FTC's Data Security Complaint Against Drizly Sets New Leadership Responsibility


The consequences of Drizly’s lax security measures could echo past the beverage delivery company.

The Federal Trade Commission proposed restrictions on alcohol delivery company Drizly and its chief executive officer for failing to properly update its data security—despite being instructed to do so in 2018—following a 2020 data breach that exposed the personal information of 2.5 million customers.

As outlined in the FTC’s complaint, Drizly failed to adopt new network security practices to better protect its customers’ data. The security lapses include failures to secure database login credentials, prevent efforts to seize data from external login attempts and monitor employee access to shared customer data repositories and coding platforms.

Some of the personal information leaked from Drizly’s databases was later posted for sale on dark web forums. The hacker was able to access sensitive customer data through Drizly’s GitHub repositories, which allowed the intruder to get access to the company’s databases. 

Drizly reportedly only learned about the data breach following customer complaints and media reports. 

The company, a subsidiary of ridesharing giant Uber, allegedly violated two counts of the FTC Act: unfair information security practices and deceptive security statements. The penalties Drizly faces revolve primarily around future data collection. 

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, in a news release. “CEOs who take shortcuts on security should take note.”

Both Drizly and its CEO, James Cory Rellas, are required to destroy superfluous user data, document this data destruction, limit storing customer information and implement a stronger security program. 

“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson told Nextgov.

Notable within the FTC’s ruling is its applicability to Rellas as an individual defendant. The FTC clarified that his data collection restrictions will be in effect regardless of whether or not he remains at Drizly. 

“In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record,” the FTC wrote. “Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly.”

Rellas will still be required to implement stronger security protocols at a different company if he still oversees the collection of over 25,000 individuals’ sensitive information with regard to business activity.

“This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures,” the FTC continued. 

The FTC does not have the authority to impose financial penalties on companies and individuals, like Drizly and Rellas, for initial violations of the FTC Act. However, failure by either party to comply with the agency’s order—once finalized—could result in monetary penalties. 

The FTC’s order against Drizly will be open for public comment in the Federal Register for 30 days. Once that period expires, the FTC will vote on making it final.