Drizly CEO hit with rare FTC order that cites him as an individual



The Federal Trade Commission plans to take the rare step of imposing individual sanctions against the CEO of alcohol delivery company Drizly for data privacy abuse, following allegations that security flaws in the company under his watch disclosed the personal information of about 2.5 million customers.

The proposed order will follow Drizly CEO James Cory Rellas into future ventures, requiring him to implement a security program at all businesses he leads that collect information from more than 25,000 people. The order will also apply to the company itself, which is now a subsidiary of ride-sharing service Uber. Under the terms of the FTC action, Rellas and Drizly will have to destroy unnecessary data, implement new data controls and train employees on cybersecurity.

In singling out Rellas, the FTC signaled it could use a broader range of tools to combat data privacy breaches under Chairwoman Lina Khan, who was widely expected to bring tougher oversight to the tech industry. Rellas’ inclusion follows a push by Democrats to more aggressively penalize individual executives implicated in major data privacy breaches. Committee Democrats have previously criticized the agency’s record settlement with Facebook over the Cambridge Analytica data scandal because it did not name Facebook chief executive Mark Zuckerberg.

“CEOs who take security shortcuts should take note,” Samuel Levine, director of the FTC’s Consumer Protection Bureau, said in a press release.

The agency voted 4-0 to support the order, but the commission’s only Republican commissioner, Christine Wilson, opposed the decision to name Rellas.

Khan, who arrived with high expectations to bring a regulatory reckoning to Silicon Valley, is under increasing pressure to deliver on her promises to reinvigorate the agency’s data security enforcement now that she again has a Democratic majority. But she has limited tools at her disposal in the absence of a federal privacy law that would allow the FTC to issue fines for first-time offenders. The order against Drizly and Rellas carries no fines, but the company and the executive could face financial penalties if they fail to comply with the proposed data security requirements.

The FTC has sought to use data privacy orders like the one proposed against Drizly and Rellas to hold companies accountable when they misuse or allegedly misuse consumer data. These orders are very limited, and repeated data leaks at companies under order have raised questions about their effectiveness and whether companies are taking them seriously. Current and former FTC officials told the Washington Post that the agency lacked the staff and technical expertise to effectively monitor and enforce the orders.

The agency has sought to make its orders more prescriptive to ensure companies adopt stronger data protections. Drizly employees will need to use multi-factor authentication to access critical databases and implement new controls over access to personal data.

The action follows allegations that Drizly failed to implement basic security measures to protect its customers’ personal information. The company also allegedly stored important login credentials on software development service GitHub, even though the FTC had previously sued Uber over similar claims. The agency also alleged that Drizly did not have a senior manager responsible for securing the data.

The FTC will collect public comment on the consent order for 30 days, after which it will decide whether to finalize the order.

