No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Cybersecurity

Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches

FTC tells alcohol delivery service — and its CEO — they should have known better

by Baker Donelson
February 1, 2023
in Cybersecurity
data breach

The FTC says Drizly’s CEO James Cory Rellas was alerted to a potential security loophole two years before a data breach exposed the personal information of 2.5 million customers of the alcohol delivery service. So egregious were Rellas’ actions, according to the agency, that not only will his company face a series of data privacy requirements but Rellas himself will as well, even when he’s no longer employed by Drizly. Alisa Chestler and Greta Messer from Baker Donelson unpack this unprecedented order.

If your management team and board of directors are not talking often about cyber liability and risk management, they soon will be. As a matter of both corporate and individual liability, recent enforcement makes it clear that management cannot rely on generic privacy policy language at the expense of meaningful operations supporting the statements it posts and publicizes.

As an example, the FTC announced an enforcement action against the online alcohol marketplace Drizly in late October 2022. This FTC action comes after Drizly’s data breach in 2020 when internal data security failures affected the information of 2.5 million customers.

FTC enforcement in privacy is common, but the agency’s new focus on management’s role in privacy and information security is unprecedented. On Jan. 10, the FTC finalized the Drizly consent order requiring the company to implement and maintain a data protection program, which is a common outcome of any privacy-related consent order. Less common to date, however, is the FTC’s requirement that Rellas, Drizly’s CEO, implement an information security program at any future companies he works for that meet certain specifications.

In this unprecedented move, Rellas will be required to ensure that any business with which he is involved that is in possession of the personal data of more than 25,000 consumers and in which he holds a majority interest, serves as CEO or holds a management position implements and maintains a formal information security management program. 

merge infosec compliance
Compliance

How to Turn Security and Compliance From a Tug of War Into the Dream Team

by George Gerchow
January 18, 2023

Perhaps once distinct teams within organizations, security and compliance functions today go hand-in-hand — or at least they should, writes Sumo Logic CSO George Gerchow. Data breaches continue to wreak havoc on today’s enterprise, with rising stakes of both cost and reputation.

Read more

Announcing the action against Drizly and Rellas in October, the agency specifically underscored this mandate: “Our [order] against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in the agency’s news release. 

Accordingly, the FTC’s final decision is fairly substantial in its depth and breadth, highlighting two key violations by Drizly:

  • Failure to implement readily available, low-cost data safeguards
  • Using the company’s website to misrepresent compliance with commercially reasonable security practices

Within these violations, the FTC points to the absence of written policies and procedures at the company, such as those requiring employee training, and neglecting to place qualified professionals at the helm of a data security program.

 Drizly also failed to implement certain other standard safeguards and policies, which allowed for faulty encryption technology, poor credential management, absence of multi-factor authentication and inability to monitor for the exfiltration of data. The FTC found that Rellas should have been aware of these issues, especially given a prior incident that served as constructive notice to Rellas of Drizly’s inadequate privacy and security practices, namely a 2018 incident involving Drizly’s parent company, Uber.

Now, Drizly is tasked with implementing an information security program, including policies and procedures for:

  • Specifying data retention, destruction and minimization limits
  • Introducing data access controls
  • Routinely testing safeguards
  • Training employees
  • Creating measures to prevent storage of unsecured access keys or credentials

Further, this program will be subject to biennial third-party assessments to ensure its ability to protect personal information.

Moving forward, the FTC’s ongoing monitoring of Drizly and Rellas serves to alert companies to the government’s expectations for the development of data protection programs and accountability for misrepresentations of compliance with reasonable security practices.

The bottom line for your company and its management and officers: Get real about your risk

Management cannot rely on a one-size-fits-all privacy policy. Businesses — and their individual leaders — must accept responsibility for evaluating the company’s operations and adopting meaningful operations that support the statements it posts and publicizes.

Baker Donaldson Law , PR Headshots of Alisa ChestlerAlisa Chestler, a shareholder in Baker Donelson’s Nashville and Washington, D.C. offices and chair of the firm’s Data Protection, Privacy and Cybersecurity Team, concentrates her practice in privacy, security and records management issues; health care and insurance regulatory compliance; and corporate transactions matters.
Messer_GretaGreta Messer is an associate in Baker Donelson’s Nashville office and focuses her practice on commercial transactions and assists in the development of platform agreements, terms of use, and compliance policies related to client privacy, cybersecurity, and information practices.

Tags: Data BreachData Governance
Previous Post

WhatsApp, FinServ? Feds Seem Done With Grace Period on Messaging Apps

Next Post

2023 Annual Litigation Trends

Baker Donelson

Baker Donelson

Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 22 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia and Washington, D.C.

Related Posts

banks information sharing_f

Sharing Is Caring? Lessons From Dutch Banks’ Data-Sharing Program

by Sukirt Singh
March 22, 2023

With federal investigations pending, the autopsy of Silicon Valley Bank and resulting cascade of bank failures is only just beginning....

risk tunnel

From Regulation to Volume, There Is No Light at the End of the Data Privacy Tunnel

by Jim DeLoach
March 15, 2023

Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions. An underpinning...

minidata_b

Honey, I Shrunk the Data: How to Keep Customer Info on a Need-to-Know Basis

by Parker Poe
November 30, 2022

It may be tempting to hoard the data you have gathered on your customers, but an increasing number of regulations...

doj outside sculpture_n

Monaco Memo 2.0: Companies Should Start Preparing Now for Future DOJ Investigations

by Miller & Chevalier
November 2, 2022

Following up on her watershed 2021 memo, Deputy Attorney General Lisa Monaco’s latest missive highlights a pair of issues that...

Next Post
Norton Rose Fullbright 2023 Litigation Trends_f

2023 Annual Litigation Trends

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT