at issue.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
