In singling out Rellas, the FTC signaled it could use a broader range of tools to combat data privacy breaches under Chairwoman Lina Khan, who was widely expected to bring tougher oversight to the tech industry. Rellas’ inclusion follows a push by Democrats to more aggressively penalize individual executives implicated in major data privacy breaches. Committee Democrats have previously criticized the agency’s record settlement with Facebook over the Cambridge Analytica data scandal because it did not name Facebook chief executive Mark Zuckerberg.
“CEOs who take security shortcuts should take note,” Samuel Levine, director of the FTC’s Consumer Protection Bureau, said in a press release.
The agency voted 4-0 to support the order, but the commission’s only Republican commissioner, Christine Wilson, opposed the decision to name Rellas.
Khan, who arrived with high expectations to bring regulatory calculus to Silicon Valley, is under increasing pressure to deliver on her promises to reinvigorate the agency’s data security enforcement now that she again has a Democratic majority. But she has limited tools at her disposal in the absence of a federal privacy law that would allow the FTC to issue fines for first-time offenders. The order against Drizly and Rellas carries no fines, but the company and the executive could face financial penalties if they fail to comply with proposed data security requirements.
The FTC has sought to use data privacy orders such as the one proposed against Drizly and Rellas to hold companies accountable when they misuse or allegedly misuse consumer data. These orders are very limited, and repeated data leaks at companies under order have raised questions about their effectiveness and whether companies are taking them seriously. Current and former FTC officials told the Washington Post that the agency lacked the staff and technical expertise to effectively monitor and enforce the orders.
The agency has sought to make its orders more prescriptive to ensure companies adopt stronger data protections. Drizly employees will need to use multi-factor authentication to access critical databases and implement new controls over access to personal data.
The action follows allegations that Drizly failed to implement basic security measures to protect its customers’ personal information. The company also allegedly stored important login credentials on the software development service GitHub, even though the FTC had previously sued Uber over similar claims. The agency also alleged that Drizly did not have a senior manager responsible for securing the data.
The FTC will collect public comment on the consent order for 30 days, after which it will decide whether to finalize the order.