On Monday the Federal Trade Commission issued a press release stating it is settling a case against Drizly and its CEO for a data breach that exposed the information of 2.5 million consumers in July 2020.[1] The proposed settlement is notable because the FTC alleges in the underlying Complaint that:
(1) Drizly broke the law by not improving security after an incident in 2018, and
(2) Drizly’s CEO broke the law by taking shortcuts on security.
On the same day, in a blog post titled “Data security forecast: Drizly with a 100% chance of far-reaching order provisions,” the FTC detailed Drizly and its CEO’s missteps which it said “exacerbated the impact of the [2020] breach” and exposed failures in their governance structures – Drizly did not have a security program and had not conducted a risk assessment.
Background
Drizly is an online alcohol delivery platform and a subsidiary of Uber. In 2018 Drizly suffered a security incident known as crypto-jacking – an attack in which malware hijacks a system’s computing power to mine cryptocurrency. In 2020 Drizly suffered another breach when an executive’s account credentials dating from 2018 were used to access customer information.
The FTC pointed to Drizly’s own analysis of the 2018 incident, which acknowledged that Drizly did not have a security program and that it failed to follow basic cybersecurity best practices such as unique passwords and multifactor authentication.[2] The FTC also pointed to Drizly’s public-facing privacy policy, which described security practices the FTC alleged were not actually in place.[3]
In a statement about the settlement, the Chair of the FTC, Lina Khan, footnoted an article titled Why Does the WeWork Guy Get to Fail Up? to emphasize that the CEO “who presided over Drizly’s lax data security practices … will be required to implement an information security program at future companies if he moves” for up to ten years.
The FTC’s announcement comes three weeks after U.S. Senate Majority Leader Chuck Schumer called on the FTC to apply more pressure on businesses to protect consumer data, citing recent hacking incidents involving consumer information stolen from American Airlines, DoorDash, Uber, and U-Haul.[4]
But the FTC has been applying pressure under Chair Khan since last October, when she declared to Congress: “Policing data privacy and security is now a mainstay of the FTC’s work” and “we must update our approach to keep pace with new learning and technological shifts.”[5] Three weeks later the FTC updated the Safeguards Rule, something it hadn’t done since 2002.[6]
Under the updated Safeguards Rule, which requires financial institutions to implement security measures, the definition of “financial institution” includes many businesses that don’t normally describe themselves that way. Examples include personal property or real estate appraisers, professional tax preparers, courier services and even ATM providers.[7]
As highlighted in its press release, the FTC settlement with Drizly follows a recent FTC trend of “requiring a firm to minimize data collection” – to ensure companies only collect what they need – and a recent notice of proposed rules for commercial surveillance, “the business of collecting, analyzing, and profiting from information about people.”[8]
As to executives being personally liable for cybersecurity incidents and data privacy violations, the FTC has been down this road before, but only sparingly. Since 2010 the FTC has resolved about 50 cybersecurity and data privacy cases. In about a dozen the FTC named directors and officers as well as their organizations.
On February 27, 2019, after announcing a $5.7 million settlement with TikTok for various privacy violations relating to its lip-syncing app, two of the five FTC commissioners, Rebecca Kelly Slaughter and Rohit Chopra, issued a joint statement foreshadowing an emphasis on executive liability:
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.[9]
This approach gained traction under former FTC Chairman Joe Simons and Bureau of Consumer Protection Director Andrew Smith when, on January 6, 2020, the FTC announced new and improved cybersecurity orders, along with better guidance for companies about what they can do to improve security.[10]
Looking Ahead
Indeed, the FTC’s settlement with Drizly will be far-reaching – there is still a lot to unpack. But it is clear Chair Khan is focused on imposing conditions that prevent future data breaches, which include:
- Implementing practices that reduce or prohibit the collection of consumer data that is not necessary for pre-specified business purposes;
- Implementing a comprehensive security program that includes multifactor authentication and prevention mechanisms for unsecured data;
- Implementing practices covered in past decisions, which have emphasized conducting regular risk assessments and incident response planning; and
- Creating a public retention schedule for certain types of data, including timeframes for the eventual deletion of stored data.
Not even eighteen months have passed since Chair Khan was sworn in but already the FTC is making its presence felt.
FOOTNOTES
[2] See, e.g., Complaint paragraphs 19, 23, and 25, available at https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf
[3] Id. at paragraphs 14-16.
[4] See, e.g., https://www.govtech.com/security/schumer-calls-on-ftc-doj-to-increase-focus-on-citizen-data
[6] https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
[7] https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know