Privacy & Information Security Law Blog

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the alleged failure to maintain appropriate security safeguards that led to a data breach that affected 2.5 million consumers’ personal information.

In the FTC’s complaint, the agency alleged that Drizly failed to use appropriate information security practices to protect consumers’ personal information, which led to a malicious actor accessing Drizly’s consumer database and exfiltrating consumer personal information, including names, email addresses, postal addresses, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, and other consumer data (e.g., income level, marital status, gender, ethnicity, existence of children, and home value).

Notably, the FTC also named as a defendant in the action Drizly’s CEO James Cory Rellas, in both an individual and corporate officer capacity. The FTC alleged that Rellas was personally responsible for the company’s security failures by not properly implementing reasonable information security practices, such as by failing to hire a senior executive responsible for the security of consumers’ personal information.

The FTC’s proposed order against Drizly would require the company to (1) destroy unnecessary data, (2) limit the company’s data collection practices to only information that is necessary for specific purposes outlined in a retention schedule,  and (3) implement a comprehensive information security program that establishes security safeguards to protect against security incidents (including requiring employee training, appointing a high-level employee responsible for overseeing the company’s information security program, implementing data access controls, and requiring employees to use multi-factor authentication to access databases containing consumer personal information).

Notably, the proposed order also would require CEO Rellas to implement an information security program at a future company (that collects personal information of more than 25,000 individuals) at which he is employed in a majority owner, CEO or senior officer position with information security responsibilities. In the FTC’s press release about the enforcement action, the agency noted that “in the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record,” emphasizing that the proposed order “will follow Rellas even if he leaves Drizly.”

Update: On January 10, 2023, the FTC finalized the complaint and order against Drizly and its CEO, with a Commission vote of 4-0.