The Federal Trade Commission is seeking tough new restrictions against Drizly, the alcoholic beverage delivery platform, after what US regulators allege were repeated security failures that compromised the data of 2.5 million people.
The proposed order against Drizly, if finalized, would force the company to beef up its cybersecurity and limit its data collection practices, a common requirement in FTC privacy orders. But in a significant step, the FTC also specifically named the company’s CEO, James Cory Rellas, imposing what would be binding obligations on him and all of his future business activities, at Drizly or otherwise. Drizly would also be required to delete any data it holds on consumers that isn’t strictly necessary for it to run its service, the FTC said in a release.
“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson told CNN Business.
The Drizly order reflects recent promises by top FTC officials to use novel remedies — such as forcing businesses to destroy “ill-gotten data” — in the agency’s increasingly tech-focused work, as well as vows to hold individual executives personally accountable if they’re found to be responsible for illegal conduct that harms consumers.
According to the FTC, Drizly — which Uber acquired last year — had been aware of its cybersecurity problems since 2018, after hackers gained access to Drizly employee credentials that then allowed them to use Drizly’s cloud computing accounts to mine cryptocurrency. In another incident in 2020, a hacker compromised Drizly’s corporate network and stole customer data. At least some of that personal data was then offered for sale on underground hacker forums, the FTC said.
FTC orders have come under mounting scrutiny in recent years, particularly after Twitter’s former head of security came forward with a whistleblower report alleging that the company had never been on track to comply with its FTC obligations.
Since then, FTC Chair Lina Khan has told lawmakers the agency is increasingly interested in naming executives in consent orders as a way to ensure businesses are held accountable.
As part of the Drizly order, Rellas will have to implement cybersecurity programs at any future business he works for where he is CEO or majority owner and where the business collects personal data from more than 25,000 people.
The FTC will determine whether to finalize the order after a 30-day public comment period that’s expected to begin when a summary of its provisions is published in the Federal Register.