On October 24, 2022, the Federal Trade Commission (FTC) announced a settlement with Drizly LLC, an alcoholic beverage delivery platform, and its CEO after alleged security failures, including reusing the same password, led to a threat actor stealing information about 2.5 million consumers.
According to the FTC’s two-count complaint, Drizly, a subsidiary of Uber Technologies since April 2021, operates a platform that includes tools for verifying the consumer’s age; monitoring, tracking, and analyzing orders; and supporting customer service. Drizly’s production database environment (the software it uses to operate the e-commerce platform) is hosted by a cloud service provided by Amazon Web Services (AWS) and stores consumer data (like name, email address, postal address, phone numbers, device identifiers, order histories, partial payment information, geolocation information, demographic information, and hashed passwords). In addition to its platform, Drizly utilized the GitHub software platform for the development, management, and storage of its source code that supports Drizly’s website and mobile app (and that included Drizly’s AWS and database login credentials stored in a GitHub repository that could be used to access Drizly’s production environment), which Drizly employees accessed through their personal GitHub accounts.
In April 2018, Drizly provided one of its executives access to the GitHub repositories to participate in a collaborative programming event but did not terminate or monitor the executive’s access after the event ended even though it was no longer needed. Nor did Drizly require unique/complex passwords, multifactor authentication, or single sign-on to access GitHub. The complaint alleged that the executive used a seven-character alphanumeric password that he also used on other personal accounts. This all came to a head when a malicious actor accessed the executive’s GitHub account by reusing credentials from an unrelated breach. With access to the GitHub account, the malicious actor could view source code (to find vulnerabilities in Drizly’s software) and access AWS and database credentials. The malicious actor ultimately modified the company’s AWS security settings, which provided “unfettered access” to Drizly’s production environment and allowed for the exfiltration of more than 2.5 million consumers’ personal information. The FTC alleges that this was an unfair information security practice under the FTC Act.
The FTC alleges that CEO James Cory Rellas was responsible for Drizly’s security failures because he did not implement or properly delegate the responsibility to implement reasonable security practices. Moreover, not only did Drizly fail to detect the breach itself (instead learning of it from media reports describing the sale of consumer information on dark web forums), Drizly had experienced a similar GitHub incident just two years prior. In the previous breach, a Drizly employee posted AWS credentials to his personal GitHub repository, which led to Drizly’s AWS servers being compromised and used to mine cryptocurrency.
The FTC identified two “explicit representations about [Drizly’s] information security practices” that it claims led consumers to believe Drizly would use reasonable and appropriate practices to protect their information:
The FTC concluded that Drizly represented (either expressly or by implication) that it used appropriate safeguards, but “in truth and in fact,” it did not.
The Proposed Consent Order
The proposed consent order will be open for public comment for 30 days, after which the FTC will vote to finalize it. In addition to the standard language we have all become accustomed to in FTC data security orders, such as a mandatory information security program, third-party assessments, and covered incident reports, the proposed consent order contains a number of notable requirements.
First, there is no civil penalty or other monetary relief. In a post-AMG world the FTC lacks the hammer it once had in Section 13(b) to leverage monetary relief. While Congress continues to drag its feet on passing a privacy law, the FTC is marching ahead with its privacy rulemaking, which could add to its enforcement arsenal in the form of civil penalty authority, but will take years to finalize. In the meantime, the Drizly consent order sends an important message: the FTC is going to continue privacy-related enforcement actions even with this more limited ability to seek monetary relief.
Second, the FTC has signaled that it will continue to insist on holding individuals liable in some cases. Here, the proposed order will follow Rellas for 10 years. If Rellas is a majority owner of any business that collects consumer information or is employed in certain other high-level roles, he is personally responsible for ensuring that the company implements an information security program. If Rellas were to violate the order while at Drizly (or elsewhere) over the next decade, he would potentially be subject to civil penalties, currently clocking in at $46,517 per violation.
This appears to be the first time that a CEO of a major company has agreed to be bound by an FTC order placing significant obligations related to information security on any company where he holds an executive position. In a joint statement, FTC Chair Lina Kahn and Commissioner Alvaro Bedoya said, “Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”
Commissioner Rebecca Kelly Slaughter agreed, noting in her statement that naming Drizly’s CEO “helps ensure that corporate leadership must take seriously their obligation to safeguard customer information.” In contrast, Republican Commissioner Christine Wilson dissented because in her mind, he did not have the requisite knowledge and participation necessary to hold an individual liable under the FTC Act.
Finally, the proposed consent order goes beyond standard data collection and retention requirements and shows how the FTC continues to push the boundaries of its authority. With the Drizly order, the FTC does not just require a standard data retention policy and security measures, it demands a company-wide policy of data minimization. Drizly’s website and applications must also display its data retention schedule, explaining why it is collecting the consumer information, why it needs the information, and a timeframe for deletion.
While the outcome of the FTC’s rulemaking process is uncertain and likely to take years to complete, and the likelihood of a nationwide privacy or data security statute remains in flux, the FTC has signaled a few important points with this most recent settlement:
- The FTC is going to continue to enforce privacy and data security issues as unfair or deceptive trade practices.
- Individual executive officers will continue to be a target of regulatory scrutiny.
- Companies should train employees on the dangers of reusing passwords across their personal (and business) accounts.
- Companies should consider a data minimization policy on top of data retention standards.
- Companies should heed lessons from prior breaches (which regulators can, and will, use against them).