FTC seeks action against Drizly — and its CEO — for cybersecurity failures

The Federal Trade Commission Monday announced a planned settlement with online alcohol delivery service Drizly and its CEO over cybersecurity failures that led to a 2020 breach affecting 2.5 million consumers. 

The proposed consent order requires the company, which was acquired by Uber in 2021, to destroy “unnecessary data,” limit future information collection and retention, and implement a data security program — as well as binds CEO Cory Rellas to data security requirements in future endeavors. 

Sanctioning Rellas personally — an unusual step for the agency — appears to signal a desire to hold executives personally accountable for data security failures. 

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a press statement. “CEOs who take shortcuts on security should take note.”

The 2020 breach occurred due to a failure to manage credentials — one the company should have already been prepared for due to a similar failure in 2018, according to the FTC’s administrative complaint outlining their findings. Rellas, a co-founder of the company, was specifically cited for failing to delegate cybersecurity responsibilities. 

“Rellas hired senior executives dedicated to finance, legal, marketing, retail, human resources, product, and analytics, but failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly,” the complaint said.  

In an emailed statement, a Drizly spokesperson said the company takes “consumer privacy and security very seriously” and was happy to put the 2020 incident behind it. 

The FTC’s commissioners voted 4-0 on the proposed administrative complaint and consent agreement regarding Drizly and Rellas. The commissioners will vote again on whether to finalize their decision after a thirty-day public comment period. 

However, Commissioner Christine Wilson released a statement partially dissenting despite her vote for the order. 

“While I support the complaint against the corporate defendant, I do not support holding the individual defendant, Rellas, liable,” Wilson wrote, adding that such a ”broad standard effectively could enable the Commission to hold individually liable the CEOs of most companies against which we initiate enforcement action.”

In a joint statement, Chair Lina Khan and Commissioner Alvaro Bedoya argued that C-suite accountability was the point. 

“The FTC has a role to play in making sure a company’s legal obligations are weighed in the boardroom,” they wrote. “Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive.”

Due to current limits on the FTC’s enforcement powers, the consent decree carries no financial penalties although the company and Rellas could face fines if they violate it in the future. 

However, the FTC is exploring a privacy and data security rulemaking process that may expand its enforcement toolkit.